diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 70a990a885..016f1295f1 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -10,7 +10,7 @@ ms.localizationpriority: high ms.date: 09/13/2017 #Previsou release date --- - + # Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge @@ -24,7 +24,7 @@ By using Group Policy and Intune, you can set up a policy setting once, and then > For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924). ## Group Policy settings -Microsoft Edge works with the following Group Policy settings to help you manager your company's web browser configurations. The Group Policy settings are found in the Group Policy Editor in the following location: +Microsoft Edge works with the following Group Policy settings to help you manage your company's web browser configurations. The Group Policy settings are found in the Group Policy Editor in the following location: `Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\` 
@@ -38,9 +38,8 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. | If you... | Then... | | --- | --- | -| Enable this setting (default) | Employees can see the Address bar drop-down functionality in Microsoft Edge. | -| Disable this setting | Employees do not see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type."

Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting. | -| +| Enable (default) | Employees can see the Address bar drop-down functionality in Microsoft Edge. | +| Disable | Employees do not see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type."

Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting. | ### Allow Adobe Flash >*Supporteded version: Windows 10* @@ -48,9 +47,8 @@ This policy setting lets you decide whether the Address bar drop-down functional This policy setting lets you decide whether employees can run Adobe Flash on Microsoft Edge. | If you… | Then… | | --- | --- | -| Enable or don’t configure this setting (default) | Employees can use Adobe Flash. | -| Disable this setting | Employees cannot use Adobe Flash. | -| +| Enable or don’t configure (default) | Employees can use Adobe Flash. | +| Disable | Employees cannot use Adobe Flash. | ### Allow clearing browsing data on exit >*Supporteded versions: Windows 10, version 1703* @@ -58,9 +56,8 @@ This policy setting lets you decide whether employees can run Adobe Flash on Mic This policy setting allows the automatic clearing of browsing data when Microsoft Edge closes. | If you… | Then… | | --- | --- | -| Enable this setting | Clear browsing history on exit is turned on. | -| Disable or don’t configure this setting (default) | Employees can turn on and configure the Clear browsing data option under Settings. | -| +| Enable | Clear browsing history on exit is turned on. | +| Disable or don’t configure (default) | Employees can turn on and configure the Clear browsing data option under Settings. | ### Allow Developer Tools >*Supporteded versions: Windows 10, version 1511 or later* 
@@ -68,19 +65,17 @@ This policy setting allows the automatic clearing of browsing data when Microsof This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge. | If you… | Then… | | --- | --- | -| Enable this setting (default) | F12 Developer Tools are available. | -| Disable this setting | F12 Developer Tools are not available. | -| +| Enable (default) | F12 Developer Tools are available. | +| Disable | F12 Developer Tools are not available. | ### Allow Extensions >*Supporteded versions: Windows 10, version 1607 or later* -This policy setting lets you decide whether employees can use Edge Extensions. +This policy setting lets you decide whether employees can use Microsft Edge Extensions. | If you… | Then… | | --- | --- | -| Enable this setting | Employees can use Edge Extensions. | -| Disable this setting | Employees cannot use Edge Extensions. | -| +| Enable | Employees can use Microsoft Edge Extensions. | +| Disable | Employees cannot use Microsoft Edge Extensions. | ### Allow InPrivate browsing >*Supporteded versions: Windows 10, version 1511 or later* @@ -88,9 +83,8 @@ This policy setting lets you decide whether employees can use Edge Extensions. This policy setting lets you decide whether employees can browse using InPrivate website browsing. | If you… | Then… | | --- | --- | -| Enable this setting (default) | Employees can use InPrivate website browsing. | -| Disable this setting | Employees cannot use InPrivate website browsing. | -| +| Enable (default) | Employees can use InPrivate website browsing. | +| Disable | Employees cannot use InPrivate website browsing. | ### Allow Microsoft Compatibility List >*Supporteded versions: Windows 10, version 1607 or later* 
@@ -98,9 +92,8 @@ This policy setting lets you decide whether employees can browse using InPrivate This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat. | If you… | Then… | | --- | --- | -| Enable this setting (default) | Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation . Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site renders as though it’s in whatever version of IE is necessary for it to appear properly. | -| Disable this setting | Browser navigation does not use the Microsoft Compatibility List. | -| +| Enable (default) | Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation . Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site renders as though it’s in whatever version of IE is necessary for it to appear properly. | +| Disable | Browser navigation does not use the Microsoft Compatibility List. | ### Allow search engine customization >*Supported versions: Windows 10, version 1703* 
@@ -111,20 +104,18 @@ For more info, see the [Microsoft browser extension policy](http://aka.ms/browse | If you… | Then… | | --- | --- | -| Enable or don’t configure this setting (default) | Employees can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings. | -| Disable this setting | Employees cannot add search engines or change the default used in the Address bar. | -| +| Enable or don’t configure (default) | Employees can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings. | +| Disable | Employees cannot add search engines or change the default used in the Address bar. | ### Allow web content on New Tab page >*Supported versions: Windows 10* -This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees can’t change it. +This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees cannot change it. | If you… | Then… | | --- | --- | -| Enable this setting | Microsoft Edge opens a new tab with the New Tab page. | -| Disable this setting | Microsoft Edge opens a new tab with a blank page. | -| Do not configure this setting (default) | Employees can choose how new tabs appear. | -| +| Enable | Microsoft Edge opens a new tab with the New Tab page. | +| Disable | Microsoft Edge opens a new tab with a blank page. | +| Do not configure (default) | Employees can choose how new tabs appear. | ### Configure additional search engines >*Supported versions: Windows 10, version 1703* 
@@ -132,9 +123,8 @@ This policy setting lets you configure what appears when Microsoft Edge opens a This policy setting lets you add up to 5 additional search engines, which cannot be removed by your employees but can make a personal default engine. This setting does not set the default search engine. For that, you must use the "Set default search engine" setting. | If you… | Then… | | --- | --- | -| Enable this setting | You can add up to 5 additional search engines. For each additional search engine, you must add a link to your OpenSearch XML file, including at least the short name and https URL of the search engine, using this format:

``

For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. | Disable this setting (default) | Any added search engines are removed from the employee’s device. | -| Do not configure this setting | The search engine list is set to what is specified in App settings. | -| +| Enable | You can add up to 5 additional search engines. For each additional search engine, you must add a link to your OpenSearch XML file, including at least the short name and https URL of the search engine, using this format:

``

For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. | Disable setting (default) | Any added search engines are removed from the employee’s device. | +| Do not configure | The search engine list is set to what is specified in App settings. | ### Configure Autofill >*Supported versions: Windows 10* @@ -142,10 +132,9 @@ This policy setting lets you add up to 5 additional search engines, which cannot This policy setting lets you decide whether employees can use Autofill the form fields automatically while using Microsoft Edge. By default, employees can choose whether to use Autofill. | If you… | Then… | | --- | --- | -| Enable this setting | Employees can use Autofill to populate form fields automatically. | -| Disable this setting | Employees cannot use Autofill to populate form fields automatically. | -| Do not configure this setting (default) | Employees can choose whether to use Autofill to populate the form fields automatically. | -| +| Enable | Employees can use Autofill to populate form fields automatically. | +| Disable | Employees cannot use Autofill to populate form fields automatically. | +| Do not configure (default) | Employees can choose whether to use Autofill to populate the form fields automatically. | ### Configure cookies >*Supported versions: Windows 10* @@ -153,9 +142,8 @@ This policy setting lets you decide whether employees can use Autofill the form This setting lets you configure how to work with cookies. | If you… | Then… | | --- | --- | -| Enable this setting (default) | You must also decide whether to:

| -| Disable or do not configure this setting | All cookies are allowed from all sites. | -| +| Enable (default) | You must also decide whether to: | +| Disable or do not configure | All cookies are allowed from all sites. | ### Configure Do Not Track >*Supported versions: Windows 10* @@ -163,10 +151,9 @@ This setting lets you configure how to work with cookies. This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests are never sent, but employees can choose to turn on and send requests. | If you… | Then… | | --- | --- | -| Enable this setting | Do Not Track requests are always sent to websites asking for tracking information. | -| Disable this setting | Do Not Track requests are never sent to websites asking for tracking information. | -| Do not configure this setting (default) | Employees can choose whether to send Do Not Track requests to websites asking for tracking information. | -| +| Enable | Do Not Track requests are always sent to websites asking for tracking information. | +| Disable | Do Not Track requests are never sent to websites asking for tracking information. | +| Do not configure (default) | Employees can choose whether to send Do Not Track requests to websites asking for tracking information. | ### Configure Favorites >*Supported versions: Windows 10, version 1511 or later* 
@@ -174,9 +161,8 @@ This policy setting lets you decide whether employees can send Do Not Track requ This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time. | If you… | Then… | | --- | --- | -| Enable this setting | You must provide a list of Favorites in the Options section. The list imports automatically after you deploy this policy. | -| Disable or do not configure this setting | Employees will see the Favorites that they set in the Favorites hub. | -| +| Enable | You must provide a list of Favorites in the Options section. The list imports automatically after you deploy this policy. | +| Disable or do not configure | Employees will see the Favorites that they set in the Favorites hub. | ### Configure Password Manager >*Supported versions: Windows 10* @@ -184,10 +170,9 @@ This policy setting lets you configure the default list of Favorites that appear This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on. | If you… | Then… | | --- | --- | -| Enable this setting (default) | Employees can use Password Manager to save their passwords locally. | -| Disable this setting | Employees can’t use Password Manager to save their passwords locally. | -| Do not configure this setting | Employees can choose whether to use Password Manager to save their passwords locally. | -| +| Enable (default) | Employees can use Password Manager to save their passwords locally. | +| Disable | Employees cannot use Password Manager to save their passwords locally. | +| Do not configure | Employees can choose whether to use Password Manager to save their passwords locally. | ### Configure Pop-up Blocker >*Supported versions: Windows 10* 
@@ -195,10 +180,9 @@ This policy setting lets you decide whether employees can save their passwords l This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on. | If you… | Then… | | --- | --- | -| Enable this setting (default) | Pop-up Blocker is turned on, stopping pop-up windows from appearing. | -| Disable this setting | Pop-up Blocker is turned off, letting pop-up windows appear. | -| Do not configure this setting | Employees can choose whether to use Pop-up Blocker. | -| +| Enable (default) | Pop-up Blocker is turned on, stopping pop-up windows from appearing. | +| Disable | Pop-up Blocker is turned off, letting pop-up windows appear. | +| Do not configure | Employees can choose whether to use Pop-up Blocker. | ### Configure search suggestions in Address bar >*Supported versions: Windows 10* @@ -206,10 +190,9 @@ This policy setting lets you decide whether to turn on Pop-up Blocker. By defaul This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. | If you… | Then… | | --- | --- | -| Enable this setting | Employees can see search suggestions in the Address bar. | -| Disable this setting | Employees cannot see search suggestions in the Address bar. | -| Do not configure this setting (default) | Employees can choose whether search suggestions appear in the Address bar. | -| +| Enable | Employees can see search suggestions in the Address bar. | +| Disable | Employees cannot see search suggestions in the Address bar. | +| Do not configure (default) | Employees can choose whether search suggestions appear in the Address bar. | ### Configure Start pages >*Supported versions: Windows 10, version 1511 or later* 
@@ -217,9 +200,8 @@ This policy setting lets you decide whether search suggestions appear in the Add This policy setting lets you configure one or more Start pages, for domain-joined devices. Your employees will not be able to change this after you set it. | If you… | Then… | | --- | --- | -| Enable this setting | You must include URLs to the pages, separating multiple pages by using angle brackets in this format:

`` | -| Disable or do not configure this setting (default) | The default Start page is the webpage specified in App settings. | -| +| Enable | You must include URLs to the pages, separating multiple pages by using angle brackets in this format:

`` | +| Disable or do not configure (default) | The default Start page is the webpage specified in App settings. | ### Configure the Adobe Flash Click-to-Run setting >*Supported versions: Windows 10, version 1703* @@ -227,9 +209,8 @@ This policy setting lets you configure one or more Start pages, for domain-joine This policy setting lets you decide whether employees must take action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | If you… | Then… | | --- | --- | -| Enable or don’t configure this setting< | Employees must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. | -| Disable this setting | Adobe Flash loads automatically and runs in Microsoft Edge. | -| +| Enable or don’t configure | Employees must click the content, click the Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. | +| Disable | Adobe Flash loads automatically and runs in Microsoft Edge. | ### Configure the Enterprise Mode Site List >*Supported versions: Windows 10* 
@@ -237,9 +218,8 @@ This policy setting lets you decide whether employees must take action, such as This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps. | If you… | Then… | | --- | --- | -| Enable this setting | You must add the location to your site list in the **{URI}** box. When configured, Microsoft Edge looks for the Enterprise Mode Site List XML file, which includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode. | -Disable or do not configure this setting (default) | Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps. | -| +| Enable | You must add the location to your site list in the **{URI}** box. When configured, Microsoft Edge looks for the Enterprise Mode Site List XML file, which includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode. | +Disable or do not configure (default) | Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps. | >[!Note] >If there is a .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server has a different version number than the version in the cache container, the server file is used and stored in the cache container.

@@ -251,10 +231,9 @@ Disable or do not configure this setting (default) | Microsoft Edge won’t use This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on. | If you… | Then… | | --- | --- | -| Enable this setting | Windows Defender SmartScreen is turned on, and employees cannot turn it off. | -| Disable this setting | Windows Defender SmartScreen is turned off, and employees cannot turn it on. | -| Do not configure this setting | Employees can choose whether to use Windows Defender SmartScreen. | -| +| Enable | Windows Defender SmartScreen is turned on, and employees cannot turn it off. | +| Disable | Windows Defender SmartScreen is turned off, and employees cannot turn it on. | +| Do not configure | Employees can choose whether to use Windows Defender SmartScreen. | ### Disable lockdown of Start pages >*Supported versions: Windows 10, version 1703* @@ -265,9 +244,8 @@ For more info, see the [Microsoft browser extension policy](http://aka.ms/browse | If you… | Then… | | --- | --- | -| Enable this setting | You cannot lock down Start pages that are configured using the “Configure Start pages” setting. Employees can, therefore, modify the pages. | -| Disable or do not configure this setting (default) | Employees cannot change Start pages configured using the “Configure Start pages” setting. | -| +| Enable | You cannot lock down Start pages that are configured using the “Configure Start pages” setting. Employees can, therefore, modify the pages. | +| Disable or do not configure (default) | Employees cannot change Start pages configured using the “Configure Start pages” setting. | ### Keep favorites in sync between Internet Explorer and Microsoft Edge >*Supported versions: Windows 10, version 1703* 
@@ -278,9 +256,8 @@ This policy setting lets you decide whether people can sync their favorites betw [@Reviewer: what is the default: enable or disable?] --> | If you… | Then… | | --- | --- | -| Enable this setting | Employees can sync their favorites between Internet Explorer and Microsoft Edge.

Enabling this setting stops Edge favorites from syncing between connected Windows 10 devices. | -| Disable or do not configure this setting | Employees cannot sync their favorites between Internet Explorer and Microsoft Edge. | -| +| Enable | Employees can sync their favorites between Internet Explorer and Microsoft Edge.

Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices. | +| Disable or do not configure | Employees cannot sync their favorites between Internet Explorer and Microsoft Edge. | ### Prevent access to the about:flags page >*Supported versions: Windows 10, version 1607 or later* @@ -288,9 +265,8 @@ This policy setting lets you decide whether people can sync their favorites betw This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. | If you… | Then… | | --- | --- | -| Enable this setting | Employees cannot access the about:flags page. | -| Disable or do not configure this setting (default) | Employees can access the about:flags page. | -| +| Enable | Employees cannot access the about:flags page. | +| Disable or do not configure (default) | Employees can access the about:flags page. | ### Prevent bypassing Windows Defender SmartScreen prompts for files >*Supported versions: Windows 10, version 1511 or later* 
@@ -298,18 +274,16 @@ This policy setting lets you decide whether employees can access the about:flags This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. | If you… | Then… | | --- | --- | -| Enable this setting | Employees cannot ignore Windows Defender SmartScreen warnings when downloading files. | -| Disable or do not configure this setting (default) | Employees can ignore Windows Defender SmartScreen warnings and can continue the download process. | -| +| Enable | Employees cannot ignore Windows Defender SmartScreen warnings when downloading files. | +| Disable or do not configure (default) | Employees can ignore Windows Defender SmartScreen warnings and can continue the download process. | ### Prevent bypassing Windows Defender SmartScreen prompts for sites >*Supported versions: Windows 10, version 1511 or later* This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites. | If you… | Then… | | --- | --- | -| Enable this setting | Employees cannot ignore Windows Defender SmartScreen warnings and prevents them from continuing to the site. | -| Disable or do not configure this setting (default) | Employees can ignore Windows Defender SmartScreen warnings, allowing them to continue to the site. | -| +| Enable | Employees cannot ignore Windows Defender SmartScreen warnings and prevents them from continuing to the site. | +| Disable or do not configure (default) | Employees can ignore Windows Defender SmartScreen warnings, allowing them to continue to the site. | ### Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start >*Supported versions: Windows 10, version 1703* 
@@ -317,9 +291,8 @@ This policy setting lets you decide whether employees can override the Windows D This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. | If you… | Then… | | --- | --- | -| Enable this setting | Microsoft Edge does not gather the Live Tile metadata, providing a minimal experience. | -| Disable or do not configure this setting (default) | Microsoft Edge gathers the Live Tile metadata, providing a fuller and complete experience. | -| +| Enable | Microsoft Edge does not gather the Live Tile metadata, providing a minimal experience. | +| Disable or do not configure (default) | Microsoft Edge gathers the Live Tile metadata, providing a fuller and complete experience. | ### Prevent the First Run webpage from opening on Microsoft Edge @@ -328,9 +301,8 @@ This policy lets you decide whether Microsoft Edge can gather Live Tile metadata This policy setting lets you decide whether employees see Microsoft's First Run webpage when opening Microsoft Edge for the first time. | If you… | Then… | | --- | --- | -| Enable this settin | Employees do not see the First Run page. | -| Disable or do not configure this setting (default) | Employees see the First Run page. | -| +| Enable | Employees do not see the First Run page. | +| Disable or do not configure (default) | Employees see the First Run page. | ### Prevent using Localhost IP address for WebRTC >*Supported versions: Windows 10, version 1511 or later* 
@@ -338,9 +310,8 @@ This policy setting lets you decide whether employees see Microsoft's First Run This policy setting lets you decide whether localhost IP addresses are visible or hidden while making calls to the WebRTC protocol. | If you… | Then… | | --- | --- | -| Enable this setting | Localhost IP addresses are hidden. | -| Disable or do not configure this setting (default) | Localhost IP addresses are visible. | -| +| Enable | Localhost IP addresses are hidden. | +| Disable or do not configure (default) | Localhost IP addresses are visible. | ### Send all intranet sites to Internet Explorer 11 >*Supported versions: Windows 10* @@ -348,9 +319,8 @@ This policy setting lets you decide whether localhost IP addresses are visible o This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge. | If you… | Then… | | --- | --- | -| Enable this setting | All intranet sites are opened in Internet Explorer 11 automatically. | -| Disable or do not configure this setting (default) | All websites, including intranet sites, open in Microsoft Edge. | -| +| Enable | All intranet sites are opened in Internet Explorer 11 automatically. | +| Disable or do not configure (default) | All websites, including intranet sites, open in Microsoft Edge. | ### Set default search engine >*Supported versions: Windows 10, version 1703* @@ -361,10 +331,10 @@ For more info, see the [Microsoft browser extension policy](http://aka.ms/browse | If you… | Then… | | --- | --- | -| Enable this setting | To set a default search engine, you must add a link to your OpenSearch XML file, including at least the short name and https URL of the search engine, using this format:

`https://fabrikam.com/opensearch.xml` | -| Disable this setting | The policy-set default search engine is removed. If this is also the current in-use default, the search engine changes to the Microsoft Edge specified engine for the market . | -| Do not configure this setting | The default search engine is set to the one specified in App settings. | -| +| Enable | To set a default search engine, you must add a link to your OpenSearch XML file, including at least the short name and https URL of the search engine, using this format:

`https://fabrikam.com/opensearch.xml` | +| Disable | The policy-set default search engine is removed. If this is also the current in-use default, the search engine changes to the Microsoft Edge specified engine for the market . | +| Do not configure | The default search engine is set to the one specified in App settings. | + >[!Important] >If you'd like your employees to use the default Microsoft Edge settings for each market , you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING. @@ -374,9 +344,8 @@ For more info, see the [Microsoft browser extension policy](http://aka.ms/browse This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. | If you… | Then… | | --- | --- | -| Enable this setting | Employees see an additional page. | -| Disable or do not configure this setting (default) | No additional pages display. | -| +| Enable | Employees see an additional page. | +| Disable or do not configure (default) | No additional pages display. | ## Using Microsoft Intune to manage your Mobile Device Management (MDM) settings for Microsoft Edge If you manage your policies using Intune, you'll want to use these MDM policy settings. You can see the full list of available policies, on the [Policy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=722885) page. @@ -419,7 +388,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **Allowed values:** - - **0.** Employees can’t use Autofill to complete form fields. + - **0.** Employees cannot use Autofill to complete form fields. - **1 (default).** Employees can use Autofill to complete form fields. 
@@ -436,7 +405,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **Allowed values:** - - **0.** Employees can’t use Microsoft Edge. + - **0.** Employees cannot use Microsoft Edge. - **1 (default).** Employees can use Microsoft Edge. @@ -506,7 +475,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **Allowed values:** - - **0.** Employees can’t use Edge Extensions. + - **0.** Employees cannot use Edge Extensions. - **1 (default).** Employees can use Edge Extensions. @@ -523,7 +492,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **Allowed values:** - - **0.** Not allowed. Employees can’t use Adobe Flash. + - **0.** Not allowed. Employees cannot use Adobe Flash. - **1 (default).** Allowed. Employees can use Adobe Flash. @@ -557,7 +526,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **Allowed values:** - - **0.** Employees can’t use InPrivate browsing. + - **0.** Employees cannot use InPrivate browsing. - **1 (default).** Employees can use InPrivate browsing. @@ -574,7 +543,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **Allowed values:** - - **0.** Additional search engines are not allowed and the default can’t be changed in the Address bar. + - **0.** Additional search engines are not allowed and the default cannot be changed in the Address bar. - **1 (default).** Additional search engines are allowed and the default can be changed in the Address bar. 
@@ -625,7 +594,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **Allowed values:** - - **0.** Additional search engines are not allowed and the default can’t be changed in the Address bar. + - **0.** Additional search engines are not allowed and the default cannot be changed in the Address bar. - **1 (default).** Additional search engines are allowed and the default can be changed in the Address bar. @@ -643,7 +612,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **Allowed values:** - - **0 (default).** Employees can’t see search suggestions in the Address bar of Microsoft Edge. + - **0 (default).** Employees cannot see search suggestions in the Address bar of Microsoft Edge. - **1.** Employees can see search suggestions in the Address bar of Microsoft Edge. @@ -1018,7 +987,7 @@ These are additional Windows 10-specific MDM policy settings that work with Mic - **Allowed values:** - - **0.** Employees can’t use Cortana on their devices. + - **0.** Employees cannot use Cortana on their devices. - **1 (default).** Employees can use Cortana on their devices. @@ -1033,9 +1002,9 @@ These are additional Windows 10-specific MDM policy settings that work with Mic - **Allowed values:** - - **0.** Employees can’t sync settings between PCs. + - **0.** Employees cannot sync settings between PCs. - **1 (default).** Employees can sync between PCs. ## Related topics -* [Mobile Device Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885) \ No newline at end of file +* [Mobile Device Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885) diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index a699361d13..31eafa6401 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json 
@@ -21,6 +21,9 @@ "ms.topic": "article", "ms.author": "lizross", "ms.date": "04/05/2017", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "Win.microsoft-edge" diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json index 056939a089..b7a205ddd2 100644 --- a/browsers/internet-explorer/docfx.json +++ b/browsers/internet-explorer/docfx.json @@ -22,6 +22,9 @@ "ms.technology": "internet-explorer", "ms.topic": "article", "ms.date": "04/05/2017", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "Win.internet-explorer" diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json index 91c25a934c..7a67485a17 100644 --- a/devices/hololens/docfx.json +++ b/devices/hololens/docfx.json @@ -35,6 +35,9 @@ "ms.topic": "article", "ms.author": "jdecker", "ms.date": "04/05/2017", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "Win.itpro-hololens" diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md index 44d24432f7..2c07c79718 100644 --- a/devices/hololens/hololens-provisioning.md +++ b/devices/hololens/hololens-provisioning.md 
@@ -68,6 +68,9 @@ When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration D 6. On the **Select security details for the provisioning package**, click **Next**. + >[WARNING!] + >If you encrypt the provisioning package, provisioning the HoloLens device will fail. + 7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location. Optionally, you can click **Browse** to change the default output location. diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index efa2e4ddcf..d0cb5eb932 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 02/16/2018 +ms.date: 03/06/2018 ms.localizationpriority: medium --- @@ -16,11 +16,19 @@ ms.localizationpriority: medium This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md). +## March 2018 + +New or changed topic | Description +--- | --- +[Create and test a device account (Surface Hub)](create-and-test-a-device-account-surface-hub.md) | Added section for account verification and testing, with link to new Surface Hub Hardware Diagnostic app. + ## February 2018 New or changed topic | Description --- | --- [Manage settings with an MDM provider (Surface Hub)](manage-settings-with-mdm-for-surface-hub.md) | Updated instructions for custom settings using Microsoft Intune. +[Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Updated instructions and scripts. +| [Online deployment](online-deployment-surface-hub-device-accounts.md) | Updated instructions and scripts. ## January 2018 
diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md index 470db2937e..cc5d233b08 100644 --- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md +++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 07/27/2017 +ms.date: 03/06/2018 ms.localizationpriority: medium --- @@ -57,7 +57,9 @@ For detailed steps using PowerShell to provision a device account, choose an opt If you prefer to use a graphical user interface (UI), some steps can be done using UI instead of PowerShell. For more information, see [Creating a device account using UI](create-a-device-account-using-office-365.md). +## Account verification and testing +There are two methods available that you can use to validate and test a Surface Hub device account: [account verifications scripts](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts) and the [Surface Hub Hardware Diagnostic app](https://www.microsoft.com/store/apps/9nblggh51f2g). The account verification script will validate a previously-created device account using PowerShell from your desktop. The Surface Hub Hardware Diagnostic app is installed on your Surface Hub and provides detailed feedback about signin and communication failures. Both are valuable tools to test newly created device accounts and should be used to ensure optimal account availability.   diff --git a/devices/surface-hub/docfx.json b/devices/surface-hub/docfx.json index d6a3efaf96..dc151c3165 100644 --- a/devices/surface-hub/docfx.json +++ b/devices/surface-hub/docfx.json 
@@ -24,6 +24,9 @@ "ms.sitesec": "library", "ms.author": "jdecker", "ms.date": "05/23/2017", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "Win.surface-hub" diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md index 1281d6ae51..de3ffd59ee 100644 --- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 10/20/2017 +ms.date: 02/21/2018 ms.localizationpriority: medium --- @@ -38,11 +38,11 @@ Use this procedure if you use Exchange on-premises. -3. Enable the remote mailbox. +2. Enable the remote mailbox. Open your on-premises Exchange Management Shell with administrator permissions, and run this cmdlet. - ```ps1 + ```PowerShell Enable-RemoteMailbox 'HUB01@contoso.com' -RemoteRoutingAddress 'HUB01@contoso.com' -Room ``` >[!NOTE] @@ -54,7 +54,7 @@ Use this procedure if you use Exchange on-premises. > >msExchRecipientTypeDetails = 8589934592 -2. After you've created the account, run a directory synchronization. When it's complete, go to the users page in your Office 365 admin center and verify that the account created in the previous steps has merged to online. +3. After you've created the account, run a directory synchronization. When it's complete, go to the users page in your Office 365 admin center and verify that the account created in the previous steps has merged to online. 4. Connect to Microsoft Exchange Online and set some properties for the account in Office 365. 
@@ -62,8 +62,8 @@ Use this procedure if you use Exchange on-premises. The next steps will be run on your Office 365 tenant. - ```ps1 - Set-ExecutionPolicy Unrestricted + ```PowerShell + Set-ExecutionPolicy RemoteSigned $cred=Get-Credential -Message "Please use your Office 365 admin credentials" $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://ps.outlook.com/powershell' -Credential $cred -Authentication Basic -AllowRedirection Import-PSSession $sess @@ -77,13 +77,13 @@ Use this procedure if you use Exchange on-premises. If you haven’t created a compatible policy yet, use the following cmdlet—-this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. - ```ps1 + ```PowerShell $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false ``` Once you have a compatible policy, then you will need to apply the policy to the device account. - ```ps1 + ```PowerShell Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.id ``` 
@@ -91,31 +91,44 @@ Use this procedure if you use Exchange on-premises. Setting Exchange properties on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. - ```ps1 + ```PowerShell Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse 'This is a Surface Hub room!' ``` 7. Connect to Azure AD. + You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command : + ```PowerShell + Install-Module -Name AzureAD + ``` + You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect. - ```ps1 - Connect-MsolService -Credential $cred + ```PowerShell + Import-Module AzureAD + Connect-AzureAD -Credential $cred ``` - 8. Assign an Office 365 license. The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account. + + You can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant. - Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant. + Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable. - Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*). 
- - ```ps1 - Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation 'US' - Get-MsolAccountSku - Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense + ```PowerShell + Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US" + + Get-AzureADSubscribedSku | Select Sku*,*Units + $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense + $License.SkuId = SkuId You selected + + $AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses + $AssignedLicenses.AddLicenses = $License + $AssignedLicenses.RemoveLicenses = @() + + Set-AzureADUserLicense -ObjectId "HUB01@contoso.com" -AssignedLicenses $AssignedLicenses ``` Next, you enable the device account with [Skype for Business Online](#skype-for-business-online), [Skype for Business on-premises](#skype-for-business-on-premises), or [Skype for Business hybrid](#skype-for-business-hybrid). 
@@ -144,25 +157,25 @@ The following table lists the Office 365 plans and Skype for Business options. 1. Start by creating a remote PowerShell session from a PC to the Skype for Business online environment. - ```ps1 - Import-Module LyncOnlineConnector + ```PowerShell + Import-Module SkypeOnlineConnector $cssess=New-CsOnlineSession -Credential $cred Import-PSSession $cssess -AllowClobber ``` 2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: - ```ps1 + ```PowerShell Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool 'sippoolbl20a04.infra.lync.com' -SipAddressType UserPrincipalName ``` If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: - ```ps1 + ```PowerShell Get-CsOnlineUser -Identity ‘HUB01@contoso.com’| fl *registrarpool* ``` -2. Assign Skype for Business license to your Surface Hub account. +3. Assign Skype for Business license to your Surface Hub account. Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) to the device. 
@@ -215,10 +228,10 @@ Use this procedure if you use Exchange online. Start a remote PowerShell session on a PC and connect to Exchange. Be sure you have the right permissions set to run the associated cmdlets. - ```ps1 - Set-ExecutionPolicy Unrestricted + ```PowerShell + Set-ExecutionPolicy RemoteSigned $cred=Get-Credential -Message "Please use your Office 365 admin credentials" - $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/ps1-liveid/ -Credential $cred -Authentication Basic -AllowRedirection + $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection Import-PSSession $sess ``` @@ -228,13 +241,13 @@ Use this procedure if you use Exchange online. If you're changing an existing resource mailbox: - ```ps1 + ```PowerShell Set-Mailbox -Identity 'HUB01' -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) ``` If you’re creating a new resource mailbox: - ```ps1 + ```PowerShell New-Mailbox -MicrosoftOnlineServicesID 'HUB01@contoso.com' -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) ``` 
@@ -246,13 +259,13 @@ Use this procedure if you use Exchange online. If you haven’t created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. - ```ps1 + ```PowerShell $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false ``` Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too. - ```ps1 + ```PowerShell Set-Mailbox 'HUB01@contoso.com' -Type Regular Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.id Set-Mailbox 'HUB01@contoso.com' -Type Room @@ -264,7 +277,7 @@ Use this procedure if you use Exchange online. Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. - ```ps1 + ```PowerShell Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!" ``` 
@@ -294,24 +307,38 @@ Use this procedure if you use Exchange online. 7. Connect to Azure AD. + You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command : + + ```PowerShell + Install-Module -Name AzureAD + ``` You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect. - ```ps1 - Connect-MsolService -Credential $cred + ```PowerShell + Import-Module AzureAD + Connect-AzureAD -Credential $cred ``` 8. Assign an Office 365 license. The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account. - Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant. + Next, you can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant. - Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*). + Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable. 
- ```ps1 - Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation 'US' - Get-MsolAccountSku - Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense + ```PowerShell + Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US" + + Get-AzureADSubscribedSku | Select Sku*,*Units + $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense + $License.SkuId = SkuId You selected + + $AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses + $AssignedLicenses.AddLicenses = $License + $AssignedLicenses.RemoveLicenses = @() + + Set-AzureADUserLicense -ObjectId "HUB01@contoso.com" -AssignedLicenses $AssignedLicenses ``` Next, you enable the device account with [Skype for Business Online](#sfb-online), [Skype for Business on-premises](#sfb-onprem), or [Skype for Business hybrid](#sfb-hybrid). @@ -323,22 +350,22 @@ In order to enable Skype for Business, your environment will need to meet the [p 1. Start by creating a remote PowerShell session to the Skype for Business online environment from a PC. - ``` - Import-Module LyncOnlineConnector + ```PowerShell + Import-Module SkypeOnlineConnector $cssess=New-CsOnlineSession -Credential $cred Import-PSSession $cssess -AllowClobber ``` 2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: - ``` + ```PowerShell Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool 'sippoolbl20a04.infra.lync.com' -SipAddressType UserPrincipalName ``` If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: - ``` + ```PowerShell Get-CsOnlineUser -Identity 'HUB01@contoso.com'| fl *registrarpool* ``` 
@@ -368,7 +395,7 @@ For validation, you should be able to use any Skype for Business client (PC, And To run this cmdlet, you will need to connect to one of the Skype front-ends. Open the Skype PowerShell and run: -``` +```PowerShell Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool registrarpoolfqdn -SipAddressType UserPrincipalName ``` @@ -383,7 +410,7 @@ In a hybrid Skype environment, you have to create the user on-premises first, th In order to have a functional Surface Hub account in a Skype hybrid configuration, create the Skype account as a normal user type account, instead of creating the account as a meetingroom. First follow the Exchange steps - either [online](#exchange-online) or [on-premises](#exchange-on-premises) - and, instead of enabling the user for Skype for Business Online as described, [enable the account](https://technet.microsoft.com/library/gg398711.aspx) on the on-premises Skype server: -``` +```PowerShell Enable-CsUser -Identity 'HUB01@contoso.com' -RegistrarPool "registrarpoolfqdn" -SipAddressType UserPrincipalName ``` diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md index 7e530429bf..238158def7 100644 --- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: surfacehub, mobility author: jdeckerms ms.author: jdecker -ms.date: 02/16/2018 +ms.date: 03/07/2018 ms.localizationpriority: medium --- 
@@ -24,9 +24,6 @@ Surface Hub has been validated with Microsoft’s first-party MDM providers: You can also manage Surface Hubs using any third-party MDM provider that can communicate with Windows 10 using the MDM protocol. ->[!NOTE] ->[Azure Active Directory conditional access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access) is not currently available for Surface Hub devices. - ## Enroll a Surface Hub into MDM You can enroll your Surface Hubs using bulk or manual enrollment. @@ -147,7 +144,7 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | | --- | --- | --- |---- | --- | --- | -| Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | No | No | Yes | +| Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes | No | Yes | | Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | | Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md index 6dc990e855..6a314c317a 100644 --- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 08/29/2017 +ms.date: 02/21/2018 ms.localizationpriority: medium --- @@ -25,7 +25,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow Be sure you have the right permissions set to run the associated cmdlets. ```PowerShell - Set-ExecutionPolicy Unrestricted + Set-ExecutionPolicy RemoteSigned $org='contoso.microsoft.com' $cred=Get-Credential admin@$org $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection 
@@ -70,37 +70,52 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow ``` 5. Connect to Azure AD. - + + You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command : + + ```PowerShell + Install-Module -Name AzureAD + ``` You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect. ```PowerShell - Connect-MsolService -Credential $cred + Import-Module AzureAD + Connect-AzureAD -Credential $cred ``` 6. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information. ```PowerShell - Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -PasswordNeverExpires $true + Set-AzureADUser -ObjectId "HUB01@contoso.com" -PasswordPolicies "DisablePasswordExpiration" ``` 7. Surface Hub requires a license for Skype for Business functionality. In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](hybrid-deployment-surface-hub-device-accounts.md#sfb-online). - Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant. + Next, you can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant. - Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*). + Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable. 
```PowerShell - Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation "US" - Get-MsolAccountSku - Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense + Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US" + + Get-AzureADSubscribedSku | Select Sku*,*Units + $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense + $License.SkuId = SkuId You selected + + $AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses + $AssignedLicenses.AddLicenses = $License + $AssignedLicenses.RemoveLicenses = @() + + Set-AzureADUserLicense -ObjectId "HUB01@contoso.com" -AssignedLicenses $AssignedLicenses ``` 8. Enable the device account with Skype for Business. + If the Skype for Business PowerShell module is not installed, [download the Skype for Business Online Windows PowerShell Module](https://www.microsoft.com/download/details.aspx?id=39366). - Start by creating a remote PowerShell session from a PC. ```PowerShell - Import-Module LyncOnlineConnector + Import-Module SkypeOnlineConnector $cssess=New-CsOnlineSession -Credential $cred Import-PSSession $cssess -AllowClobber ``` @@ -108,12 +123,13 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow - Next, if you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet (for example, *alice@contoso.com*): ```PowerShell - Get-CsOnlineUser -Identity ‘alice@contoso.com’| fl *registrarpool* + (Get-CsTenant).TenantPoolExtension ``` OR by setting a variable ```PowerShell - $strRegistrarPool = (Get-CsOnlineUser -Identity ‘alice@contoso.com’).RegistrarPool + $strRegistrarPool = (Get-CsTenant).TenantPoolExtension + $strRegistrarPool = $strRegistrarPool[0].Substring($strRegistrarPool[0].IndexOf(':') + 1) ``` - Enable the Surface Hub account with the following cmdlet: 
diff --git a/devices/surface-hub/surface-hub-authenticator-app.md b/devices/surface-hub/surface-hub-authenticator-app.md index c00bb03bbb..b303d0354c 100644 --- a/devices/surface-hub/surface-hub-authenticator-app.md +++ b/devices/surface-hub/surface-hub-authenticator-app.md @@ -34,7 +34,7 @@ To let people in your organization sign in to Surface Hub with their phones and - Surface Hub is set up with either a local or domain-joined account. -Currently, you cannot use Microsoft Authenticator to sign in to Surface Hubs that are joined to an Active Directory domain or to Azure AD. +Currently, you cannot use Microsoft Authenticator to sign in to Surface Hubs that are joined to Azure AD. ## Individual prerequisites diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index a12b0c33f7..a374627e4d 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -16,6 +16,7 @@ This topic lists new and updated topics in the Surface documentation library. |New or changed topic | Description | | --- | --- | +|[Surface Dock Updater](surface-dock-updater.md) | Added version 2.12.136.0 information | |[Microsoft Surface Data Eraser](microsoft-surface-data-eraser.md) | Added version 3.2.46.0 information | ## January 2018 diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json index 502700db32..86d594455f 100644 --- a/devices/surface/docfx.json +++ b/devices/surface/docfx.json @@ -21,6 +21,9 @@ "ms.topic": "article", "ms.author": "jdecker", "ms.date": "05/09/2017", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "Win.surface" 
diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md index eff1dae917..55d7b233dc 100644 --- a/devices/surface/surface-dock-updater.md +++ b/devices/surface/surface-dock-updater.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: brecords -ms.date: 11/03/2017 +ms.date: 02/23/2018 ms.author: jdecker --- 
@@ -116,6 +116,22 @@ Microsoft periodically updates Surface Dock Updater. To learn more about the app >[!Note] >Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater. +### Version 2.12.136.0 +*Release Date: 29 January 2018* + +This version of Surface Dock Updater adds support for the following: +* Update for Surface Dock Main Chipset Firmware +* Update for Surface Dock DisplayPort Firmware +* Improved display stability for external displays when used with Surface Book or Surface Book 2 + +Additionally, installation of this version of Surface Dock Updater on Surface Book devices includes the following: +* Update for Surface Book Base Firmware +* Added support for Surface Dock firmware updates with improvements targeted to Surface Book devices + +>[!Note] +>Before the Surface Dock firmware update applied by Surface Dock Updater v2.12.136.0 will take effect on a Surface Book device, a firmware update for the Surface Book Base is required. If you install Surface Dock Updater v2.12.136.0 on a Surface Book and update an attached Surface Dock from that same device, the firmware of the Surface Book Base will automatically be updated when installing the Surface Dock Updater. However, if you update a Surface Dock using Surface Dock Updater v2.12.136.0 on different device, and then connect that Surface Dock to a Surface Book where Surface Dock Updater v2.12.136.0 has not been installed, the benefits of the updated Surface Dock will not be enabled. To enable the benefits of the updated Surface Dock on a Surface Book device, Surface Book Base firmware must also be updated by installing Surface Dock Updater v2.12.136.0 on the Surface Book device. Surface Book Base firmware update is not required on a Surface Book 2 device. + + ### Version 2.9.136.0 *Release date: November 3, 2017* 
diff --git a/education/docfx.json b/education/docfx.json index 067964f4d7..c01be28758 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -20,11 +20,14 @@ "audience": "windows-education", "ms.topic": "article", "breadcrumb_path": "/education/breadcrumb/toc.json", - "ms.date": "05/09/2017", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "Win.education" - } + "ms.date": "05/09/2017", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "Win.education" + } } }, "externalReference": [ diff --git a/education/index.md b/education/index.md index 386a59f34f..1f982844d6 100644 --- a/education/index.md +++ b/education/index.md @@ -4,6 +4,7 @@ hide_bc: true title: Microsoft 365 Education documentation and resources | Microsoft Docs description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers. author: CelesteDG +ms.topic: hub-page ms.author: celested ms.date: 10/30/2017 --- @@ -271,7 +272,7 @@ ms.date: 10/30/2017
  • - +
    @@ -282,7 +283,7 @@ ms.date: 10/30/2017

    Microsoft Teams

    -

    Make the most of Microsoft Teams and find out how to deploy, launch pilot teams, and launch Teams to the rest of your institution.

    +

    Make the most of Microsoft Teams and find out how to deploy, launch pilot teams, and launch Teams to the rest of your organization.

    @@ -696,4 +697,4 @@ ms.date: 10/30/2017
  • - \ No newline at end of file + diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md index b932073a8f..d1b54552d1 100644 --- a/education/trial-in-a-box/educator-tib-get-started.md +++ b/education/trial-in-a-box/educator-tib-get-started.md @@ -108,6 +108,7 @@ Microsoft OneNote organizes curriculum and lesson plans for teachers and student **Try this!** See how a group project comes together with opportunities to interact with other students and collaborate with peers. This one works best with the digital pen, included with your Trial in a Box. +When you're not using the pen, just use the magnet to stick it to the left side of the screen until you need it again. 1. On the **Start** menu, click the OneNote shortcut named **Imagine Giza** to open the **Reimagine the Great Pyramid of Giza project**. 2. Take the digital pen out of the box and make notes or draw. @@ -121,7 +122,7 @@ See how a group project comes together with opportunities to interact with other ![OneNote To Do Tag](images/onenote_checkmark.png) - - The Researcher tool from the Insert tab can help find answers. + - To find information without leaving OneNote, use the Researcher tool found under the Insert tab. ![OneNote Researcher](images/onenote_researcher.png) @@ -153,8 +154,9 @@ Today, we'll explore a Minecraft world through the eyes of a student. 9. Explore the world by using the keys on your keyboard. * **W** moves forward. * **A** moves left. - * **D** moves right. - * **S** moves backward + * **S** moves right. + * **D** moves backward. + 10. Use your mouse as your "eyes". Just move it to look around. 11. For a bird's eye view, double-tap the SPACE BAR. Now press the SPACE BAR to fly higher. And then hold the SHIFT key to safely land. 
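Review bot: In the `@@ -153,8 +154,9 @@` hunk of educator-tib-get-started.md, the added lines `**S** moves right.` and `**D** moves backward.` swap the two bindings. In the W/A/S/D layout that the unchanged lines describe (W forward, A left), S moves backward and D moves right, which is what the removed lines said. If the intent was only to list the keys in W, A, S, D order and add the missing period, keep the new order but restore the actions: `**S** moves backward.` followed by `**D** moves right.`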
diff --git a/education/trial-in-a-box/images/onenote_checkmark.PNG b/education/trial-in-a-box/images/onenote_checkmark.PNG deleted file mode 100644 index fc6cccebc4..0000000000 Binary files a/education/trial-in-a-box/images/onenote_checkmark.PNG and /dev/null differ diff --git a/education/trial-in-a-box/images/onenote_checkmark.png b/education/trial-in-a-box/images/onenote_checkmark.png new file mode 100644 index 0000000000..1d276b4c1d Binary files /dev/null and b/education/trial-in-a-box/images/onenote_checkmark.png differ diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index ca5709975a..0775c1d4c7 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -8,13 +8,19 @@ ms.sitesec: library ms.pagetype: edu author: CelesteDG ms.author: celested -ms.date: 11/27/2017 +ms.date: 03/08/2018 --- # Change history for Windows 10 for Education This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation. +## March 2018 + +New or changed topic | Description +--- | --- +[Reset devices with Windows Automatic Redeployment](windows-automatic-redeployment.md) | Added section for troubleshooting Windows Automatic Redeployment. + ## November 2017 | New or changed topic | Description | diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 59d779962f..c4c3cbd233 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md 
@@ -1,312 +1,309 @@ ---- -title: Set up School PCs app technical reference -description: Describes the changes that the Set up School PCs app makes to a PC. -keywords: shared cart, shared PC, school, set up school pcs -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: edu -ms.localizationpriority: high -author: CelesteDG -ms.author: celested -ms.date: 02/02/2018 ---- - -# Technical reference for the Set up School PCs app -**Applies to:** - -- Windows 10 - - - -The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode. The latest Set up School PCs app is available for Windows 10, version 1703 (Creators Update). Set up School PCs also configures school-specific settings and policies, described in this topic. - -If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up School PCs app will create a setup file that joins the PC to your Azure Active Directory tenant. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity. - -Here's a list of what you get when using the Set up School PCs app in your school. - -| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium | -| --- | :---: | :---: | :---: | :---: | -| **Fast sign-in**
    Each student can sign in and start using the computer in less than a minute, even on their first sign-in. | X | X | X | X | -| **Custom Start experience**
    The apps students need are pinned to Start, and unnecessary apps are removed. | X | X | X | X | -| **Guest account, no sign-in required**
    This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X | -| **School policies**
    Settings specific to education create a useful learning environment and the best computer performance. | X | X | X | X | -| **Azure AD Join**
    The computers are joined to your Azure AD or Office 365 subscription for centralized management. | | X | X | X | -| **Single sign-on to Office 365**
    By signing on with student IDs, students have fast access to Office 365 web apps or installed Office apps. | | | X | X | -| **Take a Test**
    Configure the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. | | | | X | -| **[Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) via Azure AD**
    Student user and application settings data can be synchronized across devices for a personalized experience. | | | | X | - - -> [!NOTE] -> If your school uses Active Directory, use [Windows Configuration Designer](set-up-students-pcs-to-join-domain.md) to configure your PCs to join the domain. You can only use the Set up School PCs app to set up PCs that are connected to Azure AD. - -## Automated Azure AD join -One of the most important features in Set up School PCs is the ability to create a provisioning package that performs automated Azure AD join. With this feature, you no longer have to spend minutes going through Windows setup, manually connecting to a network, and manually joining your Azure AD domain. With the automated Azure AD join feature in Set up School School PCs, this process is reduced to zero clicks! You can skip all of the Windows setup experience and the OS automatically joins the PC to your Azure AD domain and enrolls it into MDM if you have a MDM provider activated. - -To make this as seamless as possible, in your Azure AD tenant: -- Allow your teacher and other IT staff to join devices to Azure AD so they can sucessfully request an automated Azure AD join token. - - In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and in **Users may join devices to Azure AD**, click **Selected** and choose the members you want to enable to join devices to Azure AD. - - **Figure 1** - Select the users you want to enable to join devices to Azure AD - - ![Select the users you want to enable to join devices to Azure AD](images/azuread_usersandgroups_devicesettings_usersmayjoin.png) - -- Consider creating a special account that uses a username and password that you provide, and which has the rights to join devices if you don't want to add all teachers and IT staff. - - When teachers or IT staff need to set up PCs, they can use this account in the Set up School PCs app. 
- - If you use a service to set up PCs for you, you can give them this special account so they can deliver PCs to you that are already Azure AD joined and ready to be given to a student. - -- Turn off multifactor authentication. - - In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Require Multi-Factor Auth to join devices** to **No**. - - **Figure 2** - Turn off multi-factor authentication in Azure AD - - ![Turn off multi-factor authentication in Azure AD](images/azuread_usersandgroups_devicesettings_requiremultifactorauth.png) - -- Set the maximum number of devices a user can add to unlimited. - - In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Maximum number of devices per user** to **Unlimited**. - - **Figure 3** - Set maximum number of devices per user to unlimited - - ![Set maximum number of devices per user to unlimited](images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png) - -- Clear your Azure AD tokens from time to time. Your tenant can only have 500 automated Azure AD tokens active at any one time. - - In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > All users** and look at the list of user names. User names that start with **package_** followed by a string of letters and numbers. These are the user accounts that are created automatically for the tokens and you can safely delete these. - - **Figure 4** - Delete the accounts automatically created for the Azure AD tokens - - ![Delete the accounts automatically created for the Azure AD tokens](images/azuread_usersandgroups_allusers_automaticaccounts.png) - -- Note that automated Azure AD tokens have expiration dates. Set up School PCs creates them with an expiration date of one month. You will see the specific expiration date for the package in the **Review package summary** page in Set up School PCs. 
- - **Figure 5** - Sample summary page showing the expiration date - - ![Sample summary page showing the expiration date](images/suspc_choosesettings_summary.png) - - - - - -## Information about Windows Update - -Shared PC mode helps ensure that computers are always up-to-date. If a PC is configured using the Set up School PCs app, shared PC mode sets the power states and Windows Update to: -* Wake nightly -* Check and install updates -* Forcibly reboot if necessary to finish applying updates - -The PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. Notfications are also blocked. - -## Guidance for accounts on shared PCs - -* We recommend no local admin accounts on the PC to improve the reliability and security of the PC. -* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** or **Kiosk** will also be deleted automatically at sign out. -* On a Windows PC joined to Azure Active Directory: - * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. - * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. -* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts created through **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. 
However, any new local accounts created by the **Guest** or **Kiosk** selection on the sign-in screen, if enabled, will automatically be deleted at sign-out. -* If admin accounts are necessary on the PC - * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or - * Create admin accounts before setting up shared PC mode, or - * Create exempt accounts before signing out. -* The account management service supports accounts that are exempt from deletion. - * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key. - * To add the account SID to the registry key using PowerShell: - - ``` - $adminName = "LocalAdmin" - $adminPass = 'Pa$$word123' - iex "net user /add $adminName $adminPass" - $user = New-Object System.Security.Principal.NTAccount($adminName) - $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) - $sid = $sid.Value; - New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force - ``` - -## Custom images -Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the `/oobe` flag to create an image that teachers can then apply the Set up School PCs provisioning package to. [Learn more about sysprep](https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx). - -## Provisioning package details - -The Set up School PCs app produces a specialized provisioning package that makes use of the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx). - -### Education customizations set by local MDM policy - -- By default, saving content locally to the PC is blocked, but you can choose to enable it. This prevents data loss by forcing students to save to the cloud. 
-- A custom Start layout, taskbar layout, and lock screen image are set. -- Prohibits unlocking the PC to developer mode. -- Prohibits untrusted Microsoft Store apps from being installed. -- Prohibits students from removing MDM. -- Prohibits students from adding new provisioning packages. -- Prohibits student from removing existing provisioning packages (including the one set by Set up School PCs). -- Sets Windows Update to update nightly. - - -### Uninstalled apps - -- 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe) -- Weather (Microsoft.BingWeather_8wekyb3d8bbwe) -- Tips (Microsoft.Getstarted_8wekyb3d8bbwe) -- Get Office (Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) -- Microsoft Solitaire Collection (Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) -- Paid Wi-Fi & Cellular (Microsoft.OneConnect_8wekyb3d8bbwe) -- Feedback Hub (Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) -- Xbox (Microsoft.XboxApp_8wekyb3d8bbwe) -- Mail/Calendar (microsoft.windowscommunicationsapps_8wekyb3d8bbwe) - -### Local Group Policies - -> [!IMPORTANT] -> We do not recommend setting additional policies on PCs configured with the Set up School PCs app. The shared PC mode is optimized to be fast and reliable over time with minimal to no manual maintenance required. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Policy path

    Policy name

    Value

    Admin Templates > Control Panel > Personalization

    Prevent enabling lock screen slide show

    Enabled

    Prevent changing lock screen and logon image

    Enabled

    Admin Templates > System > Power Management > Button Settings

    Select the Power button action (plugged in)

    Sleep

    Select the Power button action (on battery)

    Sleep

    Select the Sleep button action (plugged in)

    Sleep

    Select the lid switch action (plugged in)

    Sleep

    Select the lid switch action (on battery)

    Sleep

    Admin Templates > System > Power Management > Sleep Settings

    Require a password when a computer wakes (plugged in)

    Enabled

    Require a password when a computer wakes (on battery)

    Enabled

    Specify the system sleep timeout (plugged in)

    5 minutes

    Specify the system sleep timeout (on battery)

    5 minutes

    Turn off hybrid sleep (plugged in)

    Enabled

    Turn off hybrid sleep (on battery)

    Enabled

    Specify the unattended sleep timeout (plugged in)

    5 minutes

    Specify the unattended sleep timeout (on battery)

    5 minutes

    Allow standby states (S1-S3) when sleeping (plugged in)

    Enabled

    Allow standby states (S1-S3) when sleeping (on battery)

    Enabled

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    Admin Templates>System>Power Management>Video and Display Settings

    Turn off the display (plugged in)

    5 minutes

    Turn off the display (on battery)

    5 minutes

    Admin Templates>System>Power Management>Energy Saver Settings

    Energy Saver Battery Threshold (on battery)

    70

    Admin Templates>System>Logon

    Show first sign-in animation

    Disabled

    Hide entry points for Fast User Switching

    Enabled

    Turn on convenience PIN sign-in

    Disabled

    Turn off picture password sign-in

    Enabled

    Turn off app notification on the lock screen

    Enabled

    Allow users to select when a password is required when resuming from connected standby

    Disabled

    Block user from showing account details on sign-in

    Enabled

    Admin Templates>System>User Profiles

    Turn off the advertising ID

    Enabled

    Admin Templates>Windows Components>Biometrics

    Allow the use of biometrics

    Disabled

    Allow users to log on using biometrics

    Disabled

    Allow domain users to log on using biometrics

    Disabled

    Admin Templates>Windows Components>Cloud Content

    Do not show Windows Tips

    Enabled

    Turn off Microsoft consumer experiences

    Enabled

    Admin Templates>Windows Components>Data Collection and Preview Builds

    Toggle user control over Insider builds

    Disabled

    Disable pre-release features or settings

    Disabled

    Do not show feedback notifications

    Enabled

    Allow Telemetry

    Basic, 0

    Admin Templates > Windows Components > File Explorer

    Show lock in the user tile menu

    Disabled

    Admin Templates > Windows Components > Maintenance Scheduler

    Automatic Maintenance Activation Boundary

    *MaintenanceStartTime*

    Automatic Maintenance Random Delay

    Enabled, 2 hours

    Automatic Maintenance WakeUp Policy

    Enabled

    Admin Templates > Windows Components > OneDrive

    Prevent the usage of OneDrive for file storage

    Enabled

    Admin Templates > Windows Components > Windows Hello for Business

    Use phone sign-in

    Disabled

    Use Windows Hello for Business

    Disabled

    Use biometrics

    Disabled

    Windows Settings > Security Settings > Local Policies > Security Options

    Accounts: Block Microsoft accounts

    **Note** Microsoft accounts can still be used in apps.

    Enabled

    Interactive logon: Do not display last user name

    Enabled

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

    Shutdown: Allow system to be shut down without having to log on

    Enabled

    User Account Control: Behavior of the elevation prompt for standard users

    Auto deny


    - -## Use the app -When you're ready to use the app, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). - -## Related topics - -[Set up Windows devices for education](set-up-windows-10.md) - - - - - +--- +title: Set up School PCs app technical reference +description: Describes the changes that the Set up School PCs app makes to a PC. +keywords: shared cart, shared PC, school, set up school pcs +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +ms.localizationpriority: high +author: CelesteDG +ms.author: celested +ms.date: 03/12/2018 +--- + +# Technical reference for the Set up School PCs app +**Applies to:** + +- Windows 10 + + + +The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode. The latest Set up School PCs app is available for Windows 10, version 1703 (Creators Update). Set up School PCs also configures school-specific settings and policies, described in this topic. + +If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up School PCs app will create a setup file that joins the PC to your Azure Active Directory tenant. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity. + +Here's a list of what you get when using the Set up School PCs app in your school. + +| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium | +| --- | :---: | :---: | :---: | :---: | +| **Fast sign-in**
    Each student can sign in and start using the computer in less than a minute, even on their first sign-in. | X | X | X | X | +| **Custom Start experience**
    The apps students need are pinned to Start, and unnecessary apps are removed. | X | X | X | X | +| **Guest account, no sign-in required**
    This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X | +| **School policies**
    Settings specific to education create a useful learning environment and the best computer performance. | X | X | X | X | +| **Azure AD Join**
    The computers are joined to your Azure AD or Office 365 subscription for centralized management. | | X | X | X | +| **Single sign-on to Office 365**
    By signing on with student IDs, students have fast access to Office 365 web apps or installed Office apps. | | | X | X | +| **Take a Test**
    Configure the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. | | | | X | +| **[Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) via Azure AD**
    Student user and application settings data can be synchronized across devices for a personalized experience. | | | | X | + + +> [!NOTE] +> If your school uses Active Directory, use [Windows Configuration Designer](set-up-students-pcs-to-join-domain.md) to configure your PCs to join the domain. You can only use the Set up School PCs app to set up PCs that are connected to Azure AD. + +## Automated Azure AD join +One of the most important features in Set up School PCs is the ability to create a provisioning package that performs automated Azure AD join. With this feature, you no longer have to spend minutes going through Windows setup, manually connecting to a network, and manually joining your Azure AD domain. With the automated Azure AD join feature in Set up School School PCs, this process is reduced to zero clicks! You can skip all of the Windows setup experience and the OS automatically joins the PC to your Azure AD domain and enrolls it into MDM if you have a MDM provider activated. + +To make this as seamless as possible, in your Azure AD tenant: +- Allow your teacher and other IT staff to join devices to Azure AD so they can sucessfully request an automated Azure AD join token. + + In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and in **Users may join devices to Azure AD**, click **Selected** and choose the members you want to enable to join devices to Azure AD. + + **Figure 1** - Select the users you want to enable to join devices to Azure AD + + ![Select the users you want to enable to join devices to Azure AD](images/azuread_usersandgroups_devicesettings_usersmayjoin.png) + +- Consider creating a special account that uses a username and password that you provide, and which has the rights to join devices if you don't want to add all teachers and IT staff. + - When teachers or IT staff need to set up PCs, they can use this account in the Set up School PCs app. 
+ - If you use a service to set up PCs for you, you can give them this special account so they can deliver PCs to you that are already Azure AD joined and ready to be given to a student. + +- Turn off multifactor authentication. + + In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Require Multi-Factor Auth to join devices** to **No**. + + **Figure 2** - Turn off multi-factor authentication in Azure AD + + ![Turn off multi-factor authentication in Azure AD](images/azuread_usersandgroups_devicesettings_requiremultifactorauth.png) + +- Set the maximum number of devices a user can add to unlimited. + + In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Maximum number of devices per user** to **Unlimited**. + + **Figure 3** - Set maximum number of devices per user to unlimited + + ![Set maximum number of devices per user to unlimited](images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png) + +- Clear your Azure AD tokens from time to time. Your tenant can only have 500 automated Azure AD tokens active at any one time. + + In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > All users** and look at the list of user names. User names that start with **package_** followed by a string of letters and numbers. These are the user accounts that are created automatically for the tokens and you can safely delete these. + + **Figure 4** - Delete the accounts automatically created for the Azure AD tokens + + ![Delete the accounts automatically created for the Azure AD tokens](images/azuread_usersandgroups_allusers_automaticaccounts.png) + +- Note that automated Azure AD tokens have expiration dates. Set up School PCs creates them with an expiration date of one month. You will see the specific expiration date for the package in the **Review package summary** page in Set up School PCs. 
+ + **Figure 5** - Sample summary page showing the expiration date + + ![Sample summary page showing the expiration date](images/suspc_choosesettings_summary.png) + + + + + +## Information about Windows Update + +Shared PC mode helps ensure that computers are always up-to-date. If a PC is configured using the Set up School PCs app, shared PC mode sets the power states and Windows Update to: +* Wake nightly +* Check and install updates +* Forcibly reboot if necessary to finish applying updates + +The PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. Notfications are also blocked. + +## Guidance for accounts on shared PCs + +* We recommend no local admin accounts on the PC to improve the reliability and security of the PC. +* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** or **Kiosk** will also be deleted automatically at sign out. +* On a Windows PC joined to Azure Active Directory: + * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. + * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. +* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts created through **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. 
However, any new local accounts created by the **Guest** or **Kiosk** selection on the sign-in screen, if enabled, will automatically be deleted at sign-out. +* If admin accounts are necessary on the PC + * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or + * Create admin accounts before setting up shared PC mode, or + * Create exempt accounts before signing out. +* The account management service supports accounts that are exempt from deletion. + * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key. + * To add the account SID to the registry key using PowerShell: + + ``` + $adminName = "LocalAdmin" + $adminPass = 'Pa$$word123' + iex "net user /add $adminName $adminPass" + $user = New-Object System.Security.Principal.NTAccount($adminName) + $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) + $sid = $sid.Value; + New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force + ``` + +## Custom images +Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the `/oobe` flag to create an image that teachers can then apply the Set up School PCs provisioning package to. [Learn more about sysprep](https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx). + +## Provisioning package details + +The Set up School PCs app produces a specialized provisioning package that makes use of the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx). + +### Education customizations set by local MDM policy + +- By default, saving content locally to the PC is blocked, but you can choose to enable it. This prevents data loss by forcing students to save to the cloud. 
+- A custom Start layout, taskbar layout, and lock screen image are set. +- Prohibits unlocking the PC to developer mode. +- Prohibits untrusted Microsoft Store apps from being installed. +- Prohibits students from removing MDM. +- Prohibits students from adding new provisioning packages. +- Prohibits student from removing existing provisioning packages (including the one set by Set up School PCs). +- Sets Windows Update to update nightly. + + +### Uninstalled apps + +- 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe) +- Weather (Microsoft.BingWeather_8wekyb3d8bbwe) +- Tips (Microsoft.Getstarted_8wekyb3d8bbwe) +- Get Office (Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) +- Microsoft Solitaire Collection (Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) +- Paid Wi-Fi & Cellular (Microsoft.OneConnect_8wekyb3d8bbwe) +- Feedback Hub (Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) +- Xbox (Microsoft.XboxApp_8wekyb3d8bbwe) +- Mail/Calendar (microsoft.windowscommunicationsapps_8wekyb3d8bbwe) + +### Local Group Policies + +> [!IMPORTANT] +> We do not recommend setting additional policies on PCs configured with the Set up School PCs app. The shared PC mode is optimized to be fast and reliable over time with minimal to no manual maintenance required. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    Policy path

    Policy name

    Value

    Admin Templates > Control Panel > Personalization

    Prevent enabling lock screen slide show

    Enabled

    Prevent changing lock screen and logon image

    Enabled

    Admin Templates > System > Power Management > Button Settings

    Select the Power button action (plugged in)

    Sleep

    Select the Power button action (on battery)

    Sleep

    Select the Sleep button action (plugged in)

    Sleep

    Select the lid switch action (plugged in)

    Sleep

    Select the lid switch action (on battery)

    Sleep

    Admin Templates > System > Power Management > Sleep Settings

    Require a password when a computer wakes (plugged in)

    Enabled

    Require a password when a computer wakes (on battery)

    Enabled

    Specify the system sleep timeout (plugged in)

    5 minutes

    Specify the system sleep timeout (on battery)

    5 minutes

    Turn off hybrid sleep (plugged in)

    Enabled

    Turn off hybrid sleep (on battery)

    Enabled

    Specify the unattended sleep timeout (plugged in)

    5 minutes

    Specify the unattended sleep timeout (on battery)

    5 minutes

    Allow standby states (S1-S3) when sleeping (plugged in)

    Enabled

    Allow standby states (S1-S3) when sleeping (on battery)

    Enabled

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    Admin Templates>System>Power Management>Video and Display Settings

    Turn off the display (plugged in)

    5 minutes

    Turn off the display (on battery)

    5 minutes

    Admin Templates>System>Power Management>Energy Saver Settings

    Energy Saver Battery Threshold (on battery)

    70

    Admin Templates>System>Logon

    Show first sign-in animation

    Disabled

    Hide entry points for Fast User Switching

    Enabled

    Turn on convenience PIN sign-in

    Disabled

    Turn off picture password sign-in

    Enabled

    Turn off app notification on the lock screen

    Enabled

    Allow users to select when a password is required when resuming from connected standby

    Disabled

    Block user from showing account details on sign-in

    Enabled

    Admin Templates>System>User Profiles

    Turn off the advertising ID

    Enabled

    Admin Templates>Windows Components>Biometrics

    Allow the use of biometrics

    Disabled

    Allow users to log on using biometrics

    Disabled

    Allow domain users to log on using biometrics

    Disabled

    Admin Templates>Windows Components>Cloud Content

    Do not show Windows Tips

    Enabled

    Turn off Microsoft consumer experiences

    Enabled

    Admin Templates>Windows Components>Data Collection and Preview Builds

    Toggle user control over Insider builds

    Disabled

    Disable pre-release features or settings

    Disabled

    Do not show feedback notifications

    Enabled

    Allow Telemetry

    Basic, 0

    Admin Templates > Windows Components > File Explorer

    Show lock in the user tile menu

    Disabled

    Admin Templates > Windows Components > Maintenance Scheduler

    Automatic Maintenance Activation Boundary

    *MaintenanceStartTime*

    Automatic Maintenance Random Delay

    Enabled, 2 hours

    Automatic Maintenance WakeUp Policy

    Enabled

    Admin Templates > Windows Components > OneDrive

    Prevent the usage of OneDrive for file storage

    Enabled

    Admin Templates > Windows Components > Windows Hello for Business

    Use phone sign-in

    Disabled

    Use Windows Hello for Business

    Disabled

    Use biometrics

    Disabled

    Windows Settings > Security Settings > Local Policies > Security Options

    Accounts: Block Microsoft accounts

    **Note** Microsoft accounts can still be used in apps.

    Enabled

    Interactive logon: Do not display last user name

    Enabled

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

    User Account Control: Behavior of the elevation prompt for standard users

    Auto deny


    + +## Use the app +When you're ready to use the app, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). + +## Related topics + +[Set up Windows devices for education](set-up-windows-10.md) + + + + + diff --git a/education/windows/windows-automatic-redeployment.md b/education/windows/windows-automatic-redeployment.md index cbeaace1d6..f65d87c10f 100644 --- a/education/windows/windows-automatic-redeployment.md +++ b/education/windows/windows-automatic-redeployment.md @@ -9,7 +9,7 @@ ms.pagetype: edu ms.localizationpriority: high author: CelesteDG ms.author: celested -ms.date: 12/11/2017 +ms.date: 03/08/2018 --- # Reset devices with Windows Automatic Redeployment @@ -25,6 +25,9 @@ To enable Windows Automatic Redeployment in Windows 10, version 1709 (Fall Creat 2. [Trigger a reset for each device](#trigger-windows-automatic-redeployment) ## Enable Windows Automatic Redeployment + +To use Windows Automatic Redeployment, [Windows Recovery Environment (WinRE) must be enabled on the device](#winre). + **DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Windows Automatic Redeployment. It is a policy node in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (Disable). This ensures that Windows Automatic Redeployment isn't triggered by accident. You can set the policy using one of these methods: 
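Review bot: The sentence added under "Enable Windows Automatic Redeployment" links to `#winre`, but the only related heading this patch adds is "Troubleshoot Windows Automatic Redeployment", and the other in-page link in this file (`#trigger-windows-automatic-redeployment`) follows the heading text. Confirm that an explicit `winre` anchor is defined next to the troubleshooting heading, or point the link at that heading's own anchor, so the prerequisite link does not dead-end.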
@@ -84,6 +87,25 @@ Windows Automatic Redeployment is a two-step process: trigger it and then authen Once provisioning is complete, the device is again ready for use. + +## Troubleshoot Windows Automatic Redeployment + +Windows Automatic Redeployment will fail when the [Windows Recovery Environment (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is not enabled on the device. You will see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`. + +To check if WinRE is enabled, use the [REAgentC.exe tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command: + +``` +reagent /info +``` + +If WinRE is not enabled, use the [REAgentC.exe tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command: + +``` +reagent /enable +``` + +If Windows Automatic Reployment fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance. + ## Related topics [Set up Windows devices for education](set-up-windows-10.md) diff --git a/gdpr/docfx.json b/gdpr/docfx.json index dd5fca1462..d426f781dc 100644 --- a/gdpr/docfx.json +++ b/gdpr/docfx.json @@ -31,7 +31,10 @@ "externalReference": [], "globalMetadata": { "author": "eross-msft", - "ms.author": "lizross" + "ms.author": "lizross", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app" }, "fileMetadata": {}, "template": [], diff --git a/mdop/docfx.json b/mdop/docfx.json index a9a41d5222..a6ff6398ef 100644 --- a/mdop/docfx.json +++ b/mdop/docfx.json 
@@ -22,6 +22,9 @@ "ms.topic": "article", "ms.author": "jamiet", "ms.date": "04/05/2017", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "Win.mdop" diff --git a/mdop/uev-v1/deploying-the-ue-v-agent.md b/mdop/uev-v1/deploying-the-ue-v-agent.md index df6cebfaaa..8656b04ed5 100644 --- a/mdop/uev-v1/deploying-the-ue-v-agent.md +++ b/mdop/uev-v1/deploying-the-ue-v-agent.md @@ -82,7 +82,8 @@ The Microsoft User Experience Virtualization (UE-V) agent must run on each compu

    CEIPEnabled

    Specifies the setting for participation in the Customer Experience Improvement program. If set to true, then installer information is uploaded to the Microsoft Customer Experience Improvement Program site. If set to false, then no information is uploaded.

    True | False

    -

    Default: False

    +

    Default: False

    +

    On Windows 7: True

    diff --git a/smb/docfx.json b/smb/docfx.json index 866b2b152c..181bf75fda 100644 --- a/smb/docfx.json +++ b/smb/docfx.json @@ -31,6 +31,9 @@ "globalMetadata": { "uhfHeaderId": "MSDocsHeader-WindowsIT", "breadcrumb_path": "/windows/smb/breadcrumb/toc.json", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "TechNet.smb" diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json index accb0bcea0..d739d26b28 100644 --- a/store-for-business/docfx.json +++ b/store-for-business/docfx.json @@ -37,7 +37,10 @@ "ms.technology": "windows", "ms.topic": "article", "ms.date": "05/09/2017", - "searchScope": ["Store"], + "searchScope": ["Store"], + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.store-for-business" diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md index a9ee4e4cc8..5fe043b48f 100644 --- a/windows/application-management/app-v/appv-performance-guidance.md +++ b/windows/application-management/app-v/appv-performance-guidance.md @@ -13,7 +13,10 @@ ms.date: 04/19/2017 # Performance Guidance for Application Virtualization **Applies to** -- Windows 10, version 1607 +- Windows 7 SP1 +- Windows 10 +- Server 2012 R2 +- Server 2016 Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI. 
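Review bot: In the **Applies to** list of `appv-performance-guidance.md`, the new entries read "Server 2012 R2" and "Server 2016", while the matching list added to the RunVirtual topic in this same patch uses "Windows Server 2012 R2" and "Windows Server 2016"; use the full product names in both. The hunk header also shows `ms.date: 04/19/2017` left unchanged here, although the RunVirtual topic's date is bumped to 03/08/2018 for the same kind of edit.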
diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md index 4dd867d228..c404cdd892 100644 --- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md +++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md @@ -6,14 +6,17 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 03/08/2018 --- # Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications **Applies to** -- Windows 10, version 1607 +- Windows 7 SP1 +- Windows 10 +- Windows Server 2012 R2 +- Windows Server 2016 You can run a locally installed application in a virtual environment, alongside applications that have been virtualized by using Microsoft Application Virtualization (App-V). You might want to do this if you: @@ -42,6 +45,7 @@ There is no Group Policy setting available to manage this registry key, so you h Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages globally or to the user. + ### Steps to create the subkey 1. Using the information in the following table, create a new registry key using the name of the executable file, for example, **MyApp.exe**. @@ -79,7 +83,7 @@ Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages glo
  • If you want to include multiple packages in the virtual environment, you must include them in an enabled connection group.

  • Create only one subkey for one of the packages in the connection group. If, for example, you have one package that is published globally, and another package that is published to the user, you create a subkey for either of these packages, but not both. Although you create a subkey for only one of the packages, all of the packages in the connection group, plus the local application, will be available in the virtual environment.

  • The key under which you create the subkey must match the publishing method you used for the package.

    -

    For example, if you published the package to the user, you must create the subkey under HKEY_CURRENT_USER\SOFTWARE\Microsoft\AppV\Client\RunVirtual.

  • +

    For example, if you published the package to the user, you must create the subkey under HKEY_CURRENT_USER\SOFTWARE\Microsoft\AppV\Client\RunVirtual. Do not add a key for the same application under both hives.

    diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index 285dcee673..7d3ae2dae2 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -37,6 +37,9 @@ "ms.topic": "article", "ms.author": "elizapo", "ms.date": "04/05/2017", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.win-app-management" diff --git a/windows/application-management/media/cmd-type.png b/windows/application-management/media/cmd-type.png new file mode 100644 index 0000000000..a6c13e8c7c Binary files /dev/null and b/windows/application-management/media/cmd-type.png differ diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index 69b7933f18..7e6bf874fa 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md @@ -67,8 +67,6 @@ In light of these restrictions, you can use the following methods to manage per- You can manage the CDPUserSvc and OneSyncSvc per-user services with a [security template](/windows/device-security/security-policy-settings/administer-security-policy-settings#bkmk-sectmpl). See [Administer security policy settings](/windows/device-security/security-policy-settings/administer-security-policy-settings) for more information. -device-security/security-policy-settings/administer-security-policy-settings - For example: ``` 
@@ -113,8 +111,8 @@ If a per-user service can't be disabled using a the security template, you can d ### Managing Template Services with reg.exe -If you cannot use GPP to manage the per-user services you can edit the registry with reg.exe. -To disable the Template Services change the Startup Type for each service to 4 (disabled). +If you cannot use Group Policy Preferences to manage the per-user services, you can edit the registry with reg.exe. +To disable the Template Services, change the Startup Type for each service to 4 (disabled). For example: ```code @@ -173,4 +171,10 @@ For example, you might see the following per-user services listed in the Service - ContactData_443f50 - Sync Host_443f50 - User Data Access_443f50 -- User Data Storage_443f50 \ No newline at end of file +- User Data Storage_443f50 + +## View per-user services from the command line + +You can query the service configuration from the command line. The **Type** value indicates whether the service is a user-service template or user-service instance. + +![Use sc.exe to view service type](media/cmd-type.png) diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index f649a5d1af..4fc5382798 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -37,6 +37,9 @@ "ms.topic": "article", "ms.author": "dongill", "ms.date": "04/05/2017", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.win-client-management" diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index e77a3132db..675af55231 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md 
@@ -89,7 +89,7 @@ First, you create a default user profile with the customizations that you want, >![Microsoft Bing Translator package](images/sysprep-error.png) - >Use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) cmdlet in Windows PowerShell to uninstall the app that is listed in the log. + >Use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/en-us/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log. 5. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges. diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 1ac5a9f388..c29fa0959d 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -155,6 +155,8 @@ #### [Maps DDF](maps-ddf-file.md) ### [Messaging CSP](messaging-csp.md) #### [Messaging DDF file](messaging-ddf.md) +### [MultiSIM CSP](multisim-csp.md) +#### [MultiSIM DDF file](multisim-ddf.md) ### [NAP CSP](nap-csp.md) ### [NAPDEF CSP](napdef-csp.md) ### [NetworkProxy CSP](networkproxy-csp.md) @@ -178,6 +180,7 @@ #### [ActiveXControls](policy-csp-activexcontrols.md) #### [ApplicationDefaults](policy-csp-applicationdefaults.md) #### [ApplicationManagement](policy-csp-applicationmanagement.md) +#### [AppRuntime](policy-csp-appruntime.md) #### [AppVirtualization](policy-csp-appvirtualization.md) #### [AttachmentManager](policy-csp-attachmentmanager.md) #### [Authentication](policy-csp-authentication.md) 
@@ -189,6 +192,7 @@ #### [Cellular](policy-csp-cellular.md) #### [Connectivity](policy-csp-connectivity.md) #### [ControlPolicyConflict](policy-csp-controlpolicyconflict.md) +#### [CredentialsDelegation](policy-csp-credentialsdelegation.md) #### [CredentialProviders](policy-csp-credentialproviders.md) #### [CredentialsUI](policy-csp-credentialsui.md) #### [Cryptography](policy-csp-cryptography.md) @@ -207,6 +211,7 @@ #### [EventLogService](policy-csp-eventlogservice.md) #### [Experience](policy-csp-experience.md) #### [ExploitGuard](policy-csp-exploitguard.md) +#### [FileExplorer](policy-csp-fileexplorer.md) #### [Games](policy-csp-games.md) #### [Handwriting](policy-csp-handwriting.md) #### [InternetExplorer](policy-csp-internetexplorer.md) @@ -218,6 +223,8 @@ #### [LockDown](policy-csp-lockdown.md) #### [Maps](policy-csp-maps.md) #### [Messaging](policy-csp-messaging.md) +#### [MSSecurityGuide](policy-csp-mssecurityguide.md) +#### [MSSLegacy](policy-csp-msslegacy.md) #### [NetworkIsolation](policy-csp-networkisolation.md) #### [Notifications](policy-csp-notifications.md) #### [Power](policy-csp-power.md) @@ -244,9 +251,11 @@ #### [Update](policy-csp-update.md) #### [UserRights](policy-csp-userrights.md) #### [Wifi](policy-csp-wifi.md) +#### [WindowsConnectionManager](policy-csp-windowsconnectionmanager.md) #### [WindowsDefenderSecurityCenter](policy-csp-windowsdefendersecuritycenter.md) #### [WindowsInkWorkspace](policy-csp-windowsinkworkspace.md) #### [WindowsLogon](policy-csp-windowslogon.md) +#### [WindowsPowerShell](policy-csp-windowspowershell.md) #### [WirelessDisplay](policy-csp-wirelessdisplay.md) ### [PolicyManager CSP](policymanager-csp.md) ### [Provisioning CSP](provisioning-csp.md) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index fb0f0a1d5b..b08768dc86 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md 
@@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/03/2017 +ms.date: 03/01/2018 --- # AssignedAccess CSP @@ -62,7 +62,8 @@ The supported operations are Add, Delete, Get and Replace. When there's no confi Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps).Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). > [!Note] -> You cannot set both KioskModeApp and Configuration at the same time in the device in Windows 10, version 1709. +> You cannot set both KioskModeApp and Configuration at the same time on the device in Windows 10, version 1709. +> You cannot set both ShellLauncher and Configuration at the same time on the device. Enterprises can use this to easily configure and manage the curated lockdown experience. @@ -70,6 +71,58 @@ Supported operations are Add, Get, Delete, and Replace. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies back (e.g. Start Layout). +
    **./Device/Vendor/MSFT/AssignedAccess/Status** +Added in Windows 10, version 1803. This read only polling node allows MDM server to query the current KioskModeAppRuntimeStatus as long as the StatusConfiguration node is set to “On” or “OnWithAlerts”. If the StatusConfiguration is “Off”, a node not found error will be reported to the MDM server. Click [link](#status-example) to see an example SyncML. [Here](#assignedaccessalert-xsd) is the schema for the Status payload. + +In Windows 10, version 1803, Assigned Access runtime status only supports monitoring single app kiosk mode. Here are the possible status available for single app kiosk mode. + +|Status |Description | +|---------|---------|---------| +| KioskModeAppRunning | This means the kiosk app is running normally. | +| KioskModeAppNotFound | This occurs when the kiosk app is not deployed to the machine. | +| KioskModeAppActivationFailure | This happens when the assigned access controller detects the process terminated unexpectedly after exceeding the max retry. | + +Note that status codes available in the Status payload correspond to a specific KioskModeAppRuntimeStatus. + + +|Status code | KioskModeAppRuntimeStatus | +|---------|---------| +| 1 | KioskModeAppRunning | +| 2 | KioskModeAppNotFound | +| 3 | KioskModeAppActivationFailure | + + +Additionally, the status payload includes a profileId, which can be used by the MDM server to correlate which kiosk app caused the error. + +Supported operation is Get. + +**./Device/Vendor/MSFT/AssignedAccess/ShellLauncher** +Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. + +> [!Note] +> You cannot set both ShellLauncher and Configuration at the same time on the device. +> +> Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature if it is available within the SKU. 
+ +**./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration** +Added in Windows 10, version 1803. This node accepts a StatusConfiguration xml as input to configure the Kiosk App Health monitoring. There are three possible values for StatusEnabled node inside StatusConfiguration xml: On, OnWithAlerts, and Off. Click [link](#statusconfiguration-xsd) to see the StatusConfiguration schema. + +By default the StatusConfiguration node does not exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node. + +Optionally, the MDM server can opt-in to the MDM alert so a MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node. + +This MDM alert header is defined as follows: + +- MDMAlertMark: Critical +- MDMAlertType: "com.microsoft.mdm.assignedaccess.status" +- MDMAlertDataType: String +- Source: "./Vendor/MSFT/AssignedAccess" +- Target: N/A + +> [!Note] +> MDM alert will only be sent for errors. + + ## KioskModeApp examples KioskModeApp Add @@ -160,32 +213,29 @@ KioskModeApp Replace elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" + xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config" targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config" > - - - - - - + + + + + - - - - - - - - - - - + + + + + + + + @@ -193,6 +243,10 @@ KioskModeApp Replace + + + + @@ -235,22 +289,64 @@ KioskModeApp Replace - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + ``` ## Example AssignedAccessConfiguration XML 
@@ -560,3 +656,480 @@ Example of the Delete command. ``` + +## StatusConfiguration XSD + +``` syntax + + + + + + + + + + + + + + + + + + + + +``` + +## StatusConfiguration example + +StatusConfiguration Add OnWithAlerts + +``` syntax + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + chr + + + + + OnWithAlerts + + ]]> + + + + + + +``` + + +StatusConfiguration Delete +``` syntax + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + + + + +``` + +StatusConfiguration Get + +``` syntax + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + + + + +``` + +StatusConfiguration Replace On + +```syntax + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + chr + + + + + On + + ]]> + + + + + + +``` + +## Status example + +Status Get +``` syntax + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/Status + + + + + + +``` + +## ShellLauncherConfiguration XSD + +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## ShellLauncherConfiguration examples + +ShellLauncherConfiguration Add +``` + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + chr + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + +``` + +ShellLauncherConfiguration Add AutoLogon +``` + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + chr + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + +``` + +ShellLauncherConfiguration Get +``` + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + + + + +``` + +## AssignedAccessAlert XSD + +```syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file 
diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index 564378ac63..4d6da38792 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md @@ -7,12 +7,15 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/01/2017 +ms.date: 02/22/2018 --- # AssignedAccess DDF +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML. You can download the DDF files from the links below: @@ -20,7 +23,7 @@ You can download the DDF files from the links below: - [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -The XML below is for Windows 10, version 1709. +The XML below is for Windows 10, version 1803. ``` syntax @@ -48,7 +51,7 @@ The XML below is for Windows 10, version 1709. - com.microsoft/1.1/MDM/AssignedAccess + com.microsoft/2.0/MDM/AssignedAccess 
@@ -111,6 +114,84 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu + + Status + + + + + This read only node contains kiosk health event xml + + + + + + + + + + + + + + text/plain + + + + + ShellLauncher + + + + + + + + This node accepts a ShellLauncherConfiguration xml as input. Please check out samples and required xsd on MSDN. + + + + + + + + + + + + + + text/plain + + + + + StatusConfiguration + + + + + + + + This node accepts a StatusConfiguration xml as input. Please check out samples and required xsd on MSDN. + + + + + + + + + + + + + + text/plain + + + ``` diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index c432bac103..556cb49468 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -798,7 +798,7 @@ The following diagram shows the BitLocker configuration service provider in tree

    Allows the Admin to disable the warning prompt for other disk encryption on the user machines.

    > [!Important] -> Starting in Windows 10, next major update, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-overview) for value 0. +> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-overview) for value 0. > [!Warning] > When you enable BitLocker on a device with third party encryption, it may render the device unusable and will require reinstallation of Windows. @@ -826,7 +826,7 @@ The following diagram shows the BitLocker configuration service provider in tree

    The following list shows the supported values:

    -- 0 – Disables the warning prompt. Starting in Windows 10, next major update, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. +- 0 – Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. - 1 (default) – Warning prompt allowed. ``` syntax diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index e81ff53e92..22bb311265 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -14,9 +14,6 @@ ms.date: 08/02/2017 The CM\_CellularEntries configuration service provider is used to configure the General Packet Radio Service (GPRS) entries on the device. It defines each GSM data access point. -> [!Note] -> Starting in the next major update to Windows 10, the CM\_CellularEntries CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions. - This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application. The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 5a601e0ca8..3764a9326f 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md 
@@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 02/02/2018 +ms.date: 03/12/2018 --- # Configuration service provider reference @@ -1127,6 +1127,34 @@ Footnotes: + +[eUICCs CSP](euiccs-csp.md) + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3check mark3
    + + + + [FileSystem CSP](filesystem-csp.md) @@ -1295,6 +1323,34 @@ Footnotes: + +[MultiSIM CSP](multisim-csp.md) + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark4check mark4check mark4check mark4check mark4check mark4check mark4
    + + + + [NAP CSP](nap-csp.md) @@ -2080,7 +2136,7 @@ Footnotes: -[Uefi CSP](uefi-csp.md) +[UEFI CSP](uefi-csp.md) @@ -2095,7 +2151,7 @@ Footnotes: - + @@ -2453,7 +2509,7 @@ Footnotes:  Footnotes: - 1 - Added in Windows 10, version 1607 - 2 - Added in Windows 10, version 1703 -- 3 - Added in the next major update to Windows 10 +- 3 - Added in Windows 10, version 1803 ## CSP DDF files download @@ -2540,6 +2596,7 @@ Footnotes: - [Reporting CSP](reporting-csp.md) - [RootCATrustedCertificates CSP](rootcacertificates-csp.md) - [SurfaceHub CSP](surfacehub-csp.md) +- [UEFI CSP](uefi-csp.md) - [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index bcab5ce598..b2c82ca8e5 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -314,7 +314,7 @@ Node that can be used to perform signature updates for Windows Defender. Supported operations are Get and Execute. **OfflineScan** -Added in Windows 10, next major update. OfflineScan action starts a Windows Defender offline scan on the computer where you run the command. This command causes the computer reboot and start in Windows Defender offline mode to begin the scan. +Added in Windows 10, version 1803. OfflineScan action starts a Windows Defender offline scan on the computer where you run the command. This command causes the computer reboot and start in Windows Defender offline mode to begin the scan. Supported operations are Get and Execute. diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md index 4057384f64..de3145a84f 100644 --- a/windows/client-management/mdm/developersetup-csp.md +++ b/windows/client-management/mdm/developersetup-csp.md 
@@ -1,6 +1,6 @@ --- title: DeveloperSetup CSP -description: The DeveloperSetup configuration service provider (CSP) is used to configure developer mode on the device. This CSP was added in the next major update of Windows 10. +description: The DeveloperSetup configuration service provider (CSP) is used to configure developer mode on the device. This CSP was added in the Windows 10, version 1703. ms.assetid: ms.author: maricia ms.topic: article diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index df99bcf53d..25e45dfb80 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/01/2017 +ms.date: 03/12/2018 --- # DeviceStatus CSP @@ -132,6 +132,15 @@ Added in Windows, version 1607. String that specifies the OS edition. Supported operation is Get. +**DeviceStatus/OS/Mode** +Added in Windows, version 1803. Read only node that specifies the device mode. + +Valid values: +- 0 - the device is in standard configuration +- 1 - the device is in S mode configuration + +Supported operation is Get. + **DeviceStatus/Antivirus** Added in Windows, version 1607. Node for the antivirus query. diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md index 08187de0a3..7e4a7a5933 100644 --- a/windows/client-management/mdm/devicestatus-ddf.md +++ b/windows/client-management/mdm/devicestatus-ddf.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 12/05/2017 +ms.date: 03/12/2018 --- # DeviceStatus DDF 
@@ -17,7 +17,7 @@ This topic shows the OMA DM device description framework (DDF) for the **DeviceS Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, version 1709. +The XML below is for Windows 10, version 1803. ``` syntax @@ -469,6 +469,27 @@ The XML below is for Windows 10, version 1709. + + Mode + + + + + Not available + + + + + + + + + + + text/plain + + + Antivirus diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index e69e71e093..4de7bc9cc1 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -261,7 +261,7 @@ Optional. Number of days after last sucessful sync to unenroll. Supported operations are Add, Delete, Get, and Replace. Value type is integer. **Provider/*ProviderID*/AADSendDeviceToken** -Device. Added in Windows 10 next major update. For AZure AD backed enrollments, this will cause the client to send a Device Token if the User Token can not be obtained. +Device. Added in Windows 10 version 1803. For AZure AD backed enrollments, this will cause the client to send a Device Token if the User Token can not be obtained. Supported operations are Add, Delete, Get, and Replace. Value type is bool. 
@@ -713,27 +713,27 @@ Required. Added in Windows 10, version 1709. Integer node determining if a devic Supported operations are Get and Replace. Value type is integer. **Provider/*ProviderID*/FirstSyncStatus/BlockInStatusPage** -Required. Device Only. Added in Windows 10, next major update. This node determines whether or not the MDM progress page is blocking in the Azure AD joined or DJ++ case, as well as which remediation options are available. +Required. Device Only. Added in Windows 10, version 1803. This node determines whether or not the MDM progress page is blocking in the Azure AD joined or DJ++ case, as well as which remediation options are available. Supported operations are Get and Replace. Value type is integer. **Provider/*ProviderID*/FirstSyncStatus/AllowCollectLogsButton** -Required. Added in Windows 10, next major update. This node decides whether or not the MDM progress page displays the Collect Logs button. +Required. Added in Windows 10, version 1803. This node decides whether or not the MDM progress page displays the Collect Logs button. Supported operations are Get and Replace. Value type is bool. **Provider/*ProviderID*/FirstSyncStatus/CustomErrorText** -Required. Added in Windows 10, next major update. This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. +Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. Supported operations are Add, Get, Delete, and Replace. Value type is string. **Provider/*ProviderID*/FirstSyncStatus/SkipDeviceStatusPage** -Required. Device only. Added in Windows 10, next major update. This node decides wheter or not the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE. +Required. Device only. Added in Windows 10, version 1803. 
This node decides wheter or not the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE. Supported operations are Get and Replace. Value type is bool. **Provider/*ProviderID*/FirstSyncStatus/SkipUserStatusPage** -Required. Device only. Added in Windows 10, next major update. This node decides wheter or not the MDM user progress page skips after Azure AD joined or DJ++ after user login. +Required. Device only. Added in Windows 10, version 1803. This node decides wheter or not the MDM user progress page skips after Azure AD joined or DJ++ after user login. Supported operations are Get and Replace. Value type is bool. diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index 51a46a8897..fda5ae3f82 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -20,7 +20,7 @@ This topic shows the OMA DM device description framework (DDF) for the **DMClien Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, next major update. +The XML below is for Windows 10, version 1803. ``` syntax diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index beaaf83a87..3cbe681524 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md 
@@ -297,4 +297,14 @@ The \ payload is empty. Here an example to set AppVirtualization/Publishin -``` \ No newline at end of file +``` + +## Video walkthrough + +Here is a video of how to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune. + +> [!VIDEO https://www.microsoft.com/showcase/video.aspx?uuid=bdc9b54b-11b0-4bdb-a022-c339d16e7121] + +Here is a video of how to import a custom ADMX file to a device using Intune. + +> [!VIDEO https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73] \ No newline at end of file diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 5062ee119e..2ad3ca1434 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -7,11 +7,15 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 09/22/2017 +ms.date: 03/01/2018 --- # EnterpriseModernAppManagement CSP + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md). > [!Note] 
@@ -359,6 +363,20 @@ The following image shows the EnterpriseModernAppManagement configuration servic ``` +**.../*PackageFamilyName*/MaintainProcessorArchitectureOnUpdate** +Added in Windows 10, version 1803. Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + +Supported operations are Add, Get, Delete, and Replace. Value type is integer. + +Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). + +|Applicability Setting |CSP state |Result | +|---------|---------|---------| +|True |Not configured |X86 flavor is picked | +|True |Enabled |X86 flavor is picked | +|True |Disabled |X86 flavor is picked | +|False (not set) |Not configured |X64 flavor is picked | + **AppInstallation**

    Required node. Used to perform app installation. diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index 335ebd258e..7c3c1c855b 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md 
@@ -7,899 +7,928 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 12/05/2017 +ms.date: 03/01/2018 --- # EnterpriseModernAppManagement DDF + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the **EnterpriseModernAppManagement** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is for Windows 10, version 1803. ``` syntax ]> + "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd" + []> - 1.2 - + 1.2 + EnterpriseModernAppManagement ./Vendor/MSFT - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + - AppManagement + AppManagement + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + EnterpriseID + + + + + + + + + + + + + + + + + + + + PackageFamilyName + + + + + - - - - - - - - - - - - - - - EnterpriseID - - - + + + + + + + + + + + + + + + PackageFullName + + + - - - - - - - - - - - - - - - - - PackageFamilyName - - - - - - - - - - - - - - - - - - - - - - PackageFullName - - - - - - Name - - - - - - - - - - - - - - - text/plain - - - - - Version - - - - - - - - - - - - - - - text/plain - - - - - Publisher - - - - - - - - - - - - - - - text/plain - - - - - Architecture - - - - - - - - - - - - - - - text/plain - - - - - InstallLocation - - - - - - - - - - - - - - - text/plain - - - - - IsFramework - - - - - - - - - - - - - - - text/plain - - - - - IsBundle - - - - - - - - - - - - - - - text/plain - - - - - InstallDate - - - - - - - - - - - - - - - text/plain - - - - - ResourceID - - - - - - - - - - - - 
- - - text/plain - - - - - PackageStatus - - - - - - - - - - - - - - - text/plain - - - - - RequiresReinstall - - - - - - - - - - - - - - - text/plain - - - - - Users - - - - - - - - - - - - - - - text/plain - - - - - IsProvisioned - - - - - - - - - - - - - - - text/plain - - - - - - DoNotUpdate - - - - - - - - - - - - - - - - - DoNotUpdate - - text/plain - - - - - AppSettingPolicy - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SettingValue - - text/plain - - - - + Name + + + + + + + + + + + + + + + text/plain + + - - - UpdateScan - + + Version + - + - + - + - + - text/plain + text/plain - - - - LastScanError - + + + + Publisher + - + - + - + - + - text/plain + text/plain - - - - AppInventoryResults - + + + + Architecture + - + - + - + - + - text/plain + text/plain - - - - AppInventoryQuery - + + + + InstallLocation + - - + - + - + - + - text/plain + text/plain - - - - RemovePackage - + + + + IsFramework + - + - + - + - + - text/plain + text/plain + + + + IsBundle + + + + + + + + + + + + + + + text/plain + + + + + InstallDate + + + + + + + + + + + + + + + text/plain + + + + + ResourceID + + + + + + + + + + + + + + + text/plain + + + + + PackageStatus + + + + + + + + + + + + + + + text/plain + + + + + RequiresReinstall + + + + + + + + + + + + + + + text/plain + + + + + Users + + + + + + + + + + + + + + + text/plain + + + + + IsProvisioned + + + + + + + + + + + + + + + text/plain + + + + + + DoNotUpdate + + + + + + + + + + + + + + + + + DoNotUpdate + + text/plain + + + + AppSettingPolicy + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SettingValue + + text/plain + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + + + + + + + + + + + + + MaintainProcessorArchitectureOnUpdate + + text/plain + + + + + + UpdateScan + + + + + + + + + + + + + + + text/plain + + + + + LastScanError + + + + + + + + + + + + + + + text/plain + + + + + AppInventoryResults + + + + + + + + + + + + + + + text/plain + + + + + 
AppInventoryQuery + + + + + + + + + + + + + + + + text/plain + + + + + RemovePackage + + + + + + + + + + + + + + + + text/plain + + + - AppInstallation + AppInstallation + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + PackageFamilyName + + + - - - - - - - - - - - - - - - - - - PackageFamilyName - - - - - - StoreInstall - - - - - - - - - - - - - - - - - - text/plain - - - - - HostedInstall - - - - - - - - - - - - - - - - - - text/plain - - - - - LastError - - - - - - - - - - - - - - - text/plain - - - - - LastErrorDesc - - - - - - - - - - - - - - - text/plain - - - - - Status - - - - - - - - - - - - - - - text/plain - - - - - ProgressStatus - - - - - - - - - - - - - - - text/plain - - - + StoreInstall + + + + + + + + + + + + + + + + + + text/plain + + + + HostedInstall + + + + + + + + + + + + + + + + + + text/plain + + + + + LastError + + + + + + + + + + + + + + + text/plain + + + + + LastErrorDesc + + + + + + + + + + + + + + + text/plain + + + + + Status + + + + + + + + + + + + + + + text/plain + + + + + ProgressStatus + + + + + + + + + + + + + + + text/plain + + + + - AppLicenses + AppLicenses + + + + + + + + + + + + + + + + + + + StoreLicenses - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + - StoreLicenses + + + + + + + + + + + + + + + + + LicenseID + + + + + + LicenseCategory - - - - - - - - - - - - - - - + + + + + + + + + + + + + + text/plain + - - - - - - - - - - - - - - - - - - LicenseID - - - - - - LicenseCategory - - - - - - - - - - - - - - - text/plain - - - - - LicenseUsage - - - - - - - - - - - - - - - text/plain - - - - - RequesterID - - - - - - - - - - - - - - - text/plain - - - - - AddLicense - - - - - - - - - - - - - - - text/plain - - - - - GetLicenseFromStore - - - - - - - - - - - - - - - text/plain - - - - + + + LicenseUsage + + + + + + + + + + + + + + + text/plain + + + + + RequesterID + + + + + + + + + + + + + + + text/plain + + + + + AddLicense + + + + + + + + + + + + + + + 
text/plain + + + + + GetLicenseFromStore + + + + + + + + + + + + + + + text/plain + + + + - + ``` diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index ed10ebe33c..eb5f1186ce 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/15/2017 +ms.date: 03/02/2018 --- # eUICCs CSP @@ -61,6 +61,11 @@ Required. Current state of the profile (Installing = 1, Installed = 2, Deleting Supported operation is Get. Value type is integer. Default value is 1. +**_eUICC_/Profiles/_ICCID_/IsEnabled** +Added in Windows 10, version 1803. Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created to enable the profile once it’s successfully downloaded and installed on the device. Can also be queried and updated by the CSP. + +Supported operations are Add, Get, and Replace. Value type is bool. + **_eUICC_/Policies** Interior node. Required. Device policies associated with the eUICC as a whole (not per-profile). diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md index caa165bd48..06be1ba347 100644 --- a/windows/client-management/mdm/euiccs-ddf-file.md +++ b/windows/client-management/mdm/euiccs-ddf-file.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 12/05/2017 +ms.date: 03/02/2018 --- # eUICCs DDF file @@ -17,6 +17,8 @@ This topic shows the OMA DM device description framework (DDF) for the **eUICCs* Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). +The XML below if for Windows 10, version 1803. + ``` syntax 1.2 eUICCs - ./Vendor/MSFT + ./Device/Vendor/MSFT 
@@ -45,7 +47,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - com.microsoft/1.0/MDM/eUICCs + com.microsoft/1.1/MDM/eUICCs @@ -229,6 +231,29 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic + + IsEnabled + + + + + + + Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created. Can also be queried and updated by the CSP. + + + + + + + + + + + text/plain + + + diff --git a/windows/client-management/mdm/images/Provisioning_CSP_DMClient_TH2.png b/windows/client-management/mdm/images/Provisioning_CSP_DMClient_TH2.png new file mode 100644 index 0000000000..28ae086ef7 Binary files /dev/null and b/windows/client-management/mdm/images/Provisioning_CSP_DMClient_TH2.png differ diff --git a/windows/client-management/mdm/images/Provisioning_CSP_Defender.png b/windows/client-management/mdm/images/Provisioning_CSP_Defender.png new file mode 100644 index 0000000000..6ee31a8f16 Binary files /dev/null and b/windows/client-management/mdm/images/Provisioning_CSP_Defender.png differ diff --git a/windows/client-management/mdm/images/Provisioning_CSP_RemoteWipe_DMandCP.png b/windows/client-management/mdm/images/Provisioning_CSP_RemoteWipe_DMandCP.png new file mode 100644 index 0000000000..f7d21f0a94 Binary files /dev/null and b/windows/client-management/mdm/images/Provisioning_CSP_RemoteWipe_DMandCP.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png index c8db9ee059..663f449910 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png and b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png differ 
diff --git a/windows/client-management/mdm/images/provisioning-csp-defender.png b/windows/client-management/mdm/images/provisioning-csp-defender.png index 8d34e77eb9..4d90f1b6f2 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-defender.png and b/windows/client-management/mdm/images/provisioning-csp-defender.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-devicestatus.png b/windows/client-management/mdm/images/provisioning-csp-devicestatus.png index 76c746d95f..520d58a825 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-devicestatus.png and b/windows/client-management/mdm/images/provisioning-csp-devicestatus.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png b/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png index 486779f038..28ae086ef7 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png and b/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png index b834990924..a28f41fe6a 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png and b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-euiccs.png b/windows/client-management/mdm/images/provisioning-csp-euiccs.png index a4c67a8b7e..387fdae3fb 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-euiccs.png and b/windows/client-management/mdm/images/provisioning-csp-euiccs.png differ 
diff --git a/windows/client-management/mdm/images/provisioning-csp-multisim.png b/windows/client-management/mdm/images/provisioning-csp-multisim.png new file mode 100644 index 0000000000..86473079f4 Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-multisim.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png index c6e1215e4d..8a01ad0dff 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png and b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-update.png b/windows/client-management/mdm/images/provisioning-csp-update.png index d98b7fcea1..e88466a113 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-update.png and b/windows/client-management/mdm/images/provisioning-csp-update.png differ diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md new file mode 100644 index 0000000000..9467b896ff --- /dev/null +++ b/windows/client-management/mdm/multisim-csp.md 
@@ -0,0 +1,58 @@ +--- +title: MultiSIM CSP +description: MultiSIM CSP allows the enterprise to manage devices with dual SIM single active configuration. +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 02/27/2018 +--- + +# MultiSIM CSP + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The MultiSIM configuration service provider (CSP) is used by the enterprise to manage devices with dual SIM single active configuration. An enterprise can set policies on whether that user can switch between SIM slots, specify which slot is the default, and whether the slot is embedded. This CSP was added in Windows 10, version 1803. + + +The following diagram shows the MultiSIM configuration service provider in tree format. + +![MultiSIM CSP diagram](images/provisioning-csp-multisim.png) + +**./Device/Vendor/MSFT/MultiSIM** +Root node. + +**_ModemID_** +Node representing a Mobile Broadband Modem. The node name is the modem ID. Modem ID is a GUID without curly braces, with exception of "Embedded" which represents the embedded modem. + +**_ModemID_/Identifier** +Modem ID. + +**_ModemID_/IsEmbedded** +Indicates whether this modem is embedded or external. + +**_ModemID_/Slots** +Represents all SIM slots in the Modem. + +**_ModemID_/Slots/_SlotID_** +Node representing a SIM Slot. The node name is the Slot ID. SIM Slot ID format is "0", "1", etc., with exception of "Embedded" which represents the embedded Slot. + +**_ModemID_/Slots/_SlotID_/Identifier** +Slot ID. + +**_ModemID_/Slots/_SlotID_/IsEmbedded** +Indicates whether this Slot is embedded or a physical SIM slot. + +**_ModemID_/Slots/_SlotID_/IsSelected** +Indicates whether this Slot is selected or not. 
+ +**_ModemID_/Slots/_SlotID_/State** +Slot state (Unknown = 0, OffEmpty = 1, Off = 2, Empty = 3, NotReady = 4, Active = 5, Error = 6, ActiveEsim = 7, ActiveEsimNoProfile = 8) + +**_ModemID_/Policies** +Policies associated with the Modem. + +**_ModemID_/Policies/SlotSelectionEnabled** +Determines whether the user is allowed to change slots in the Cellular settings UI. Default is true. \ No newline at end of file diff --git a/windows/client-management/mdm/multisim-ddf.md b/windows/client-management/mdm/multisim-ddf.md new file mode 100644 index 0000000000..ccdbecbaee --- /dev/null +++ b/windows/client-management/mdm/multisim-ddf.md 
@@ -0,0 +1,291 @@ +--- +title: MultiSIM DDF file +description: XML file containing the device description framework +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 02/27/2018 +--- + +# MultiSIM CSP + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic shows the OMA DM device description framework (DDF) for the **MultiSIM** configuration service provider. + +The XML below is for Windows 10, version 1803. + +``` syntax + +]> + + 1.2 + + MultiSIM + ./Device/Vendor/MSFT + + + + + Subtree for multi-SIM management. + + + + + + + + + + + com.microsoft/1.0/MDM/MultiSIM + + + + + + + + + + Node representing a Mobile Broadband Modem. The node name is the Modem ID. Modem ID is a GUID without curly braces, with exception of "Embedded" which represents the embedded Modem. + + + + + + + + + + ModemID + + + + + + Identifier + + + + + Modem ID. + + + + + + + + + + + + + + text/plain + + + + + IsEmbedded + + + + + Indicates whether this Modem is embedded or external. + + + + + + + + + + + text/plain + + + + + Slots + + + + + Represents all SIM slots in the Modem. + + + + + + + + + + + + + + + + + + + + Node representing a SIM Slot. The node name is the Slot ID. SIM Slot ID format is "0", "1", etc., with exception of "Embedded" which represents the embedded Slot. + + + + + + + + + + SlotID + + + + + + Identifier + + + + + Slot ID. + + + + + + + + + + + text/plain + + + + + IsEmbedded + + + + + Indicates whether this Slot is embedded or a physical SIM slot. + + + + + + + + + + + text/plain + + + + + IsSelected + + + + + + Indicates whether this Slot is selected or not. 
+ + + + + + + + + + + text/plain + + + + + State + + + + + Slot state (Unknown = 0, OffEmpty = 1, Off = 2, Empty = 3, NotReady = 4, Active = 5, Error = 6, ActiveEsim = 7, ActiveEsimNoProfile = 8) + + + + + + + + + + + text/plain + + + + + + + Policies + + + + + Policies associated with the Modem. + + + + + + + + + + + + + + + SlotSelectionEnabled + + + + + + true + Determines whether the user is allowed to change slots in the Cellular settings UI. Default is true. + + + + + + + + + + + text/plain + + + + + + + +``` \ No newline at end of file diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 8fdf97effb..375d058557 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 02/05/2018 +ms.date: 03/03/2018 --- # What's new in MDM enrollment and management @@ -1389,6 +1389,45 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### March 2018 + +

    cross markcheck mark4cross mark check mark4 check mark4 check mark4
    ++++ + + + + + + + + + + + + + + + + + +
    New or updated topicDescription
    [eUICCs CSP](euiccs-csp.md)

    Added the following node in Windows 10, version 1803:

    +
      +
    • IsEnabled
    • +
    +
    [DeviceStatus CSP](devicestatus-csp.md)

    Added the following node in Windows 10, version 1803:

    +
      +
    • OS/Mode
    • +
    +
    [Understanding ADMX-backed policies](understanding-admx-backed-policies.md)

    Added the following videos:

    +
      +
    • [How to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune](https://www.microsoft.com/showcase/video.aspx?uuid=bdc9b54b-11b0-4bdb-a022-c339d16e7121)
    • +
    • [How to import a custom ADMX file to a device using Intune](https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73)
    • +
    +
    + ### February 2018 @@ -1403,10 +1442,50 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware + + + + + + + + + + + +
    [Policy CSP](policy-configuration-service-provider.md)

    Added the following new policies for Windows 10, version 1803:

    +
      +
    • Display/DisablePerProcessDpiForApps
    • +
    • Display/EnablePerProcessDpi
    • +
    • Display/EnablePerProcessDpiForApps
    • +
    • Experience/AllowWindowsSpotlightOnSettings
    • +
    • TextInput/AllowHardwareKeyboardTextSuggestions
    • +
    • TextInput/ForceTouchKeyboardDockedState
    • +
    • TextInput/TouchKeyboardDictationButtonAvailability
    • +
    • TextInput/TouchKeyboardEmojiButtonAvailability
    • +
    • TextInput/TouchKeyboardFullModeAvailability
    • +
    • TextInput/TouchKeyboardHandwritingModeAvailability
    • +
    • TextInput/TouchKeyboardNarrowModeAvailability
    • +
    • TextInput/TouchKeyboardSplitModeAvailability
    • +
    • TextInput/TouchKeyboardWideModeAvailability
    • +
        +
    [VPNv2 ProfileXML XSD](vpnv2-profile-xsd.md)

    Updated the XSD and Plug-in profile example for VPNv2 CSP.

    [AssignedAccess CSP](assignedaccess-csp.md)

    Added the following nodes in Windows 10, version 1803:

    +
      +
    • Status
    • +
    • ShellLauncher
    • +
    • StatusConfiguration
    • +
    +

    Updated the AssigneAccessConfiguration schema.

    +
    [MultiSIM CSP](multisim-csp.md)

    Added a new CSP in Windows 10, version 1803.

    +
    [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)

    Added the following node in Windows 10, version 1803:

    +
      +
    • MaintainProcessorArchitectureOnUpdate
    • +
    +
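Review bot: In the AssignedAccess CSP row added by this hunk, "Updated the AssigneAccessConfiguration schema." misspells the schema name. It should read AssignedAccessConfiguration, so that a search for the schema name finds this change-history entry.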
    @@ -1426,7 +1505,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware [Policy CSP](policy-configuration-service-provider.md) -

    Added the following new policies for Windows 10, next major update:

    +

    Added the following new policies for Windows 10, version 1803:

    • AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration
    • AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold
    • @@ -1539,11 +1618,15 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware [BitLocker CSP](bitlocker-csp.md) -

      Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, next major update.

      +

      Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.

      + + +[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) +

      Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.

      [DMClient CSP](dmclient-csp.md) -

      Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, next major update:

      +

      Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:

      • AADSendDeviceToken
      • BlockInStatusPage
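Review bot: The EnterpriseModernAppManagement CSP row added in this hunk still says "Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update." while the BitLocker and DMClient rows in the same hunk are changed from "next major update" to "version 1803". Use "version 1803" here as well, or drop the row, since the February 2018 table in this patch already lists MaintainProcessorArchitectureOnUpdate as added in version 1803.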
      • @@ -1555,7 +1638,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware [RemoteWipe CSP](remotewipe-csp.md) -

        Added the following nodes in Windows 10, next major update:

        +

        Added the following nodes in Windows 10, version 1803:

        • AutomaticRedeployment
        • doAutomaticRedeployment
        • @@ -1565,11 +1648,21 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware [Defender CSP](defender-csp.md) -

          Added new node (OfflineScan) in Windows 10, next major update.

          +

          Added new node (OfflineScan) in Windows 10, version 1803.

          [UEFI CSP](uefi-csp.md) -

          Added a new CSP in Windows 10, next major update.

          +

          Added a new CSP in Windows 10, version 1803.

          + + +[Update CSP](update-csp.md) +

          Added the following nodes in Windows 10, version 1803:

          +
            +
          • Rollback
          • +
          • Rollback/FeatureUpdate
          • +
          • Rollback/QualityUpdateStatus
          • +
          • Rollback/FeatureUpdateStatus
          • +
          diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 07dec60956..c94b2fe9d3 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/12/2018 +ms.date: 03/05/2018 --- # Policy CSP @@ -95,7 +95,7 @@ The following diagram shows the Policy configuration service provider in tree fo

          Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall** -

          Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed polices for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md). +

          Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md). > [!NOTE] > The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](https://technet.microsoft.com/en-us/library/cc179097.aspx). @@ -130,7 +130,7 @@ The following diagram shows the Policy configuration service provider in tree fo

          Supported operations are Add and Get. Does not support Delete. > [!Note] -> The policies supported in Windows 10 S are the same as those supported in Windows 10 Pro with the exception of the policies under ApplicationDefaults. The ApplicationDefaults polices are not supported in Windows 10 S. +> The policies supported in Windows 10 S are the same as those supported in Windows 10 Pro with the exception of the policies under ApplicationDefaults. The ApplicationDefaults policies are not supported in Windows 10 S. ## Policies @@ -498,6 +498,9 @@ The following diagram shows the Policy configuration service provider in tree fo

          Browser/PreventSmartScreenPromptOverrideForFiles
          +
          + Browser/PreventTabPreloading +
          Browser/PreventUsingLocalHostIPAddressForWebRTC
          @@ -536,13 +539,13 @@ The following diagram shows the Policy configuration service provider in tree fo Cellular/LetAppsAccessCellularData
          - Cellular/LetAppsAccessCellularData_ForceAllowTheseApps + Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
          - Cellular/LetAppsAccessCellularData_ForceDenyTheseApps + Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
          - Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps + Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
          Cellular/ShowAppCellularAccessUI @@ -832,13 +835,13 @@ The following diagram shows the Policy configuration service provider in tree fo DeliveryOptimization/DOMonthlyUploadDataCap
          - DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth + DeliveryOptimization/DOPercentageMaxBackgroundBandwidth
          DeliveryOptimization/DOPercentageMaxDownloadBandwidth
          - DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth + DeliveryOptimization/DOPercentageMaxForegroundBandwidth
          DeliveryOptimization/DORestrictPeerSelectionBy @@ -943,6 +946,15 @@ The following diagram shows the Policy configuration service provider in tree fo ### Display policies
          +
          + Display/DisablePerProcessDpiForApps +
          +
          + Display/EnablePerProcessDpi +
          +
          + Display/EnablePerProcessDpiForApps +
          Display/TurnOffGdiDPIScalingForApps
          @@ -1073,6 +1085,9 @@ The following diagram shows the Policy configuration service provider in tree fo
          Experience/AllowWindowsSpotlightOnActionCenter
          +
          + Experience/AllowWindowsSpotlightOnSettings +
          Experience/AllowWindowsSpotlightWindowsWelcomeExperience
          @@ -2799,6 +2814,7 @@ The following diagram shows the Policy configuration service provider in tree fo
          SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
          +
          ### TaskScheduler policies @@ -2811,6 +2827,9 @@ The following diagram shows the Policy configuration service provider in tree fo ### TextInput policies
          +
          + TextInput/AllowHardwareKeyboardTextSuggestions +
          TextInput/AllowIMELogging
          @@ -2850,6 +2869,30 @@ The following diagram shows the Policy configuration service provider in tree fo
          TextInput/ExcludeJapaneseIMEExceptShiftJIS
          +
          + TextInput/ForceTouchKeyboardDockedState +
          +
          + TextInput/TouchKeyboardDictationButtonAvailability +
          +
          + TextInput/TouchKeyboardEmojiButtonAvailability +
          +
          + TextInput/TouchKeyboardFullModeAvailability +
          +
          + TextInput/TouchKeyboardHandwritingModeAvailability +
          +
          + TextInput/TouchKeyboardNarrowModeAvailability +
          +
          + TextInput/TouchKeyboardSplitModeAvailability +
          +
          + TextInput/TouchKeyboardWideModeAvailability +
          ### TimeLanguageSettings policies @@ -3229,6 +3272,7 @@ The following diagram shows the Policy configuration service provider in tree fo ## ADMX-backed policies - [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites) +- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional) - [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient) - [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization) - [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup) 
@@ -3271,13 +3315,17 @@ The following diagram shows the Policy configuration service provider in tree fo - [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge) - [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon) - [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword) +- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials) - [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal) - [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators) - [DataUsage/SetCost3G](./policy-csp-datausage.md#datausage-setcost3g) - [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g) +- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) +- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) - [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders) - [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids) - [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses) +- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera) - 
[DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow) - [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings) - [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting) @@ -3288,6 +3336,8 @@ The following diagram shows the Policy configuration service provider in tree fo - [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog) - [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog) - [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog) +- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer) +- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption) - [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider) - [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering) - [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist) 
@@ -3361,6 +3411,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie) - [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript) - [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence) +- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer) - [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols) - [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols) - [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols) 
@@ -3416,6 +3467,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols) - [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions) - [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes) +- [InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions) - [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources) - [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols) - [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads) 
@@ -3493,6 +3545,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie) - [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript) - [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence) +- [InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer) - [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols) - [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols) - [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols) 
@@ -3535,6 +3588,17 @@ The following diagram shows the Policy configuration service provider in tree fo - [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring) - [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation) - [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize) +- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes) +- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers) +- [MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel) +- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel) +- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon) +- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver) +- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server) +- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection) +- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications) +- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication) +- 
[Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery) - [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin) - [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) - [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) 
@@ -3584,8 +3648,802 @@ The following diagram shows the Policy configuration service provider in tree fo - [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices) - [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) - [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) +- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) - [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) - [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) +- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) +- [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart) +- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging) + + +## Policies supported by GP + +- [AboveLock/AllowCortanaAboveLock](./policy-csp-abovelock.md#abovelock-allowcortanaabovelock) +- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites) +- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional) +- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient) +- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization) +- 
[AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup) +- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts) +- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux) +- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver) +- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions) +- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions) +- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload) +- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode) +- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal) +- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser) +- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1) +- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2) +- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3) +- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4) +- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5) +- 
[AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl) +- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch) +- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider) +- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot) +- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot) +- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval) +- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries) +- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode) +- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache) +- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist) +- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist) +- [ApplicationDefaults/DefaultAssociationsConfiguration](./policy-csp-applicationdefaults.md#applicationdefaults-defaultassociationsconfiguration) +- [ApplicationManagement/AllowAllTrustedApps](./policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps) +- 
[ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate) +- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock) +- [ApplicationManagement/AllowGameDVR](./policy-csp-applicationmanagement.md#applicationmanagement-allowgamedvr) +- [ApplicationManagement/AllowSharedUserAppData](./policy-csp-applicationmanagement.md#applicationmanagement-allowshareduserappdata) +- [ApplicationManagement/DisableStoreOriginatedApps](./policy-csp-applicationmanagement.md#applicationmanagement-disablestoreoriginatedapps) +- [ApplicationManagement/RequirePrivateStoreOnly](./policy-csp-applicationmanagement.md#applicationmanagement-requireprivatestoreonly) +- [ApplicationManagement/RestrictAppDataToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictappdatatosystemvolume) +- [ApplicationManagement/RestrictAppToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictapptosystemvolume) +- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation) +- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism) +- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms) +- [Authentication/AllowSecondaryAuthenticationDevice](./policy-csp-authentication.md#authentication-allowsecondaryauthenticationdevice) +- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices) +- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior) +- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay) +- [Browser/AllowAddressBarDropdown](./policy-csp-browser.md#browser-allowaddressbardropdown) +- 
[Browser/AllowAutofill](./policy-csp-browser.md#browser-allowautofill) +- [Browser/AllowCookies](./policy-csp-browser.md#browser-allowcookies) +- [Browser/AllowDeveloperTools](./policy-csp-browser.md#browser-allowdevelopertools) +- [Browser/AllowDoNotTrack](./policy-csp-browser.md#browser-allowdonottrack) +- [Browser/AllowExtensions](./policy-csp-browser.md#browser-allowextensions) +- [Browser/AllowFlash](./policy-csp-browser.md#browser-allowflash) +- [Browser/AllowFlashClickToRun](./policy-csp-browser.md#browser-allowflashclicktorun) +- [Browser/AllowInPrivate](./policy-csp-browser.md#browser-allowinprivate) +- [Browser/AllowMicrosoftCompatibilityList](./policy-csp-browser.md#browser-allowmicrosoftcompatibilitylist) +- [Browser/AllowPasswordManager](./policy-csp-browser.md#browser-allowpasswordmanager) +- [Browser/AllowPopups](./policy-csp-browser.md#browser-allowpopups) +- [Browser/AllowSearchEngineCustomization](./policy-csp-browser.md#browser-allowsearchenginecustomization) +- [Browser/AllowSearchSuggestionsinAddressBar](./policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](./policy-csp-browser.md#browser-allowsmartscreen) +- [Browser/AlwaysEnableBooksLibrary](./policy-csp-browser.md#browser-alwaysenablebookslibrary) +- [Browser/ClearBrowsingDataOnExit](./policy-csp-browser.md#browser-clearbrowsingdataonexit) +- [Browser/ConfigureAdditionalSearchEngines](./policy-csp-browser.md#browser-configureadditionalsearchengines) +- [Browser/DisableLockdownOfStartPages](./policy-csp-browser.md#browser-disablelockdownofstartpages) +- [Browser/EnableExtendedBooksTelemetry](./policy-csp-browser.md#browser-enableextendedbookstelemetry) +- [Browser/EnterpriseModeSiteList](./policy-csp-browser.md#browser-enterprisemodesitelist) +- [Browser/HomePages](./policy-csp-browser.md#browser-homepages) +- [Browser/LockdownFavorites](./policy-csp-browser.md#browser-lockdownfavorites) +- 
[Browser/PreventAccessToAboutFlagsInMicrosoftEdge](./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge) +- [Browser/PreventFirstRunPage](./policy-csp-browser.md#browser-preventfirstrunpage) +- [Browser/PreventLiveTileDataCollection](./policy-csp-browser.md#browser-preventlivetiledatacollection) +- [Browser/PreventSmartScreenPromptOverride](./policy-csp-browser.md#browser-preventsmartscreenpromptoverride) +- [Browser/PreventSmartScreenPromptOverrideForFiles](./policy-csp-browser.md#browser-preventsmartscreenpromptoverrideforfiles) +- [Browser/PreventUsingLocalHostIPAddressForWebRTC](./policy-csp-browser.md#browser-preventusinglocalhostipaddressforwebrtc) +- [Browser/ProvisionFavorites](./policy-csp-browser.md#browser-provisionfavorites) +- [Browser/SendIntranetTraffictoInternetExplorer](./policy-csp-browser.md#browser-sendintranettraffictointernetexplorer) +- [Browser/SetDefaultSearchEngine](./policy-csp-browser.md#browser-setdefaultsearchengine) +- [Browser/ShowMessageWhenOpeningSitesInInternetExplorer](./policy-csp-browser.md#browser-showmessagewhenopeningsitesininternetexplorer) +- [Browser/SyncFavoritesBetweenIEAndMicrosoftEdge](./policy-csp-browser.md#browser-syncfavoritesbetweenieandmicrosoftedge) +- [Browser/UseSharedFolderForBooks](./policy-csp-browser.md#browser-usesharedfolderforbooks) +- [Camera/AllowCamera](./policy-csp-camera.md#camera-allowcamera) +- [Cellular/LetAppsAccessCellularData](./policy-csp-cellular.md#cellular-letappsaccesscellulardata) +- [Cellular/LetAppsAccessCellularData_ForceAllowTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forceallowtheseapps) +- [Cellular/LetAppsAccessCellularData_ForceDenyTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forcedenytheseapps) +- [Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-userincontroloftheseapps) +- 
[Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui) +- [Connectivity/AllowCellularDataRoaming](./policy-csp-connectivity.md#connectivity-allowcellulardataroaming) +- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp) +- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp) +- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards) +- [Connectivity/DisallowNetworkConnectivityActiveTests](./policy-csp-connectivity.md#connectivity-disallownetworkconnectivityactivetests) +- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths) +- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge) +- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon) +- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword) +- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials) +- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal) +- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators) +- [Cryptography/AllowFipsAlgorithmPolicy](./policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy) +- [DataUsage/SetCost3G](./policy-csp-datausage.md#datausage-setcost3g) +- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g) +- 
[Defender/AllowArchiveScanning](./policy-csp-defender.md#defender-allowarchivescanning) +- [Defender/AllowBehaviorMonitoring](./policy-csp-defender.md#defender-allowbehaviormonitoring) +- [Defender/AllowCloudProtection](./policy-csp-defender.md#defender-allowcloudprotection) +- [Defender/AllowEmailScanning](./policy-csp-defender.md#defender-allowemailscanning) +- [Defender/AllowFullScanOnMappedNetworkDrives](./policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives) +- [Defender/AllowFullScanRemovableDriveScanning](./policy-csp-defender.md#defender-allowfullscanremovabledrivescanning) +- [Defender/AllowIOAVProtection](./policy-csp-defender.md#defender-allowioavprotection) +- [Defender/AllowOnAccessProtection](./policy-csp-defender.md#defender-allowonaccessprotection) +- [Defender/AllowRealtimeMonitoring](./policy-csp-defender.md#defender-allowrealtimemonitoring) +- [Defender/AllowScanningNetworkFiles](./policy-csp-defender.md#defender-allowscanningnetworkfiles) +- [Defender/AllowUserUIAccess](./policy-csp-defender.md#defender-allowuseruiaccess) +- [Defender/AttackSurfaceReductionOnlyExclusions](./policy-csp-defender.md#defender-attacksurfacereductiononlyexclusions) +- [Defender/AttackSurfaceReductionRules](./policy-csp-defender.md#defender-attacksurfacereductionrules) +- [Defender/AvgCPULoadFactor](./policy-csp-defender.md#defender-avgcpuloadfactor) +- [Defender/CloudBlockLevel](./policy-csp-defender.md#defender-cloudblocklevel) +- [Defender/CloudExtendedTimeout](./policy-csp-defender.md#defender-cloudextendedtimeout) +- [Defender/ControlledFolderAccessAllowedApplications](./policy-csp-defender.md#defender-controlledfolderaccessallowedapplications) +- [Defender/ControlledFolderAccessProtectedFolders](./policy-csp-defender.md#defender-controlledfolderaccessprotectedfolders) +- [Defender/DaysToRetainCleanedMalware](./policy-csp-defender.md#defender-daystoretaincleanedmalware) +- 
[Defender/EnableControlledFolderAccess](./policy-csp-defender.md#defender-enablecontrolledfolderaccess) +- [Defender/EnableNetworkProtection](./policy-csp-defender.md#defender-enablenetworkprotection) +- [Defender/ExcludedExtensions](./policy-csp-defender.md#defender-excludedextensions) +- [Defender/ExcludedPaths](./policy-csp-defender.md#defender-excludedpaths) +- [Defender/ExcludedProcesses](./policy-csp-defender.md#defender-excludedprocesses) +- [Defender/RealTimeScanDirection](./policy-csp-defender.md#defender-realtimescandirection) +- [Defender/ScanParameter](./policy-csp-defender.md#defender-scanparameter) +- [Defender/ScheduleQuickScanTime](./policy-csp-defender.md#defender-schedulequickscantime) +- [Defender/ScheduleScanDay](./policy-csp-defender.md#defender-schedulescanday) +- [Defender/ScheduleScanTime](./policy-csp-defender.md#defender-schedulescantime) +- [Defender/SignatureUpdateInterval](./policy-csp-defender.md#defender-signatureupdateinterval) +- [Defender/SubmitSamplesConsent](./policy-csp-defender.md#defender-submitsamplesconsent) +- [Defender/ThreatSeverityDefaultAction](./policy-csp-defender.md#defender-threatseveritydefaultaction) +- [DeliveryOptimization/DOAbsoluteMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize) +- [DeliveryOptimization/DOAllowVPNPeerCaching](./policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching) +- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp) +- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp) +- [DeliveryOptimization/DODownloadMode](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode) +- [DeliveryOptimization/DOGroupId](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid) +- 
[DeliveryOptimization/DOGroupIdSource](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource) +- [DeliveryOptimization/DOMaxCacheAge](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage) +- [DeliveryOptimization/DOMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize) +- [DeliveryOptimization/DOMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) +- [DeliveryOptimization/DOMaxUploadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) +- [DeliveryOptimization/DOMinBackgroundQos](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos) +- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload) +- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer) +- [DeliveryOptimization/DOMinFileSizeToCache](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache) +- [DeliveryOptimization/DOMinRAMAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer) +- [DeliveryOptimization/DOModifyCacheDrive](./policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive) +- [DeliveryOptimization/DOMonthlyUploadDataCap](./policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap) +- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth) +- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth) +- [DeliveryOptimization/DORestrictPeerSelectionBy](./policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby) +- 
[DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) +- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) +- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders) +- [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity) +- [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags) +- [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures) +- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids) +- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses) +- [DeviceLock/MinimumPasswordAge](./policy-csp-devicelock.md#devicelock-minimumpasswordage) +- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera) +- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow) +- [Display/DisablePerProcessDpiForApps](./policy-csp-display.md#display-disableperprocessdpiforapps) +- [Display/EnablePerProcessDpi](./policy-csp-display.md#display-enableperprocessdpi) +- [Display/EnablePerProcessDpiForApps](./policy-csp-display.md#display-enableperprocessdpiforapps) +- [Display/TurnOffGdiDPIScalingForApps](./policy-csp-display.md#display-turnoffgdidpiscalingforapps) +- [Display/TurnOnGdiDPIScalingForApps](./policy-csp-display.md#display-turnongdidpiscalingforapps) +- 
[Education/PreventAddingNewPrinters](./policy-csp-education.md#education-preventaddingnewprinters) +- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings) +- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting) +- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification) +- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata) +- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay) +- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior) +- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog) +- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog) +- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog) +- [Experience/AllowCortana](./policy-csp-experience.md#experience-allowcortana) +- [Experience/AllowFindMyDevice](./policy-csp-experience.md#experience-allowfindmydevice) +- [Experience/AllowTailoredExperiencesWithDiagnosticData](./policy-csp-experience.md#experience-allowtailoredexperienceswithdiagnosticdata) +- [Experience/AllowThirdPartySuggestionsInWindowsSpotlight](./policy-csp-experience.md#experience-allowthirdpartysuggestionsinwindowsspotlight) +- [Experience/AllowWindowsConsumerFeatures](./policy-csp-experience.md#experience-allowwindowsconsumerfeatures) +- [Experience/AllowWindowsSpotlight](./policy-csp-experience.md#experience-allowwindowsspotlight) +- 
[Experience/AllowWindowsSpotlightOnActionCenter](./policy-csp-experience.md#experience-allowwindowsspotlightonactioncenter) +- [Experience/AllowWindowsSpotlightOnSettings](./policy-csp-experience.md#experience-allowwindowsspotlightonsettings) +- [Experience/AllowWindowsSpotlightWindowsWelcomeExperience](./policy-csp-experience.md#experience-allowwindowsspotlightwindowswelcomeexperience) +- [Experience/AllowWindowsTips](./policy-csp-experience.md#experience-allowwindowstips) +- [Experience/ConfigureWindowsSpotlightOnLockScreen](./policy-csp-experience.md#experience-configurewindowsspotlightonlockscreen) +- [Experience/DoNotShowFeedbackNotifications](./policy-csp-experience.md#experience-donotshowfeedbacknotifications) +- [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings) +- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer) +- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption) +- [Handwriting/PanelDefaultModeDocked](./policy-csp-handwriting.md#handwriting-paneldefaultmodedocked) +- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider) +- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering) +- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist) +- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete) +- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning) +- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit) +- 
[InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode) +- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu) +- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist) +- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3) +- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist) +- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode) +- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate) +- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate) +- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate) +- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate) +- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate) +- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate) +- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate) +- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry) +- 
[InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist) +- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid) +- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites) +- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate) +- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate) +- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate) +- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation) +- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms) +- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses) +- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash) +- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings) +- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles) +- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory) +- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection) +- 
[InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation) +- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites) +- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading) +- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport) +- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard) +- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature) +- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange) +- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors) +- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing) +- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode) +- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange) +- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange) +- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange) +- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck) +- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck) +- 
[InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode) +- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites) +- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies) +- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols) +- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains) +- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites) +- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths) +- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources) +- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript) +- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles) +- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads) +- 
[InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites) +- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles) +- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols) +- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol) +- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows) +- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols) +- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets) +- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie) +- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript) +- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence) +- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer) +- 
[InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols) +- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols) +- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter) +- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows) +- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows) +- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing) +- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode) +- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver) +- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions) +- 
[InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe) +- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions) +- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes) +- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode) +- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles) +- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker) +- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources) +- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads) +- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites) +- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents) +- 
[InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets) +- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie) +- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence) +- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions) +- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes) +- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources) +- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads) +- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites) +- 
[InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents) +- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets) +- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie) +- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence) +- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions) +- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes) +- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources) +- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads) +- 
[InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets) +- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie) +- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence) +- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions) +- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes) +- [InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions) +- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources) +- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols) +- 
[InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads) +- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets) +- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie) +- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence) +- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes) +- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources) +- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols) +- 
[InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads) +- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets) +- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie) +- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence) +- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions) +- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources) +- 
[InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence) +- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions) +- 
[InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence) +- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols) +- 
[InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions) +- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes) +- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses) +- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses) +- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses) +- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter) +- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols) +- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses) +- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols) +- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses) +- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses) +- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources) +- 
[InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting) +- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors) +- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript) +- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles) +- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads) +- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads) +- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles) +- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh) +- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents) +- 
[InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol) +- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows) +- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols) +- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets) +- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie) +- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript) +- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence) +- [InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer) +- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols) +- 
[InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter) +- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows) +- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows) +- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing) +- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver) +- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions) +- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe) +- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions) +- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes) +- 
[InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins) +- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode) +- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting) +- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets) +- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles) +- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode) +- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker) +- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses) +- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist) +- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings) +- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice) +- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources) +- 
[InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads) +- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets) +- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie) +- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence) +- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions) +- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes) +- 
[Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder) +- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor) +- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring) +- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation) +- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize) +- [Licensing/AllowWindowsEntitlementReactivation](./policy-csp-licensing.md#licensing-allowwindowsentitlementreactivation) +- [Licensing/DisallowKMSClientOnlineAVSValidation](./policy-csp-licensing.md#licensing-disallowkmsclientonlineavsvalidation) +- [LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts) +- [LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-enableadministratoraccountstatus) +- [LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-enableguestaccountstatus) +- [LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly) +- [LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameadministratoraccount) +- [LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameguestaccount) +- 
[LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowundockwithouthavingtologon) +- [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia) +- [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters) +- [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly) +- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways) +- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible) +- [LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges) +- [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked) +- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) +- 
[LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin) +- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel) +- [LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-machineinactivitylimit) +- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon) +- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon) +- [LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior) +- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees) +- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers) +- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession) +- 
[LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways) +- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees) +- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts) +- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccountsandshares) +- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictanonymousaccesstonamedpipesandshares) +- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam) +- [LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests) +- [LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-donotstorelanmanagerhashvalueonnextpasswordchange) +- 
[LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel) +- [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers) +- [LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) +- [LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile) +- [LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation) +- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators) +- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) +- [LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-detectapplicationinstallationsandpromptforelevation) +- 
[LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated) +- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations) +- [LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode) +- [LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation) +- [LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-useadminapprovalmode) +- [LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations) +- [Location/EnableLocation](./policy-csp-location.md#location-enablelocation) +- [LockDown/AllowEdgeSwipe](./policy-csp-lockdown.md#lockdown-allowedgeswipe) +- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes) +- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers) +- 
[MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel) +- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel) +- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon) +- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver) +- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server) +- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection) +- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications) +- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication) +- [Maps/EnableOfflineMapsAutoUpdate](./policy-csp-maps.md#maps-enableofflinemapsautoupdate) +- [Messaging/AllowMessageSync](./policy-csp-messaging.md#messaging-allowmessagesync) +- [NetworkIsolation/EnterpriseCloudResources](./policy-csp-networkisolation.md#networkisolation-enterprisecloudresources) +- [NetworkIsolation/EnterpriseIPRange](./policy-csp-networkisolation.md#networkisolation-enterpriseiprange) +- [NetworkIsolation/EnterpriseIPRangesAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseiprangesareauthoritative) +- [NetworkIsolation/EnterpriseInternalProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseinternalproxyservers) +- [NetworkIsolation/EnterpriseProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyservers) +- 
[NetworkIsolation/EnterpriseProxyServersAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyserversareauthoritative) +- [NetworkIsolation/NeutralResources](./policy-csp-networkisolation.md#networkisolation-neutralresources) +- [Notifications/DisallowNotificationMirroring](./policy-csp-notifications.md#notifications-disallownotificationmirroring) +- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery) +- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin) +- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) +- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) +- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery) +- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin) +- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery) +- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin) +- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) +- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) +- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions) +- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user) +- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters) +- [Privacy/AllowInputPersonalization](./policy-csp-privacy.md#privacy-allowinputpersonalization) +- [Privacy/DisableAdvertisingId](./policy-csp-privacy.md#privacy-disableadvertisingid) +- [Privacy/EnableActivityFeed](./policy-csp-privacy.md#privacy-enableactivityfeed) +- 
[Privacy/LetAppsAccessAccountInfo](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo) +- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps) +- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps) +- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps) +- [Privacy/LetAppsAccessCalendar](./policy-csp-privacy.md#privacy-letappsaccesscalendar) +- [Privacy/LetAppsAccessCalendar_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forceallowtheseapps) +- [Privacy/LetAppsAccessCalendar_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forcedenytheseapps) +- [Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-userincontroloftheseapps) +- [Privacy/LetAppsAccessCallHistory](./policy-csp-privacy.md#privacy-letappsaccesscallhistory) +- [Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forceallowtheseapps) +- [Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forcedenytheseapps) +- [Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-userincontroloftheseapps) +- [Privacy/LetAppsAccessCamera](./policy-csp-privacy.md#privacy-letappsaccesscamera) +- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps) +- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps) +- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps) +- 
[Privacy/LetAppsAccessContacts](./policy-csp-privacy.md#privacy-letappsaccesscontacts) +- [Privacy/LetAppsAccessContacts_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forceallowtheseapps) +- [Privacy/LetAppsAccessContacts_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forcedenytheseapps) +- [Privacy/LetAppsAccessContacts_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-userincontroloftheseapps) +- [Privacy/LetAppsAccessEmail](./policy-csp-privacy.md#privacy-letappsaccessemail) +- [Privacy/LetAppsAccessEmail_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forceallowtheseapps) +- [Privacy/LetAppsAccessEmail_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forcedenytheseapps) +- [Privacy/LetAppsAccessEmail_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-userincontroloftheseapps) +- [Privacy/LetAppsAccessLocation](./policy-csp-privacy.md#privacy-letappsaccesslocation) +- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forceallowtheseapps) +- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forcedenytheseapps) +- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-userincontroloftheseapps) +- [Privacy/LetAppsAccessMessaging](./policy-csp-privacy.md#privacy-letappsaccessmessaging) +- [Privacy/LetAppsAccessMessaging_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forceallowtheseapps) +- [Privacy/LetAppsAccessMessaging_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forcedenytheseapps) +- [Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-userincontroloftheseapps) +- 
[Privacy/LetAppsAccessMicrophone](./policy-csp-privacy.md#privacy-letappsaccessmicrophone) +- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps) +- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps) +- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps) +- [Privacy/LetAppsAccessMotion](./policy-csp-privacy.md#privacy-letappsaccessmotion) +- [Privacy/LetAppsAccessMotion_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forceallowtheseapps) +- [Privacy/LetAppsAccessMotion_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forcedenytheseapps) +- [Privacy/LetAppsAccessMotion_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-userincontroloftheseapps) +- [Privacy/LetAppsAccessNotifications](./policy-csp-privacy.md#privacy-letappsaccessnotifications) +- [Privacy/LetAppsAccessNotifications_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forceallowtheseapps) +- [Privacy/LetAppsAccessNotifications_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forcedenytheseapps) +- [Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-userincontroloftheseapps) +- [Privacy/LetAppsAccessPhone](./policy-csp-privacy.md#privacy-letappsaccessphone) +- [Privacy/LetAppsAccessPhone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forceallowtheseapps) +- [Privacy/LetAppsAccessPhone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forcedenytheseapps) +- [Privacy/LetAppsAccessPhone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-userincontroloftheseapps) +- 
[Privacy/LetAppsAccessRadios](./policy-csp-privacy.md#privacy-letappsaccessradios) +- [Privacy/LetAppsAccessRadios_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forceallowtheseapps) +- [Privacy/LetAppsAccessRadios_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forcedenytheseapps) +- [Privacy/LetAppsAccessRadios_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-userincontroloftheseapps) +- [Privacy/LetAppsAccessTasks](./policy-csp-privacy.md#privacy-letappsaccesstasks) +- [Privacy/LetAppsAccessTasks_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forceallowtheseapps) +- [Privacy/LetAppsAccessTasks_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forcedenytheseapps) +- [Privacy/LetAppsAccessTasks_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-userincontroloftheseapps) +- [Privacy/LetAppsAccessTrustedDevices](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices) +- [Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forceallowtheseapps) +- [Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forcedenytheseapps) +- [Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-userincontroloftheseapps) +- [Privacy/LetAppsGetDiagnosticInfo](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo) +- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) +- 
[Privacy/LetAppsRunInBackground](./policy-csp-privacy.md#privacy-letappsruninbackground) +- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forceallowtheseapps) +- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forcedenytheseapps) +- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-userincontroloftheseapps) +- [Privacy/LetAppsSyncWithDevices](./policy-csp-privacy.md#privacy-letappssyncwithdevices) +- [Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forceallowtheseapps) +- [Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forcedenytheseapps) +- [Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-userincontroloftheseapps) +- [Privacy/PublishUserActivities](./policy-csp-privacy.md#privacy-publishuseractivities) +- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages) +- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging) +- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance) +- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance) +- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely) +- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel) +- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection) +- 
[RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving) +- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection) +- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication) +- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client) +- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service) +- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient) +- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice) +- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement) +- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client) +- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service) +- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication) +- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient) +- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice) +- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials) +- 
[RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel) +- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts) +- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener) +- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener) +- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication) +- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients) +- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess) +- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers) +- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout) +- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory) +- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses) +- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells) +- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout) +- [Search/AllowCloudSearch](./policy-csp-search.md#search-allowcloudsearch) +- [Search/AllowCortanaInAAD](./policy-csp-search.md#search-allowcortanainaad) +- [Search/AllowIndexingEncryptedStoresOrItems](./policy-csp-search.md#search-allowindexingencryptedstoresoritems) +- [Search/AllowSearchToUseLocation](./policy-csp-search.md#search-allowsearchtouselocation) +- [Search/AllowUsingDiacritics](./policy-csp-search.md#search-allowusingdiacritics) +- 
[Search/AlwaysUseAutoLangDetection](./policy-csp-search.md#search-alwaysuseautolangdetection) +- [Search/DisableBackoff](./policy-csp-search.md#search-disablebackoff) +- [Search/DisableRemovableDriveIndexing](./policy-csp-search.md#search-disableremovabledriveindexing) +- [Search/DoNotUseWebResults](./policy-csp-search.md#search-donotusewebresults) +- [Search/PreventIndexingLowDiskSpaceMB](./policy-csp-search.md#search-preventindexinglowdiskspacemb) +- [Search/PreventRemoteQueries](./policy-csp-search.md#search-preventremotequeries) +- [Security/ClearTPMIfNotReady](./policy-csp-security.md#security-cleartpmifnotready) +- [Settings/AllowOnlineTips](./policy-csp-settings.md#settings-allowonlinetips) +- [Settings/ConfigureTaskbarCalendar](./policy-csp-settings.md#settings-configuretaskbarcalendar) +- [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist) +- [SmartScreen/EnableAppInstallControl](./policy-csp-smartscreen.md#smartscreen-enableappinstallcontrol) +- [SmartScreen/EnableSmartScreenInShell](./policy-csp-smartscreen.md#smartscreen-enablesmartscreeninshell) +- [SmartScreen/PreventOverrideForFilesInShell](./policy-csp-smartscreen.md#smartscreen-preventoverrideforfilesinshell) +- [Speech/AllowSpeechModelUpdate](./policy-csp-speech.md#speech-allowspeechmodelupdate) +- [Start/HidePeopleBar](./policy-csp-start.md#start-hidepeoplebar) +- [Start/HideRecentlyAddedApps](./policy-csp-start.md#start-hiderecentlyaddedapps) +- [Start/StartLayout](./policy-csp-start.md#start-startlayout) +- [Storage/AllowDiskHealthModelUpdates](./policy-csp-storage.md#storage-allowdiskhealthmodelupdates) +- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices) +- [System/AllowBuildPreview](./policy-csp-system.md#system-allowbuildpreview) +- [System/AllowFontProviders](./policy-csp-system.md#system-allowfontproviders) +- [System/AllowLocation](./policy-csp-system.md#system-allowlocation) +- 
[System/AllowTelemetry](./policy-csp-system.md#system-allowtelemetry) +- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) +- [System/DisableEnterpriseAuthProxy](./policy-csp-system.md#system-disableenterpriseauthproxy) +- [System/DisableOneDriveFileSync](./policy-csp-system.md#system-disableonedrivefilesync) +- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) +- [System/LimitEnhancedDiagnosticDataWindowsAnalytics](./policy-csp-system.md#system-limitenhanceddiagnosticdatawindowsanalytics) +- [System/TelemetryProxy](./policy-csp-system.md#system-telemetryproxy) +- [SystemServices/ConfigureHomeGroupListenerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegrouplistenerservicestartupmode) +- [SystemServices/ConfigureHomeGroupProviderServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegroupproviderservicestartupmode) +- [SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxaccessorymanagementservicestartupmode) +- [SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxliveauthmanagerservicestartupmode) +- [SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivegamesaveservicestartupmode) +- [SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivenetworkingservicestartupmode) +- [TextInput/AllowLanguageFeaturesUninstall](./policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall) +- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend) +- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange) +- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) +- 
[Update/AllowAutoUpdate](./policy-csp-update.md#update-allowautoupdate) +- [Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork](./policy-csp-update.md#update-allowautowindowsupdatedownloadovermeterednetwork) +- [Update/AllowMUUpdateService](./policy-csp-update.md#update-allowmuupdateservice) +- [Update/AllowUpdateService](./policy-csp-update.md#update-allowupdateservice) +- [Update/AutoRestartDeadlinePeriodInDays](./policy-csp-update.md#update-autorestartdeadlineperiodindays) +- [Update/AutoRestartNotificationSchedule](./policy-csp-update.md#update-autorestartnotificationschedule) +- [Update/AutoRestartRequiredNotificationDismissal](./policy-csp-update.md#update-autorestartrequirednotificationdismissal) +- [Update/BranchReadinessLevel](./policy-csp-update.md#update-branchreadinesslevel) +- [Update/DeferFeatureUpdatesPeriodInDays](./policy-csp-update.md#update-deferfeatureupdatesperiodindays) +- [Update/DeferQualityUpdatesPeriodInDays](./policy-csp-update.md#update-deferqualityupdatesperiodindays) +- [Update/DeferUpdatePeriod](./policy-csp-update.md#update-deferupdateperiod) +- [Update/DeferUpgradePeriod](./policy-csp-update.md#update-deferupgradeperiod) +- [Update/DetectionFrequency](./policy-csp-update.md#update-detectionfrequency) +- [Update/DisableDualScan](./policy-csp-update.md#update-disabledualscan) +- [Update/EngagedRestartDeadline](./policy-csp-update.md#update-engagedrestartdeadline) +- [Update/EngagedRestartSnoozeSchedule](./policy-csp-update.md#update-engagedrestartsnoozeschedule) +- [Update/EngagedRestartTransitionSchedule](./policy-csp-update.md#update-engagedrestarttransitionschedule) +- [Update/ExcludeWUDriversInQualityUpdate](./policy-csp-update.md#update-excludewudriversinqualityupdate) +- [Update/FillEmptyContentUrls](./policy-csp-update.md#update-fillemptycontenturls) +- [Update/ManagePreviewBuilds](./policy-csp-update.md#update-managepreviewbuilds) +- [Update/PauseDeferrals](./policy-csp-update.md#update-pausedeferrals) +- 
[Update/PauseFeatureUpdates](./policy-csp-update.md#update-pausefeatureupdates) +- [Update/PauseFeatureUpdatesStartTime](./policy-csp-update.md#update-pausefeatureupdatesstarttime) +- [Update/PauseQualityUpdates](./policy-csp-update.md#update-pausequalityupdates) +- [Update/PauseQualityUpdatesStartTime](./policy-csp-update.md#update-pausequalityupdatesstarttime) +- [Update/RequireDeferUpgrade](./policy-csp-update.md#update-requiredeferupgrade) +- [Update/ScheduleImminentRestartWarning](./policy-csp-update.md#update-scheduleimminentrestartwarning) +- [Update/ScheduleRestartWarning](./policy-csp-update.md#update-schedulerestartwarning) +- [Update/ScheduledInstallDay](./policy-csp-update.md#update-scheduledinstallday) +- [Update/ScheduledInstallEveryWeek](./policy-csp-update.md#update-scheduledinstalleveryweek) +- [Update/ScheduledInstallFirstWeek](./policy-csp-update.md#update-scheduledinstallfirstweek) +- [Update/ScheduledInstallFourthWeek](./policy-csp-update.md#update-scheduledinstallfourthweek) +- [Update/ScheduledInstallSecondWeek](./policy-csp-update.md#update-scheduledinstallsecondweek) +- [Update/ScheduledInstallThirdWeek](./policy-csp-update.md#update-scheduledinstallthirdweek) +- [Update/ScheduledInstallTime](./policy-csp-update.md#update-scheduledinstalltime) +- [Update/SetAutoRestartNotificationDisable](./policy-csp-update.md#update-setautorestartnotificationdisable) +- [Update/SetEDURestart](./policy-csp-update.md#update-setedurestart) +- [Update/UpdateServiceUrl](./policy-csp-update.md#update-updateserviceurl) +- [Update/UpdateServiceUrlAlternate](./policy-csp-update.md#update-updateserviceurlalternate) +- [UserRights/AccessCredentialManagerAsTrustedCaller](./policy-csp-userrights.md#userrights-accesscredentialmanagerastrustedcaller) +- [UserRights/AccessFromNetwork](./policy-csp-userrights.md#userrights-accessfromnetwork) +- [UserRights/ActAsPartOfTheOperatingSystem](./policy-csp-userrights.md#userrights-actaspartoftheoperatingsystem) +- 
[UserRights/AllowLocalLogOn](./policy-csp-userrights.md#userrights-allowlocallogon) +- [UserRights/BackupFilesAndDirectories](./policy-csp-userrights.md#userrights-backupfilesanddirectories) +- [UserRights/ChangeSystemTime](./policy-csp-userrights.md#userrights-changesystemtime) +- [UserRights/CreateGlobalObjects](./policy-csp-userrights.md#userrights-createglobalobjects) +- [UserRights/CreatePageFile](./policy-csp-userrights.md#userrights-createpagefile) +- [UserRights/CreatePermanentSharedObjects](./policy-csp-userrights.md#userrights-createpermanentsharedobjects) +- [UserRights/CreateSymbolicLinks](./policy-csp-userrights.md#userrights-createsymboliclinks) +- [UserRights/CreateToken](./policy-csp-userrights.md#userrights-createtoken) +- [UserRights/DebugPrograms](./policy-csp-userrights.md#userrights-debugprograms) +- [UserRights/DenyAccessFromNetwork](./policy-csp-userrights.md#userrights-denyaccessfromnetwork) +- [UserRights/DenyLocalLogOn](./policy-csp-userrights.md#userrights-denylocallogon) +- [UserRights/DenyRemoteDesktopServicesLogOn](./policy-csp-userrights.md#userrights-denyremotedesktopserviceslogon) +- [UserRights/EnableDelegation](./policy-csp-userrights.md#userrights-enabledelegation) +- [UserRights/GenerateSecurityAudits](./policy-csp-userrights.md#userrights-generatesecurityaudits) +- [UserRights/ImpersonateClient](./policy-csp-userrights.md#userrights-impersonateclient) +- [UserRights/IncreaseSchedulingPriority](./policy-csp-userrights.md#userrights-increaseschedulingpriority) +- [UserRights/LoadUnloadDeviceDrivers](./policy-csp-userrights.md#userrights-loadunloaddevicedrivers) +- [UserRights/LockMemory](./policy-csp-userrights.md#userrights-lockmemory) +- [UserRights/ManageAuditingAndSecurityLog](./policy-csp-userrights.md#userrights-manageauditingandsecuritylog) +- [UserRights/ManageVolume](./policy-csp-userrights.md#userrights-managevolume) +- 
[UserRights/ModifyFirmwareEnvironment](./policy-csp-userrights.md#userrights-modifyfirmwareenvironment) +- [UserRights/ModifyObjectLabel](./policy-csp-userrights.md#userrights-modifyobjectlabel) +- [UserRights/ProfileSingleProcess](./policy-csp-userrights.md#userrights-profilesingleprocess) +- [UserRights/RemoteShutdown](./policy-csp-userrights.md#userrights-remoteshutdown) +- [UserRights/RestoreFilesAndDirectories](./policy-csp-userrights.md#userrights-restorefilesanddirectories) +- [UserRights/TakeOwnership](./policy-csp-userrights.md#userrights-takeownership) +- [Wifi/AllowAutoConnectToWiFiSenseHotspots](./policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots) +- [Wifi/AllowInternetSharing](./policy-csp-wifi.md#wifi-allowinternetsharing) +- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) +- [WindowsDefenderSecurityCenter/CompanyName](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-companyname) +- [WindowsDefenderSecurityCenter/DisableAccountProtectionUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableaccountprotectionui) +- [WindowsDefenderSecurityCenter/DisableAppBrowserUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableappbrowserui) +- [WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabledevicesecurityui) +- [WindowsDefenderSecurityCenter/DisableEnhancedNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableenhancednotifications) +- [WindowsDefenderSecurityCenter/DisableFamilyUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablefamilyui) +- 
[WindowsDefenderSecurityCenter/DisableHealthUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablehealthui) +- [WindowsDefenderSecurityCenter/DisableNetworkUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenetworkui) +- [WindowsDefenderSecurityCenter/DisableNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenotifications) +- [WindowsDefenderSecurityCenter/DisableVirusUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablevirusui) +- [WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disallowexploitprotectionoverride) +- [WindowsDefenderSecurityCenter/Email](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-email) +- [WindowsDefenderSecurityCenter/EnableCustomizedToasts](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enablecustomizedtoasts) +- [WindowsDefenderSecurityCenter/EnableInAppCustomization](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enableinappcustomization) +- [WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hideransomwaredatarecovery) +- [WindowsDefenderSecurityCenter/HideSecureBoot](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidesecureboot) +- [WindowsDefenderSecurityCenter/HideTPMTroubleshooting](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidetpmtroubleshooting) +- [WindowsDefenderSecurityCenter/Phone](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-phone) +- [WindowsDefenderSecurityCenter/URL](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-url) +- 
[WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) +- [WindowsInkWorkspace/AllowWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowwindowsinkworkspace) +- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) +- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) +- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) +- [WindowsLogon/HideFastUserSwitching](./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching) +- [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart) +- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging) +- [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc) +- [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing) ## Policies supported by IoT Core @@ -3688,7 +4546,6 @@ The following diagram shows the Policy configuration service provider in tree fo - [Security/RequireDeviceEncryption](#security-requiredeviceencryption) - [Settings/AllowDateTime](#settings-allowdatetime) - [Settings/AllowVPN](#settings-allowvpn) -- [System/AllowFontProviders](#system-allowfontproviders) - [System/AllowLocation](#system-allowlocation) - [System/AllowTelemetry](#system-allowtelemetry) - [Update/AllowAutoUpdate](#update-allowautoupdate) 
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index bdcbc5f8c4..16115c79c9 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - AboveLock @@ -127,6 +127,14 @@ The following list shows the supported values: Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. + +ADMX Info: +- GP English name: *Allow Cortana above lock screen* +- GP name: *AllowCortanaAboveLock* +- GP path: *Windows Components/Search* +- GP ADMX file name: *Search.admx* + + The following list shows the supported values: @@ -194,6 +202,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md b/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md index 2d0549e77b..7cee27e382 100644 --- a/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md +++ b/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - AccountPoliciesAccountLockoutPolicy 
@@ -180,6 +180,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 0fb29f4870..5eb439322d 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Accounts @@ -244,6 +244,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 4bea893b54..2563d21bc2 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - ActiveXControls 
@@ -63,11 +63,11 @@ ms.date: 01/30/2018 -This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL. +This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL. -If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL. +If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL. -If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation. +If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation. Note: Wild card characters cannot be used when specifying the host URLs. @@ -79,14 +79,14 @@ Note: Wild card characters cannot be used when specifying the host URLs. > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Approved Installation Sites for ActiveX Controls* - GP name: *ApprovedActiveXInstallSites* - GP path: *Windows Components/ActiveX Installer Service* - GP ADMX file name: *ActiveXInstallService.admx* - +
          @@ -95,6 +95,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 0e45ce047c..5aaf01d6fb 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - ApplicationDefaults @@ -68,6 +68,15 @@ Added in Windows 10, version 1703. This policy allows an administrator to set de If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied. + +ADMX Info: +- GP English name: *Set a default associations configuration file* +- GP name: *DefaultAssociationsConfiguration* +- GP element: *DefaultAssociationsConfiguration_TextBox* +- GP path: *File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + To create create the SyncML, follow these steps:
            @@ -130,6 +139,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 9ee5181bd2..47b9d1e09d 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - ApplicationManagement @@ -98,6 +98,14 @@ Specifies whether non Microsoft Store apps are allowed. Most restricted value is 0. + +ADMX Info: +- GP English name: *Allow all trusted apps to install* +- GP name: *AppxDeploymentAllowAllTrustedApps* +- GP path: *Windows Components/App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + The following list shows the supported values: @@ -152,6 +160,14 @@ Specifies whether automatic update of apps from Microsoft Store are allowed. Most restricted value is 0. + +ADMX Info: +- GP English name: *Turn off Automatic Download and Install of updates* +- GP name: *DisableAutoInstall* +- GP path: *Windows Components/Store* +- GP ADMX file name: *WindowsStore.admx* + + The following list shows the supported values: @@ -204,6 +220,14 @@ Specifies whether developer unlock is allowed. Most restricted value is 0. + +ADMX Info: +- GP English name: *Allows development of Windows Store apps and installing them from an integrated development environment (IDE)* +- GP name: *AllowDevelopmentWithoutDevLicense* +- GP path: *Windows Components/App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + The following list shows the supported values: 
@@ -260,6 +284,14 @@ Specifies whether DVR and broadcasting is allowed. Most restricted value is 0. + +ADMX Info: +- GP English name: *Enables or disables Windows Game Recording and Broadcasting* +- GP name: *AllowGameDVR* +- GP path: *Windows Components/Windows Game Recording and Broadcasting* +- GP ADMX file name: *GameDVR.admx* + + The following list shows the supported values: @@ -312,6 +344,14 @@ Specifies whether multiple users of the same app can share data. Most restricted value is 0. + +ADMX Info: +- GP English name: *Allow a Windows app to share application data between users* +- GP name: *AllowSharedLocalAppData* +- GP path: *Windows Components/App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + The following list shows the supported values: @@ -479,6 +519,14 @@ Value evaluation rule - The information for PolicyManager is opaque. There is no Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. + +ADMX Info: +- GP English name: *Disable all apps from Microsoft Store * +- GP name: *DisableStoreApps* +- GP path: *Windows Components/Store* +- GP ADMX file name: *WindowsStore.admx* + + The following list shows the supported values: @@ -521,6 +569,7 @@ The following list shows the supported values: > [!div class = "checklist"] > * User +> * Device
            @@ -532,6 +581,12 @@ Allows disabling of the retail catalog and only enables the Private store. Most restricted value is 1. + +ADMX Info: +- GP name: *RequirePrivateStoreOnly* +- GP ADMX file name: *WindowsStore.admx* + + The following list shows the supported values: @@ -584,6 +639,14 @@ Specifies whether application data is restricted to the system drive. Most restricted value is 1. + +ADMX Info: +- GP English name: *Prevent users' app data from being stored on non-system volumes* +- GP name: *RestrictAppDataToSystemVolume* +- GP path: *Windows Components/App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + The following list shows the supported values: @@ -636,6 +699,14 @@ Specifies whether the installation of applications is restricted to the system d Most restricted value is 1. + +ADMX Info: +- GP English name: *Disable installing Windows apps on non-system volumes* +- GP name: *DisableDeploymentToNonSystemVolumes* +- GP path: *Windows Components/App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + The following list shows the supported values: @@ -651,6 +722,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md new file mode 100644 index 0000000000..7e6fb10c8d --- /dev/null +++ b/windows/client-management/mdm/policy-csp-appruntime.md 
@@ -0,0 +1,78 @@ +--- +title: Policy CSP - AppRuntime +description: Policy CSP - AppRuntime +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 03/12/2018 +--- + +# Policy CSP - AppRuntime + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
            + + +## AppRuntime policies + +
            +
            + AppRuntime/AllowMicrosoftAccountsToBeOptional +
            +
            + + +
            + + +**AppRuntime/AllowMicrosoftAccountsToBeOptional** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
            + + + +This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. + +If you enable this policy setting, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead. + +If you disable or do not configure this policy setting, users will need to sign in with a Microsoft account. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow Microsoft accounts to be optional* +- GP name: *AppxRuntimeMicrosoftAccountsOptional* +- GP path: *Windows Components/App runtime* +- GP ADMX file name: *AppXRuntime.admx* + + + +
            + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. + + + diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index 5ec36f8881..562a5224dc 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - AppVirtualization @@ -154,14 +154,14 @@ This policy setting allows you to enable or disable Microsoft Application Virtua > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Enable App-V Client* - GP name: *EnableAppV* - GP path: *System/App-V* - GP ADMX file name: *appv.admx* - +
            @@ -212,14 +212,14 @@ Enables Dynamic Virtualization of supported shell extensions, browser helper obj > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Enable Dynamic Virtualization* - GP name: *Virtualization_JITVEnable* - GP path: *System/App-V/Virtualization* - GP ADMX file name: *appv.admx* - +
            @@ -270,14 +270,14 @@ Enables automatic cleanup of appv packages that were added after Windows10 anniv > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Enable automatic cleanup of unused appv packages* - GP name: *PackageManagement_AutoCleanupEnable* - GP path: *System/App-V/PackageManagement* - GP ADMX file name: *appv.admx* - +
            @@ -328,14 +328,14 @@ Enables scripts defined in the package manifest of configuration files that shou > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Enable Package Scripts* - GP name: *Scripting_Enable_Package_Scripts* - GP path: *System/App-V/Scripting* - GP ADMX file name: *appv.admx* - +
            @@ -386,14 +386,14 @@ Enables a UX to display to the user when a publishing refresh is performed on th > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Enable Publishing Refresh UX* - GP name: *Enable_Publishing_Refresh_UX* - GP path: *System/App-V/Publishing* - GP ADMX file name: *appv.admx* - +
            @@ -454,14 +454,14 @@ Data Block Size: This value specifies the maximum size in bytes to transmit to t > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Reporting Server* - GP name: *Reporting_Server_Policy* - GP path: *System/App-V/Reporting* - GP ADMX file name: *appv.admx* - +
            @@ -512,14 +512,14 @@ Specifies the file paths relative to %userprofile% that do not roam with a user' > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Roaming File Exclusions* - GP name: *Integration_Roaming_File_Exclusions* - GP path: *System/App-V/Integration* - GP ADMX file name: *appv.admx* - +
            @@ -570,14 +570,14 @@ Specifies the registry paths that do not roam with a user profile. Example usage > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Roaming Registry Exclusions* - GP name: *Integration_Roaming_Registry_Exclusions* - GP path: *System/App-V/Integration* - GP ADMX file name: *appv.admx* - +
            @@ -628,14 +628,14 @@ Specifies how new packages should be loaded automatically by App-V on a specific > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Specify what to load in background (aka AutoLoad)* - GP name: *Steaming_Autoload* - GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* - +
            @@ -686,14 +686,14 @@ Migration mode allows the App-V client to modify shortcuts and FTA's for package > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Enable Migration Mode* - GP name: *Client_Coexistence_Enable_Migration_mode* - GP path: *System/App-V/Client Coexistence* - GP ADMX file name: *appv.admx* - +
            @@ -744,14 +744,14 @@ Specifies the location where symbolic links are created to the current version o > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Integration Root User* - GP name: *Integration_Root_User* - GP path: *System/App-V/Integration* - GP ADMX file name: *appv.admx* - +
            @@ -802,14 +802,14 @@ Specifies the location where symbolic links are created to the current version o > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Integration Root Global* - GP name: *Integration_Root_Global* - GP path: *System/App-V/Integration* - GP ADMX file name: *appv.admx* - +
            @@ -878,14 +878,14 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Publishing Server 1 Settings* - GP name: *Publishing_Server1_Policy* - GP path: *System/App-V/Publishing* - GP ADMX file name: *appv.admx* - +
            @@ -954,14 +954,14 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Publishing Server 2 Settings* - GP name: *Publishing_Server2_Policy* - GP path: *System/App-V/Publishing* - GP ADMX file name: *appv.admx* - +
            @@ -1030,14 +1030,14 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Publishing Server 3 Settings* - GP name: *Publishing_Server3_Policy* - GP path: *System/App-V/Publishing* - GP ADMX file name: *appv.admx* - +
            @@ -1106,14 +1106,14 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Publishing Server 4 Settings* - GP name: *Publishing_Server4_Policy* - GP path: *System/App-V/Publishing* - GP ADMX file name: *appv.admx* - +
            @@ -1182,14 +1182,14 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Publishing Server 5 Settings* - GP name: *Publishing_Server5_Policy* - GP path: *System/App-V/Publishing* - GP ADMX file name: *appv.admx* - +
            @@ -1240,14 +1240,14 @@ Specifies the path to a valid certificate in the certificate store. > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Certificate Filter For Client SSL* - GP name: *Streaming_Certificate_Filter_For_Client_SSL* - GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* - +
            @@ -1298,14 +1298,14 @@ This setting controls whether virtualized applications are launched on Windows 8 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection* - GP name: *Streaming_Allow_High_Cost_Launch* - GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* - +
            @@ -1356,14 +1356,14 @@ Specifies the CLSID for a compatible implementation of the IAppvPackageLocationP > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Location Provider* - GP name: *Streaming_Location_Provider* - GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* - +
            @@ -1414,14 +1414,14 @@ Specifies directory where all new applications and updates will be installed. > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Package Installation Root* - GP name: *Streaming_Package_Installation_Root* - GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* - +
            @@ -1472,14 +1472,14 @@ Overrides source location for downloading package content. > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Package Source Root* - GP name: *Streaming_Package_Source_Root* - GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* - +
            @@ -1530,14 +1530,14 @@ Specifies the number of seconds between attempts to reestablish a dropped sessio > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Reestablishment Interval* - GP name: *Streaming_Reestablishment_Interval* - GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* - +
            @@ -1588,14 +1588,14 @@ Specifies the number of times to retry a dropped session. > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Reestablishment Retries* - GP name: *Streaming_Reestablishment_Retries* - GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* - +
            @@ -1646,14 +1646,14 @@ Specifies that streamed package contents will be not be saved to the local hard > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Shared Content Store (SCS) mode* - GP name: *Streaming_Shared_Content_Store_Mode* - GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* - +
            @@ -1704,14 +1704,14 @@ If enabled, the App-V client will support BrancheCache compatible HTTP streaming > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Enable Support for BranchCache* - GP name: *Streaming_Support_Branch_Cache* - GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* - +
            @@ -1762,14 +1762,14 @@ Verifies Server certificate revocation status before streaming using HTTPS. > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Verify certificate revocation list* - GP name: *Streaming_Verify_Certificate_Revocation_List* - GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* - +
            @@ -1820,14 +1820,14 @@ Specifies a list of process paths (may contain wildcards) which are candidates f > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Virtual Component Process Allow List* - GP name: *Virtualization_JITVAllowList* - GP path: *System/App-V/Virtualization* - GP ADMX file name: *appv.admx* - +
            @@ -1836,6 +1836,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index 3cd9a8202d..7b97a87a4b 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - AttachmentManager @@ -85,14 +85,14 @@ If you do not configure this policy setting, Windows marks file attachments with > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Do not preserve zone information in file attachments* - GP name: *AM_MarkZoneOnSavedAtttachments* - GP path: *Windows Components/Attachment Manager* - GP ADMX file name: *AttachmentManager.admx* - +
            @@ -149,14 +149,14 @@ If you do not configure this policy setting, Windows hides the check box and Unb > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Hide mechanisms to remove zone information* - GP name: *AM_RemoveZoneInfo* - GP path: *Windows Components/Attachment Manager* - GP ADMX file name: *AttachmentManager.admx* - +
            @@ -197,7 +197,7 @@ ADMX Info: -This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant. +This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant. If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened. @@ -213,14 +213,14 @@ If you do not configure this policy setting, Windows does not call the registere > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Notify antivirus programs when opening attachments* - GP name: *AM_CallIOfficeAntiVirus* - GP path: *Windows Components/Attachment Manager* - GP ADMX file name: *AttachmentManager.admx* - +
            @@ -229,6 +229,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 881ae7ff19..f83bb3905c 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Authentication @@ -286,6 +286,14 @@ Added in Windows 10, version 1607. Allows secondary authentication devices to w The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD). + +ADMX Info: +- GP English name: *Allow companion device for secondary authentication* +- GP name: *MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice* +- GP path: *Windows Components/Microsoft Secondary Authentication Factor* +- GP ADMX file name: *DeviceCredential.admx* + + The following list shows the supported values: @@ -301,6 +309,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index ea02a39c19..c748e76ae7 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md 
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Autoplay @@ -84,14 +84,14 @@ If you disable or do not configure this policy setting, AutoPlay is enabled for > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Disallow Autoplay for non-volume devices* - GP name: *NoAutoplayfornonVolume* - GP path: *Windows Components/AutoPlay Policies* - GP ADMX file name: *AutoPlay.admx* - +
            @@ -156,14 +156,14 @@ If you disable or not configure this policy setting, Windows Vista or later will > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Set the default behavior for AutoRun* - GP name: *NoAutorun* - GP path: *Windows Components/AutoPlay Policies* - GP ADMX file name: *AutoPlay.admx* - +
            @@ -229,14 +229,14 @@ Note: This policy setting appears in both the Computer Configuration and User Co > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn off Autoplay* - GP name: *Autorun* - GP path: *Windows Components/AutoPlay Policies* - GP ADMX file name: *AutoPlay.admx* - +
            @@ -245,6 +245,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index 852a915bac..fa358dcb81 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Bitlocker @@ -114,6 +114,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 3a6b797bf3..fb08f30dc0 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Bluetooth @@ -293,6 +293,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index da6abdd0ee..79d91ff2dc 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/31/2018 +ms.date: 03/13/2018 --- # Policy CSP - Browser @@ -117,6 +117,9 @@ ms.date: 01/31/2018
            Browser/PreventSmartScreenPromptOverrideForFiles
            +
            + Browser/PreventTabPreloading +
            Browser/PreventUsingLocalHostIPAddressForWebRTC
            @@ -188,6 +191,14 @@ Added in Windows 10, version 1703. Specifies whether to allow the address bar dr Most restricted value is 0. + +ADMX Info: +- GP English name: *Allow Address bar drop-down list suggestions* +- GP name: *AllowAddressBarDropdown* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -241,6 +252,14 @@ Specifies whether autofill on websites is allowed. Most restricted value is 0. + +ADMX Info: +- GP English name: *Configure Autofill* +- GP name: *AllowAutofill* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -366,14 +385,7 @@ The following list shows the supported values: - 0 - Disable. Microsoft Edge cannot retrieve a configuration - 1 - Enable (default). Microsoft Edge can retrieve a configuration for Books Library - - - - - - -
            @@ -421,6 +433,15 @@ Specifies whether cookies are allowed. Most restricted value is 0. + +ADMX Info: +- GP English name: *Configure cookies* +- GP name: *Cookies* +- GP element: *CookiesListBox* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -487,6 +508,14 @@ Specifies whether employees can use F12 Developer Tools on Microsoft Edge. Turni Most restricted value is 0. + +ADMX Info: +- GP English name: *Allow Developer Tools* +- GP name: *AllowDeveloperTools* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -540,6 +569,14 @@ Specifies whether Do Not Track headers are allowed. Most restricted value is 1. + +ADMX Info: +- GP English name: *Configure Do Not Track* +- GP name: *AllowDoNotTrack* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -600,6 +637,14 @@ To verify AllowDoNotTrack is set to 0 (not allowed): Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed. + +ADMX Info: +- GP English name: *Allow Extensions* +- GP name: *AllowExtensions* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -651,6 +696,14 @@ The following list shows the supported values: Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge. + +ADMX Info: +- GP English name: *Allow Adobe Flash* +- GP name: *AllowFlash* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: 
@@ -702,6 +755,14 @@ The following list shows the supported values: Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. + +ADMX Info: +- GP English name: *Configure the Adobe Flash Click-to-Run setting* +- GP name: *AllowFlashClickToRun* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -755,6 +816,14 @@ Specifies whether InPrivate browsing is allowed on corporate networks. Most restricted value is 0. + +ADMX Info: +- GP English name: *Allow InPrivate browsing* +- GP name: *AllowInPrivate* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -811,6 +880,14 @@ If you enable or don’t configure this setting, Microsoft Edge periodically dow Most restricted value is 0. + +ADMX Info: +- GP English name: *Allow Microsoft Compatibility List* +- GP name: *AllowCVList* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -864,6 +941,14 @@ Specifies whether saving and managing passwords locally on the device is allowed Most restricted value is 0. + +ADMX Info: +- GP English name: *Configure Password Manager* +- GP name: *AllowPasswordManager* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -926,6 +1011,14 @@ Specifies whether pop-up blocker is allowed or enabled. Most restricted value is 1. + +ADMX Info: +- GP English name: *Configure Pop-up Blocker* +- GP name: *AllowPopups* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: 
@@ -990,6 +1083,14 @@ If this setting is turned on or not configured, users can add new search engines Most restricted value is 0. + +ADMX Info: +- GP English name: *Allow search engine customization* +- GP name: *AllowSearchEngineCustomization* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -1043,6 +1144,14 @@ Specifies whether search suggestions are allowed in the address bar. Most restricted value is 0. + +ADMX Info: +- GP English name: *Configure search suggestions in Address bar* +- GP name: *AllowSearchSuggestionsinAddressBar* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -1096,6 +1205,14 @@ Specifies whether Windows Defender SmartScreen is allowed. Most restricted value is 1. + +ADMX Info: +- GP English name: *Configure Windows Defender SmartScreen* +- GP name: *AllowSmartScreen* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -1156,6 +1273,14 @@ To verify AllowSmartScreen is set to 0 (not allowed): Added in Windows 10, next majot update. Always show the Books Library in Microsoft Edge + +ADMX Info: +- GP English name: *Always show the Books Library in Microsoft Edge* +- GP name: *AlwaysEnableBooksLibrary* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -1209,6 +1334,14 @@ Added in Windows 10, version 1703. Specifies whether to clear browsing data on e Most restricted value is 1. + +ADMX Info: +- GP English name: *Allow clearing browsing data on exit* +- GP name: *AllowClearingBrowsingDataOnExit* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: 
@@ -1279,6 +1412,15 @@ If this setting is not configured, the search engines used are the ones that are Most restricted value is 0. + +ADMX Info: +- GP English name: *Configure additional search engines* +- GP name: *ConfigureAdditionalSearchEngines* +- GP element: *ConfigureAdditionalSearchEngines_Prompt* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -1338,6 +1480,14 @@ Added in Windows 10, version 1703. Boolean value that specifies whether the lock Most restricted value is 0. + +ADMX Info: +- GP English name: *Disable lockdown of Start pages* +- GP name: *DisableLockdownOfStartPages* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -1391,6 +1541,14 @@ This policy setting lets you decide how much data to send to Microsoft about the If you enable this setting, Microsoft Edge sends additional diagnostic data, on top of the basic diagnostic data, from the Books tab. If you disable or don't configure this setting, Microsoft Edge only sends basic diagnostic data, depending on your device configuration. + +ADMX Info: +- GP English name: *Allow extended telemetry for the Books tab* +- GP name: *EnableExtendedBooksTelemetry* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -1446,6 +1604,15 @@ The following list shows the supported values: Allows the user to specify an URL of an enterprise site list. + +ADMX Info: +- GP English name: *Configure the Enterprise Mode Site List* +- GP name: *EnterpriseModeSiteList* +- GP element: *EnterSiteListPrompt* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: 
@@ -1604,6 +1771,15 @@ Starting in Windows 10, version 1703, if you don’t want to send traffic to Mi > Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings. + +ADMX Info: +- GP English name: *Configure Start pages* +- GP name: *HomePages* +- GP element: *HomePagesPrompt* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + +
            @@ -1657,6 +1833,14 @@ If you disable or don't configure this setting (default), employees can add, imp Data type is integer. + +ADMX Info: +- GP English name: *Prevent changes to Favorites on Microsoft Edge* +- GP name: *LockdownFavorites* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -1708,6 +1892,14 @@ The following list shows the supported values: Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features. + +ADMX Info: +- GP English name: *Prevent access to the about:flags page in Microsoft Edge* +- GP name: *PreventAccessToAboutFlagsInMicrosoftEdge* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -1761,6 +1953,14 @@ Added in Windows 10, version 1703. Specifies whether to enable or disable the Fi Most restricted value is 1. + +ADMX Info: +- GP English name: *Prevent the First Run webpage from opening on Microsoft Edge* +- GP name: *PreventFirstRunPage* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -1814,6 +2014,14 @@ Added in Windows 10, version 1703. Specifies whether Microsoft can collect infor Most restricted value is 1. + +ADMX Info: +- GP English name: *Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start* +- GP name: *PreventLiveTileDataCollection* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: 
@@ -1867,6 +2075,14 @@ Specifies whether users can override the Windows Defender SmartScreen Filter war Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site. + +ADMX Info: +- GP English name: *Prevent bypassing Windows Defender SmartScreen prompts for sites* +- GP name: *PreventSmartScreenPromptOverride* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -1918,6 +2134,14 @@ The following list shows the supported values: Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process. + +ADMX Info: +- GP English name: *Prevent bypassing Windows Defender SmartScreen prompts for files* +- GP name: *PreventSmartScreenPromptOverrideForFiles* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -1929,6 +2153,58 @@ The following list shows the supported values:
            + +**Browser/PreventTabPreloading** + + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcheck mark4check mark4check mark4check mark4
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
            + + + +Added in Windows 10, version 1803. This is only a placeholder. Do not use in production code. + + + + +The following list shows the supported values: + +- 0 (default) – Allow pre-launch and preload. +- 1 – Prevent pre-launch and preload. + + + + +
            + **Browser/PreventUsingLocalHostIPAddressForWebRTC** @@ -1973,6 +2249,14 @@ The following list shows the supported values: Specifies whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. Turning this setting on hides an user’s localhost IP address while making phone calls using WebRTC. Turning this setting off, or not configuring it, shows an user’s localhost IP address while making phone calls using WebRTC. + +ADMX Info: +- GP English name: *Prevent using Localhost IP address for WebRTC* +- GP name: *HideLocalHostIPAddress* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -2037,6 +2321,15 @@ If you disable or don't configure this setting, employees will see the favorites Data type is string. + +ADMX Info: +- GP English name: *Provision Favorites* +- GP name: *ConfiguredFavorites* +- GP element: *ConfiguredFavoritesPrompt* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + +
            @@ -2087,6 +2380,14 @@ Specifies whether to send intranet traffic over to Internet Explorer. Most restricted value is 0. + +ADMX Info: +- GP English name: *Send all intranet sites to Internet Explorer 11* +- GP name: *SendIntranetTraffictoInternetExplorer* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -2148,6 +2449,15 @@ If this setting is not configured, the default search engine is set to the one s Most restricted value is 0. + +ADMX Info: +- GP English name: *Set default search engine* +- GP name: *SetDefaultSearchEngine* +- GP element: *SetDefaultSearchEngine_Prompt* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -2205,6 +2515,14 @@ Added in Windows 10, version 1607. Specifies whether users should see a full in Most restricted value is 0. + +ADMX Info: +- GP English name: *Show message when opening sites in Internet Explorer* +- GP name: *ShowMessageWhenOpeningSitesInInternetExplorer* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -2261,6 +2579,14 @@ Added in Windows 10, version 1703. Specifies whether favorites are kept in sync > Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices. + +ADMX Info: +- GP English name: *Keep favorites in sync between Internet Explorer and Microsoft Edge* +- GP name: *SyncFavoritesBetweenIEAndMicrosoftEdge* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: 
@@ -2322,6 +2648,14 @@ To verify that favorites are in synchronized between Internet Explorer and Micro This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. + +ADMX Info: +- GP English name: *Allow a shared Books folder* +- GP name: *UseSharedFolderForBooks* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + The following list shows the supported values: @@ -2331,68 +2665,13 @@ The following list shows the supported values:
            - -**Browser/UseSharedFolderForBooks** - - - - - - - - - - - - - - - - - - - - - -
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcheck mark4check mark4check mark4check mark4cross markcross mark
            - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
            - - - -This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. - - - -The following list shows the supported values: - -- 0 - No shared folder. -- 1 - Use a shared folder. - - - - - - - - - - -
            Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md index 635f9d4118..3cbf216e52 100644 --- a/windows/client-management/mdm/policy-csp-camera.md +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Camera @@ -68,6 +68,14 @@ Disables or enables the camera. Most restricted value is 0. + +ADMX Info: +- GP English name: *Allow Use of Camera* +- GP name: *L_AllowCamera* +- GP path: *Windows Components/Camera* +- GP ADMX file name: *Camera.admx* + + The following list shows the supported values: @@ -83,6 +91,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index 33931f6aa7..431c59baa4 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Cellular @@ -23,13 +23,13 @@ ms.date: 01/30/2018 Cellular/LetAppsAccessCellularData
          - Cellular/LetAppsAccessCellularData_ForceAllowTheseApps + Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
          - Cellular/LetAppsAccessCellularData_ForceDenyTheseApps + Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
          - Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps + Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
          Cellular/ShowAppCellularAccessUI @@ -90,6 +90,13 @@ If you disable or do not configure this policy setting, employees in your organi If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.” + +ADMX Info: +- GP name: *LetAppsAccessCellularData* +- GP element: *LetAppsAccessCellularData_Enum* +- GP ADMX file name: *wwansvc.admx* + + The following list shows the supported values: @@ -103,7 +110,7 @@ The following list shows the supported values:
          -**Cellular/LetAppsAccessCellularData_ForceAllowTheseApps** +**Cellular/LetAppsAccessCellularData_ForceAllowTheseApps** @@ -141,12 +148,19 @@ The following list shows the supported values: Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. + +ADMX Info: +- GP name: *LetAppsAccessCellularData* +- GP element: *LetAppsAccessCellularData_ForceAllowTheseApps_List* +- GP ADMX file name: *wwansvc.admx* + +
          -**Cellular/LetAppsAccessCellularData_ForceDenyTheseApps** +**Cellular/LetAppsAccessCellularData_ForceDenyTheseApps**
          @@ -184,12 +198,19 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. + +ADMX Info: +- GP name: *LetAppsAccessCellularData* +- GP element: *LetAppsAccessCellularData_ForceDenyTheseApps_List* +- GP ADMX file name: *wwansvc.admx* + +
          -**Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps** +**Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps**
          @@ -227,6 +248,13 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. + +ADMX Info: +- GP name: *LetAppsAccessCellularData* +- GP element: *LetAppsAccessCellularData_UserInControlOfTheseApps_List* +- GP ADMX file name: *wwansvc.admx* + +
          @@ -270,13 +298,7 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N This policy setting configures the visibility of the link to the per-application cellular access control page in the cellular setting UX. If this policy setting is enabled, a drop-down list box presenting possible values will be active. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page. - -If this policy setting is disabled or is not configured, the link to the per-application cellular access control page is showed by default.” - -Supported values: - -- 0 - Hide -- 1 - Show +If this policy setting is disabled or is not configured, the link to the per-application cellular access control page is showed by default. > [!TIP] @@ -286,14 +308,14 @@ Supported values: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Set Per-App Cellular Access UI Visibility* - GP name: *ShowAppCellularAccessUI* - GP path: *Network/WWAN Service/WWAN UI Settings* - GP ADMX file name: *wwansvc.admx* - +
          @@ -302,6 +324,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index df9e662f31..faf33814cc 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Connectivity @@ -216,6 +216,14 @@ Allows or disallows cellular data roaming on the device. Device reboot is not re Most restricted value is 0. + +ADMX Info: +- GP English name: *Prohibit connection to roaming Mobile Broadband networks* +- GP name: *WCM_DisableRoaming* +- GP path: *Network/Windows Connection Manager* +- GP ADMX file name: *WCM.admx* + + The following list shows the supported values: @@ -545,6 +553,17 @@ The following list shows the supported values: +This policy setting specifies whether to allow printing over HTTP from this client. + +Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. + +Note: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. + +If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. + +If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. + +Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. > [!TIP] 
@@ -554,14 +573,14 @@ The following list shows the supported values: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn off printing over HTTP* - GP name: *DisableHTTPPrinting_2* - GP path: *Internet Communication settings* - GP ADMX file name: *ICM.admx* - +
          @@ -602,6 +621,15 @@ ADMX Info: +This policy setting specifies whether to allow this client to download print driver packages over HTTP. + +To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. + +Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. + +If you enable this policy setting, print drivers cannot be downloaded over HTTP. + +If you disable or do not configure this policy setting, users can download print drivers over HTTP. > [!TIP] @@ -611,14 +639,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn off downloading of print drivers over HTTP* - GP name: *DisableWebPnPDownload_2* - GP path: *Internet Communication settings* - GP ADMX file name: *ICM.admx* - +
          @@ -659,6 +687,15 @@ ADMX Info: +This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. + +These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. + +If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed. + +If you disable or do not configure this policy setting, a list of providers are downloaded when the user uses the web publishing or online ordering wizards. + +See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry. > [!TIP] @@ -668,14 +705,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn off Internet download for Web publishing and online ordering wizards* - GP name: *ShellPreventWPWDownload_2* - GP path: *Internet Communication settings* - GP ADMX file name: *ICM.admx* - +
          @@ -721,6 +758,14 @@ Added in Windows 10, version 1703. Network Connection Status Indicator (NCSI) de Value type is integer. + +ADMX Info: +- GP English name: *Turn off Windows Network Connectivity Status Indicator active tests* +- GP name: *NoActiveProbe* +- GP path: *Internet Communication settings* +- GP ADMX file name: *ICM.admx* + +
          @@ -773,14 +818,14 @@ If you enable this policy, Windows only allows access to the specified UNC paths > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Hardened UNC Paths* - GP name: *Pol_HardenedPaths* - GP path: *Network/Network Provider* - GP ADMX file name: *networkprovider.admx* - +
          @@ -821,6 +866,13 @@ ADMX Info: +Determines whether a user can install and configure the Network Bridge. + +Important: This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply. + +The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segements together. This connection appears in the Network Connections folder. + +If you disable this setting or do not configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an existing Network Bridge from the user's computer. > [!TIP] @@ -830,14 +882,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Prohibit installation and configuration of Network Bridge on your DNS domain network* - GP name: *NC_AllowNetBridge_NLA* - GP path: *Network/Network Connections* - GP ADMX file name: *NetworkConnections.admx* - +
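Review bot: the description added in the "@@ -821,6 +866,13 @@" hunk never says what enabling the setting does. It covers only "If you disable this setting or do not configure it" and the side note that enabling does not remove an existing bridge. Given the GP English name "Prohibit installation and configuration of Network Bridge on your DNS domain network", please add an explicit "If you enable this setting, ..." sentence. Two typos in the same added lines should also be fixed: "This settings is location aware" and "network segements".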
          @@ -846,6 +898,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index d4124e950a..b606419501 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - ControlPolicyConflict 
@@ -65,9 +65,9 @@ ms.date: 01/30/2018 -Added in Windows 10, next major update. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy are set on the device. +Added in Windows 10, version 1803. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy are set on the device. -This policy is used to ensure that MDM policy wins over GP when same setting is set by both GP and MDM channel. This policy doesn’t support Delete command. This policy doesn’t support setting the value to be 0 again after it was previously set 1. The default value is 0. In next major update, the MDM policies in Policy CSP will behave as described if this policy value is set 1. +This policy is used to ensure that MDM policy wins over GP when same setting is set by both GP and MDM channel. This policy doesn’t support Delete command. This policy doesn’t support setting the value to be 0 again after it was previously set 1. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy. This ensures that: @@ -91,6 +91,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index 8994842055..f3f12c6f73 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md 
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - CredentialProviders @@ -87,14 +87,14 @@ To configure Windows Hello for Business, use the Administrative Template policie > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on convenience PIN sign-in* - GP name: *AllowDomainPINLogon* - GP path: *System/Logon* - GP ADMX file name: *credentialproviders.admx* - +
          @@ -137,7 +137,7 @@ ADMX Info: This policy setting allows you to control whether a domain user can sign in using a picture password. -If you enable this policy setting, a domain user can't set up or sign in with a picture password. +If you enable this policy setting, a domain user can't set up or sign in with a picture password. If you disable or don't configure this policy setting, a domain user can set up and use a picture password. @@ -151,14 +151,14 @@ Note that the user's domain password will be cached in the system vault when usi > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn off picture password sign-in* - GP name: *BlockDomainPicturePassword* - GP path: *System/Logon* - GP ADMX file name: *credentialproviders.admx* - +
          @@ -219,6 +219,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md new file mode 100644 index 0000000000..e347fbd029 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md @@ -0,0 +1,80 @@ +--- +title: Policy CSP - CredentialsDelegation +description: Policy CSP - CredentialsDelegation +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 03/12/2018 +--- + +# Policy CSP - CredentialsDelegation + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
          + + +## CredentialsDelegation policies + +
          +
          + CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials +
          +
          + + +
          + + +**CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + +Remote host allows delegation of non-exportable credentials + +When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. + +If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode. + +If you disable or do not configure this policy setting, Restricted Administration and Remote Credential Guard mode are not supported. User will always need to pass their credentials to the host. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remote host allows delegation of non-exportable credentials* +- GP name: *AllowProtectedCreds* +- GP path: *System/Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
          + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. + + + diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md index 869f016e13..900ad6176a 100644 --- a/windows/client-management/mdm/policy-csp-credentialsui.md +++ b/windows/client-management/mdm/policy-csp-credentialsui.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - CredentialsUI @@ -85,14 +85,14 @@ The policy applies to all Windows components and applications that use the Windo > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Do not display the password reveal button* - GP name: *DisablePasswordReveal* - GP path: *Windows Components/Credential User Interface* - GP ADMX file name: *credui.admx* - +
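Review bot: the new file policy-csp-credentialsdelegation.md does not say which Windows 10 release introduced CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials. The visible description has no "Added in Windows 10, version ..." sentence, although the footnote list carries the 1803 entry and the ControlPolicyConflict change in this same patch opens with "Added in Windows 10, version 1803." Please add the version statement to the description. The two outcome sentences also name the mode inconsistently ("Restricted Admin" when enabled, "Restricted Administration" when disabled), and "User will always need to pass their credentials to the host" should read "Users will always need ...". Since that last sentence is the security consequence of leaving the policy unconfigured, it is worth wording precisely.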
          @@ -147,14 +147,14 @@ If you disable this policy setting, users will always be required to type a user > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Enumerate administrator accounts on elevation* - GP name: *EnumerateAdministrators* - GP path: *Windows Components/Credential User Interface* - GP ADMX file name: *credui.admx* - +
          @@ -163,6 +163,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index 81023d5fdd..7dadd07af1 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Cryptography @@ -69,6 +69,12 @@ ms.date: 01/30/2018 Allows or disallows the Federal Information Processing Standard (FIPS) policy. + +GP Info: +- GP English name: *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + The following list shows the supported values: @@ -127,6 +133,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index 1563402e93..28ad8aaca3 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - DataProtection @@ -136,6 +136,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. 
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index 9d64360b36..89086b22bb 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - DataUsage @@ -70,9 +70,9 @@ This policy setting configures the cost of 3G connections on the local machine. If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine: -- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. +- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. -- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. +- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. - Variable: This connection is costed on a per byte basis. @@ -86,14 +86,14 @@ If this policy setting is disabled or is not configured, the cost of 3G connecti > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Set 3G Cost* - GP name: *SetCost3G* - GP path: *Network/WWAN Service/WWAN Media Cost* - GP ADMX file name: *wwansvc.admx* - +
          @@ -134,13 +134,13 @@ ADMX Info: -This policy setting configures the cost of 4G connections on the local machine. +This policy setting configures the cost of 4G connections on the local machine. If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine: -- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. +- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. -- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. +- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. - Variable: This connection is costed on a per byte basis. @@ -154,14 +154,14 @@ If this policy setting is disabled or is not configured, the cost of 4G connecti > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Set 4G Cost* - GP name: *SetCost4G* - GP path: *Network/WWAN Service/WWAN Media Cost* - GP ADMX file name: *wwansvc.admx* - +
          @@ -170,6 +170,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 6dcfb31902..76c96ac41d 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Defender @@ -172,6 +172,14 @@ ms.date: 01/30/2018 Allows or disallows scanning of archives. + +ADMX Info: +- GP English name: *Scan archive files* +- GP name: *Scan_DisableArchiveScanning* +- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: @@ -226,6 +234,14 @@ The following list shows the supported values: Allows or disallows Windows Defender Behavior Monitoring functionality. + +ADMX Info: +- GP English name: *Turn on behavior monitoring* +- GP name: *RealtimeProtection_DisableBehaviorMonitoring* +- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: 
@@ -280,6 +296,15 @@ The following list shows the supported values: To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. + +ADMX Info: +- GP English name: *Join Microsoft MAPS* +- GP name: *SpynetReporting* +- GP element: *SpynetReporting* +- GP path: *Windows Components/Windows Defender Antivirus/MAPS* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: @@ -334,6 +359,14 @@ The following list shows the supported values: Allows or disallows scanning of email. + +ADMX Info: +- GP English name: *Turn on e-mail scanning* +- GP name: *Scan_DisableEmailScanning* +- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: @@ -388,6 +421,14 @@ The following list shows the supported values: Allows or disallows a full scan of mapped network drives. + +ADMX Info: +- GP English name: *Run full scan on mapped network drives* +- GP name: *Scan_DisableScanningMappedNetworkDrivesForFullScan* +- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: @@ -442,6 +483,14 @@ The following list shows the supported values: Allows or disallows a full scan of removable drives. + +ADMX Info: +- GP English name: *Scan removable drives* +- GP name: *Scan_DisableRemovableDriveScanning* +- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: 
@@ -496,6 +545,14 @@ The following list shows the supported values: Allows or disallows Windows Defender IOAVP Protection functionality. + +ADMX Info: +- GP English name: *Scan all downloaded files and attachments* +- GP name: *RealtimeProtection_DisableIOAVProtection* +- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: @@ -604,6 +661,14 @@ The following list shows the supported values: Allows or disallows Windows Defender On Access Protection functionality. + +ADMX Info: +- GP English name: *Monitor file and program activity on your computer* +- GP name: *RealtimeProtection_DisableOnAccessProtection* +- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: @@ -658,6 +723,14 @@ The following list shows the supported values: Allows or disallows Windows Defender Realtime Monitoring functionality. + +ADMX Info: +- GP English name: *Turn off real-time protection* +- GP name: *DisableRealtimeMonitoring* +- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: @@ -712,6 +785,14 @@ The following list shows the supported values: Allows or disallows a scanning of network files. + +ADMX Info: +- GP English name: *Scan network files* +- GP name: *Scan_DisableScanningNetworkFiles* +- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: 
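Review bot: in the "@@ -658,6 +723,14 @@" hunk of policy-csp-defender.md, the policy described as "Allows or disallows Windows Defender Realtime Monitoring functionality" is mapped to a Group Policy with the opposite sense, "Turn off real-time protection" (DisableRealtimeMonitoring). Unlike the neighbouring mappings in this file ("Scan network files", "Monitor file and program activity on your computer"), enabling this GP reads as disabling the protection. Please add a sentence next to the ADMX block stating which GP state corresponds to the MDM "allowed" value, so that a reader auditing both channels does not misread an enabled GP as protection being on.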
@@ -820,6 +901,14 @@ The following list shows the supported values: Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed. + +ADMX Info: +- GP English name: *Enable headless UI mode* +- GP name: *UX_Configuration_UILockdown* +- GP path: *Windows Components/Windows Defender Antivirus/Client Interface* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: @@ -876,6 +965,15 @@ Added in Windows 10, version 1709. This policy setting allows you to prevent Att Value type is string. + +ADMX Info: +- GP English name: *Exclude files and paths from Attack Surface Reduction Rules* +- GP name: *ExploitGuard_ASR_ASROnlyExclusions* +- GP element: *ExploitGuard_ASR_ASROnlyExclusions* +- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction* +- GP ADMX file name: *WindowsDefender.admx* + +
          @@ -927,6 +1025,15 @@ For more information about ASR rule ID and status ID, see [Enable Attack Surface Value type is string. + +ADMX Info: +- GP English name: *Configure Attack Surface Reduction rules* +- GP name: *ExploitGuard_ASR_Rules* +- GP element: *ExploitGuard_ASR_Rules* +- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction* +- GP ADMX file name: *WindowsDefender.admx* + +
          @@ -977,6 +1084,15 @@ Represents the average CPU load factor for the Windows Defender scan (in percent The default value is 50. + +ADMX Info: +- GP English name: *Specify the maximum percentage of CPU utilization during a scan* +- GP name: *Scan_AvgCPULoadFactor* +- GP element: *Scan_AvgCPULoadFactor* +- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP ADMX file name: *WindowsDefender.admx* + + Valid values: 0–100 @@ -1035,6 +1151,15 @@ For more information about specific values that are supported, see the Windows D > This feature requires the "Join Microsoft MAPS" setting enabled in order to function. + +ADMX Info: +- GP English name: *Select cloud protection level* +- GP name: *MpEngine_MpCloudBlockLevel* +- GP element: *MpCloudBlockLevel* +- GP path: *Windows Components/Windows Defender Antivirus/MpEngine* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: @@ -1097,6 +1222,15 @@ For example, if the desired timeout is 60 seconds, specify 50 seconds in this se > This feature depends on three other MAPS settings the must all be enabled- "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required". + +ADMX Info: +- GP English name: *Configure extended cloud check* +- GP name: *MpEngine_MpBafsExtendedTimeout* +- GP element: *MpBafsExtendedTimeout* +- GP path: *Windows Components/Windows Defender Antivirus/MpEngine* +- GP ADMX file name: *WindowsDefender.admx* + +
          @@ -1143,6 +1277,15 @@ For example, if the desired timeout is 60 seconds, specify 50 seconds in this se Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator. + +ADMX Info: +- GP English name: *Configure allowed applications* +- GP name: *ExploitGuard_ControlledFolderAccess_AllowedApplications* +- GP element: *ExploitGuard_ControlledFolderAccess_AllowedApplications* +- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* +- GP ADMX file name: *WindowsDefender.admx* + +
          @@ -1189,6 +1332,15 @@ Added in Windows 10, version 1709. This policy setting allows user-specified app Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator. + +ADMX Info: +- GP English name: *Configure protected folders* +- GP name: *ExploitGuard_ControlledFolderAccess_ProtectedFolders* +- GP element: *ExploitGuard_ControlledFolderAccess_ProtectedFolders* +- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* +- GP ADMX file name: *WindowsDefender.admx* + +
          @@ -1239,6 +1391,15 @@ Time period (in days) that quarantine items will be stored on the system. The default value is 0, which keeps items in quarantine, and does not automatically remove them. + +ADMX Info: +- GP English name: *Configure removal of items from Quarantine folder* +- GP name: *Quarantine_PurgeItemsAfterDelay* +- GP element: *Quarantine_PurgeItemsAfterDelay* +- GP path: *Windows Components/Windows Defender Antivirus/Quarantine* +- GP ADMX file name: *WindowsDefender.admx* + + Valid values: 0–90 @@ -1289,6 +1450,15 @@ Valid values: 0–90 Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. + +ADMX Info: +- GP English name: *Configure Controlled folder access* +- GP name: *ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess* +- GP element: *ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess* +- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: @@ -1349,6 +1519,15 @@ If you disable this policy, users/apps will not be blocked from connecting to da If you do not configure this policy, network blocking will be disabled by default. + +ADMX Info: +- GP English name: *Prevent users and apps from accessing dangerous websites* +- GP name: *ExploitGuard_EnableNetworkProtection* +- GP element: *ExploitGuard_EnableNetworkProtection* +- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Network Protection* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: 
@@ -1404,6 +1583,15 @@ The following list shows the supported values: Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj". + +ADMX Info: +- GP English name: *Path Exclusions* +- GP name: *Exclusions_Paths* +- GP element: *Exclusions_PathsList* +- GP path: *Windows Components/Windows Defender Antivirus/Exclusions* +- GP ADMX file name: *WindowsDefender.admx* + +
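Review bot: the ADMX block added in the "@@ -1404,6 +1583,15 @@" hunk does not match the policy it sits under. The context line describes "a list of file type extensions to ignore during a scan" with the example "lib|obj", but the added mapping is "Path Exclusions" (Exclusions_Paths, element Exclusions_PathsList). The extension mapping (Exclusions_Extensions) appears in the next hunk under the directory-path description, so the two blocks look swapped. Please confirm against WindowsDefender.admx and exchange them; a wrong mapping here could lead an admin to audit the wrong exclusion list.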
          @@ -1451,6 +1639,15 @@ Allows an administrator to specify a list of file type extensions to ignore duri Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1". + +ADMX Info: +- GP English name: *Extension Exclusions* +- GP name: *Exclusions_Extensions* +- GP element: *Exclusions_ExtensionsList* +- GP path: *Windows Components/Windows Defender Antivirus/Exclusions* +- GP ADMX file name: *WindowsDefender.admx* + +
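Review bot: the ADMX block added in the "@@ -1451,6 +1639,15 @@" hunk is attached to the wrong description. The context line reads "a list of directory paths to ignore during a scan" with the example "C:\\Example|C:\\Example1", but the added mapping is "Extension Exclusions" (Exclusions_Extensions, element Exclusions_ExtensionsList). This block belongs with the file type extension policy, and the "Path Exclusions" block from the preceding hunk belongs here.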
          @@ -1504,6 +1701,15 @@ Allows an administrator to specify a list of files opened by processes to ignore Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe". + +ADMX Info: +- GP English name: *Process Exclusions* +- GP name: *Exclusions_Processes* +- GP element: *Exclusions_ProcessesList* +- GP path: *Windows Components/Windows Defender Antivirus/Exclusions* +- GP ADMX file name: *WindowsDefender.admx* + +
          @@ -1609,6 +1815,15 @@ Controls which sets of files should be monitored. > If **AllowOnAccessProtection** is not allowed, then this configuration can be used to monitor specific files. + +ADMX Info: +- GP English name: *Configure monitoring for incoming and outgoing file and program activity* +- GP name: *RealtimeProtection_RealtimeScanDirection* +- GP element: *RealtimeProtection_RealtimeScanDirection* +- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: @@ -1664,6 +1879,15 @@ The following list shows the supported values: Selects whether to perform a quick scan or full scan. + +ADMX Info: +- GP English name: *Specify the scan type to use for a scheduled scan* +- GP name: *Scan_ScanParameters* +- GP element: *Scan_ScanParameters* +- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: @@ -1727,6 +1951,15 @@ For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, an The default value is 120 + +ADMX Info: +- GP English name: *Specify the time for a daily quick scan* +- GP name: *Scan_ScheduleQuickScantime* +- GP element: *Scan_ScheduleQuickScantime* +- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP ADMX file name: *WindowsDefender.admx* + + Valid values: 0–1380 @@ -1781,6 +2014,15 @@ Selects the day that the Windows Defender scan should run. > The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. + +ADMX Info: +- GP English name: *Specify the day of the week to run a scheduled scan* +- GP name: *Scan_ScheduleDay* +- GP element: *Scan_ScheduleDay* +- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: 
@@ -1851,6 +2093,15 @@ For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, an The default value is 120. + +ADMX Info: +- GP English name: *Specify the time of day to run a scheduled scan* +- GP name: *Scan_ScheduleTime* +- GP element: *Scan_ScheduleTime* +- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP ADMX file name: *WindowsDefender.admx* + + Valid values: 0–1380. @@ -1907,6 +2158,15 @@ A value of 0 means no check for new signatures, a value of 1 means to check ever The default value is 8. + +ADMX Info: +- GP English name: *Specify the interval to check for definition updates* +- GP name: *SignatureUpdate_SignatureUpdateInterval* +- GP element: *SignatureUpdate_SignatureUpdateInterval* +- GP path: *Windows Components/Windows Defender Antivirus/Signature Updates* +- GP ADMX file name: *WindowsDefender.admx* + + Valid values: 0–24. @@ -1958,6 +2218,15 @@ Valid values: 0–24. Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not, (and if the user has specified never to ask), the UI is launched to ask for user consent (when **Defender/AllowCloudProtection** is allowed) before sending data. + +ADMX Info: +- GP English name: *Send file samples when further analysis is required* +- GP name: *SubmitSamplesConsent* +- GP element: *SubmitSamplesConsent* +- GP path: *Windows Components/Windows Defender Antivirus/MAPS* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: 
@@ -2032,6 +2301,15 @@ The following list shows the supported values for possible actions: - 10 – Block + +ADMX Info: +- GP English name: *Specify threat alert levels at which default action should not be taken when detected* +- GP name: *Threats_ThreatSeverityDefaultAction* +- GP element: *Threats_ThreatSeverityDefaultActionList* +- GP path: *Windows Components/Windows Defender Antivirus/Threats* +- GP ADMX file name: *WindowsDefender.admx* + +
          @@ -2040,6 +2318,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index d05d2cedb0..cf43d37c41 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - DeliveryOptimization @@ -76,13 +76,13 @@ ms.date: 01/30/2018 DeliveryOptimization/DOMonthlyUploadDataCap
          - DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth + DeliveryOptimization/DOPercentageMaxBackgroundBandwidth
          DeliveryOptimization/DOPercentageMaxDownloadBandwidth
          - DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth + DeliveryOptimization/DOPercentageMaxForegroundBandwidth
          DeliveryOptimization/DORestrictPeerSelectionBy @@ -143,6 +143,15 @@ Added in Windows 10, version 1607. Specifies the maximum size in GB of Delivery The default value is 10. + +ADMX Info: +- GP English name: *Absolute Max Cache Size (in GB)* +- GP name: *AbsoluteMaxCacheSize* +- GP element: *AbsoluteMaxCacheSize* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + +
          @@ -190,6 +199,15 @@ The default value is 10. Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. + +ADMX Info: +- GP English name: *Enable Peer Caching while the device connects via VPN* +- GP name: *AllowVPNPeerCaching* +- GP element: *AllowVPNPeerCaching* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + + The following list shows the supported values: @@ -237,11 +255,20 @@ The following list shows the supported values: -Added in Windows 10, next major update. This policy allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. +Added in Windows 10, version 1803. This policy allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. After the max delay is reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from peers. Note that a download that is waiting for peer sources, will appear to be stuck for the end user. The recommended value is 1 hour (3600). + +ADMX Info: +- GP English name: *Delay background download from http (in secs)* +- GP name: *DelayBackgroundDownloadFromHttp* +- GP element: *DelayBackgroundDownloadFromHttp* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + +
          @@ -282,7 +309,7 @@ After the max delay is reached, the download will resume using HTTP, either down -Added in Windows 10, next major update. This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. +Added in Windows 10, version 1803. This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers. @@ -291,6 +318,15 @@ Note that a download that is waiting for peer sources, will appear to be stuck f The recommended value is 1 minute (60). + +ADMX Info: +- GP English name: *Delay Foreground download from http (in secs)* +- GP name: *DelayForegroundDownloadFromHttp* +- GP element: *DelayForegroundDownloadFromHttp* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + + The following list shows the supported values as number of seconds: @@ -346,6 +382,15 @@ The following list shows the supported values as number of seconds: Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. + +ADMX Info: +- GP English name: *Download Mode* +- GP name: *DownloadMode* +- GP element: *DownloadMode* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + + The following list shows the supported values: @@ -407,6 +452,15 @@ This Policy specifies an arbitrary group ID that the device belongs to. Use this > You must use a GUID as the group ID. + +ADMX Info: +- GP English name: *Group ID* +- GP name: *GroupId* +- GP element: *GroupId* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + +
          @@ -447,7 +501,7 @@ This Policy specifies an arbitrary group ID that the device belongs to. Use this -Added in Windows 10, next major update. Set this policy to restrict peer selection to a specific source. Options available are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix +Added in Windows 10, version 1803. Set this policy to restrict peer selection to a specific source. Options available are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix When set, the Group ID will be assigned automatically from the selected source. @@ -458,6 +512,15 @@ The options set in this policy only apply to Group (2) download mode. If Group ( For option 4 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. + +ADMX Info: +- GP English name: *Select the source of Group IDs* +- GP name: *GroupIdSource* +- GP element: *GroupIdSource* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + + The following list shows the supported values: @@ -516,6 +579,15 @@ Specifies the maximum time in seconds that each file is held in the Delivery Opt The default value is 259200 seconds (3 days). + +ADMX Info: +- GP English name: *Max Cache Age (in seconds)* +- GP name: *MaxCacheAge* +- GP element: *MaxCacheAge* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + +
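Review bot: The option numbering for the Group ID source is inconsistent across the two GroupIdSource hunks on this line. The rewritten sentence lists "3 = DHCP Option ID, 4 = DNS Suffix", but the unchanged context in the @@ -458,6 +512,15 @@ hunk still reads "For option 4 - DHCP Option ID, the client will query DHCP Option ID 234". Since this change already touches the paragraph to set the version to 1803, please correct that context sentence to "option 3" (or fix the list, whichever matches the implementation) so an admin does not configure DNS Suffix while expecting the DHCP lookup. The opening sentence also describes the policy as restricting "peer selection", which reads like DORestrictPeerSelectionBy; the added GP English name, "Select the source of Group IDs", would make a more accurate description.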
          @@ -565,6 +637,15 @@ Specifies the maximum cache size that Delivery Optimization can utilize, as a pe The default value is 20. + +ADMX Info: +- GP English name: *Max Cache Size (percentage)* +- GP name: *MaxCacheSize* +- GP element: *MaxCacheSize* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + +
          @@ -614,6 +695,15 @@ Added in Windows 10, version 1607. Specifies the maximum download bandwidth in The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. + +ADMX Info: +- GP English name: *Maximum Download Bandwidth (in KB/s)* +- GP name: *MaxDownloadBandwidth* +- GP element: *MaxDownloadBandwidth* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + +
          @@ -663,6 +753,15 @@ Specifies the maximum upload bandwidth in KiloBytes/second that a device will us The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth). + +ADMX Info: +- GP English name: *Max Upload Bandwidth (in KB/s)* +- GP name: *MaxUploadBandwidth* +- GP element: *MaxUploadBandwidth* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + +
          @@ -712,6 +811,15 @@ Added in Windows 10, version 1607. Specifies the minimum download QoS (Quality The default value is 500. + +ADMX Info: +- GP English name: *Minimum Background QoS (in KB/s)* +- GP name: *MinBackgroundQos* +- GP element: *MinBackgroundQos* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + +
          @@ -760,6 +868,15 @@ Added in Windows 10, version 1703. Specifies any value between 1 and 100 (in pe The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used. + +ADMX Info: +- GP English name: *Allow uploads while the device is on battery while under set Battery level (percentage)* +- GP name: *MinBatteryPercentageAllowedToUpload* +- GP element: *MinBatteryPercentageAllowedToUpload* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + +
          @@ -812,6 +929,15 @@ Added in Windows 10, version 1703. Specifies the required minimum disk size (cap The default value is 32 GB. + +ADMX Info: +- GP English name: *Minimum disk size allowed to use Peer Caching (in GB)* +- GP name: *MinDiskSizeAllowedToPeer* +- GP element: *MinDiskSizeAllowedToPeer* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + +
          @@ -861,6 +987,15 @@ Added in Windows 10, version 1703. Specifies the minimum content file size in MB The default value is 100 MB. + +ADMX Info: +- GP English name: *Minimum Peer Caching Content File Size (in MB)* +- GP name: *MinFileSizeToCache* +- GP element: *MinFileSizeToCache* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + +
          @@ -910,6 +1045,15 @@ Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required The default value is 4 GB. + +ADMX Info: +- GP English name: *Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB)* +- GP name: *MinRAMAllowedToPeer* +- GP element: *MinRAMAllowedToPeer* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + +
          @@ -959,6 +1103,15 @@ Added in Windows 10, version 1607. Specifies the drive that Delivery Optimizati By default, %SystemDrive% is used to store the cache. + +ADMX Info: +- GP English name: *Modify Cache Drive* +- GP name: *ModifyCacheDrive* +- GP element: *ModifyCacheDrive* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + +
          @@ -1010,12 +1163,21 @@ The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is The default value is 20. + +ADMX Info: +- GP English name: *Monthly Upload Data Cap (in GB)* +- GP name: *MonthlyUploadDataCap* +- GP element: *MonthlyUploadDataCap* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + +
          -**DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth** +**DeliveryOptimization/DOPercentageMaxBackgroundBandwidth**
          @@ -1050,11 +1212,18 @@ The default value is 20. -Added in Windows 10, next major update. Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. +Added in Windows 10, version 1803. Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. Note that downloads from LAN peers will not be throttled even when this policy is set. + +ADMX Info: +- GP name: *PercentageMaxBackgroundBandwidth* +- GP element: *PercentageMaxBackgroundBandwidth* +- GP ADMX file name: *DeliveryOptimization.admx* + +
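Review bot: The ADMX Info block added for DOPercentageMaxBackgroundBandwidth has only GP name, GP element and GP ADMX file name; the "GP English name" and "GP path" entries are missing, although every other DeliveryOptimization block in this patch carries both (path *Windows Components/Delivery Optimization*). Without the English name an admin cannot find the setting in the Group Policy editor from this page. Please add the two entries, or state why they are unavailable for this policy. The block added for DOPercentageMaxForegroundBandwidth further down has the same gap.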
          @@ -1063,7 +1232,7 @@ Note that downloads from LAN peers will not be throttled even when this policy i **DeliveryOptimization/DOPercentageMaxDownloadBandwidth** -This policy is deprecated. Use [DOPercentageMaxForeDownloadBandwidth](#deliveryoptimization-dopercentagemaxforedownloadbandwidth) and [DOPercentageMaxBackDownloadBandwidth](#deliveryoptimization-dopercentagemaxbackdownloadbandwidth) policies instead. +This policy is deprecated. Use [DOPercentageMaxForegroundBandwidth](#deliveryoptimization-dopercentagemaxforegroundbandwidth) and [DOPercentageMaxBackgroundBandwidth](#deliveryoptimization-dopercentagemaxbackgroundbandwidth) policies instead. @@ -1071,7 +1240,7 @@ This policy is deprecated. Use [DOPercentageMaxForeDownloadBandwidth](#deliveryo
          -**DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth** +**DeliveryOptimization/DOPercentageMaxForegroundBandwidth**
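Review bot: Renaming the headings from DOPercentageMaxForeDownloadBandwidth and DOPercentageMaxBackDownloadBandwidth to DOPercentageMaxForegroundBandwidth and DOPercentageMaxBackgroundBandwidth also changes their anchors, and the only links this patch updates are the two in the deprecated DOPercentageMaxDownloadBandwidth entry of the same file. Please check the rest of the docs set for links to `#deliveryoptimization-dopercentagemaxforedownloadbandwidth` and `#deliveryoptimization-dopercentagemaxbackdownloadbandwidth`, and consider a one-line note under each renamed policy giving the earlier name, so that anyone who built SyncML against the prerelease name can map it to the new one.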
          @@ -1106,11 +1275,18 @@ This policy is deprecated. Use [DOPercentageMaxForeDownloadBandwidth](#deliveryo -Added in Windows 10, next major update. Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. +Added in Windows 10, version 1803. Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. Note that downloads from LAN peers will not be throttled even when this policy is set. + +ADMX Info: +- GP name: *PercentageMaxForegroundBandwidth* +- GP element: *PercentageMaxForegroundBandwidth* +- GP ADMX file name: *DeliveryOptimization.admx* + +
          @@ -1151,12 +1327,21 @@ Note that downloads from LAN peers will not be throttled even when this policy i -Added in Windows 10, next major update. Set this policy to restrict peer selection via selected option. +Added in Windows 10, version 1803. Set this policy to restrict peer selection via selected option. Options available are: 1=Subnet mask (more options will be added in a future release). Option 1 (Subnet mask) applies to both Download Mode LAN (1) and Group (2). + +ADMX Info: +- GP English name: *Select a method to restrict Peer Selection* +- GP name: *RestrictPeerSelectionBy* +- GP element: *RestrictPeerSelectionBy* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + + The following list shows the supported values: 
@@ -1203,17 +1388,30 @@ The following list shows the supported values: -Added in Windows 10, next major update. Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. - -Note that downloads from LAN peers will not be throttled even when this policy is set. +Added in Windows 10, version 1803. Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set Business Hours to Limit Background Download Bandwidth* +- GP name: *SetHoursToLimitBackgroundDownloadBandwidth* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + + This policy allows an IT Admin to define the following: - Business hours range (for example 06:00 to 18:00) -- % of throttle for foreground traffic during business hours -- % of throttle for foreground traffic outside of business hours +- % of throttle for background traffic during business hours +- % of throttle for background traffic outside of business hours 
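Review bot: The sentence "Note that downloads from LAN peers will not be throttled even when this policy is set." is deleted from DOSetHoursToLimitBackgroundDownloadBandwidth here (and from the foreground counterpart in the next hunk), while the DOPercentageMaxBackgroundBandwidth and DOPercentageMaxForegroundBandwidth hunks keep it. If LAN peer traffic is still exempt from the business-hours throttle, the note should stay; if the behaviour differs for these two policies, say so explicitly, because the exemption affects how much traffic the cap actually controls. The foreground-to-background correction in the bullet list is good. The description still gives no format for the business hours range or the percentage values that go into the `<Format>chr</Format>` payload, so a short example value would help.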
@@ -1256,11 +1454,24 @@ This policy allows an IT Admin to define the following: -Added in Windows 10, next major update. Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. - -Note that downloads from LAN peers will not be throttled even when this policy is set. +Added in Windows 10, version 1803. Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set Business Hours to Limit Foreground Download Bandwidth* +- GP name: *SetHoursToLimitForegroundDownloadBandwidth* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + + This policy allows an IT Admin to define the following: @@ -1277,6 +1488,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. 
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index 56fcae51f5..36afbf2a08 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Desktop @@ -77,14 +77,14 @@ If you enable this setting, users are unable to type a new location in the Targe > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Prohibit User from manually redirecting Profile Folders* - GP name: *DisablePersonalDirChange* - GP path: *Desktop* - GP ADMX file name: *desktop.admx* - +
          @@ -93,6 +93,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index bde8f4dc65..b541578089 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - DeviceGuard @@ -72,6 +72,14 @@ ms.date: 01/30/2018 Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. + +ADMX Info: +- GP English name: *Turn On Virtualization Based Security* +- GP name: *VirtualizationBasedSecurity* +- GP path: *System/Device Guard* +- GP ADMX file name: *DeviceGuard.admx* + + The following list shows the supported values: @@ -122,6 +130,15 @@ The following list shows the supported values: Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. + +ADMX Info: +- GP English name: *Turn On Virtualization Based Security* +- GP name: *VirtualizationBasedSecurity* +- GP element: *CredentialIsolationDrop* +- GP path: *System/Device Guard* +- GP ADMX file name: *DeviceGuard.admx* + + The following list shows the supported values: 
@@ -173,6 +190,15 @@ The following list shows the supported values: Added in Windows 10, version 1709. Specifies the platform security level at the next reboot. Value type is integer. + +ADMX Info: +- GP English name: *Turn On Virtualization Based Security* +- GP name: *VirtualizationBasedSecurity* +- GP element: *RequirePlatformSecurityFeaturesDrop* +- GP path: *System/Device Guard* +- GP ADMX file name: *DeviceGuard.admx* + + The following list shows the supported values: @@ -188,6 +214,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 5813ea9ecb..38941fd46b 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - DeviceInstallation @@ -80,14 +80,14 @@ If you disable or do not configure this policy setting, devices can be installed > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Prevent installation of devices that match any of these device IDs* - GP name: *DeviceInstall_IDs_Deny* - GP path: *System/Device Installation/Device Installation Restrictions* - GP ADMX file name: *deviceinstallation.admx* - +
          @@ -142,14 +142,14 @@ If you disable or do not configure this policy setting, Windows can install and > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Prevent installation of devices using drivers that match these device setup classes* - GP name: *DeviceInstall_Classes_Deny* - GP path: *System/Device Installation/Device Installation Restrictions* - GP ADMX file name: *deviceinstallation.admx* - +
          @@ -158,6 +158,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 2555067447..1a791a7b71 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - DeviceLock @@ -66,6 +66,9 @@ ms.date: 01/30/2018
          DeviceLock/MinimumPasswordAge
          +
          + DeviceLock/PreventEnablingLockScreenCamera +
          DeviceLock/PreventLockScreenSlideShow
          @@ -1020,6 +1023,51 @@ The minimum password age must be less than the Maximum password age, unless the Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default. + +GP Info: +- GP English name: *Minimum password age* +- GP path: *Windows Settings/Security Settings/Account Policies/Password Policy* + + + + +
          + + +**DeviceLock/PreventEnablingLockScreenCamera** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + +Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. + +By default, users can enable invocation of an available camera on the lock screen. + +If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera cannot be invoked on the lock screen. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent enabling lock screen camera* +- GP name: *CPL_Personalization_NoLockScreenCamera* +- GP path: *Control Panel/Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + +
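Review bot: The new DeviceLock/PreventEnablingLockScreenCamera section goes straight from the heading to Scope, with no supported-editions table and no "Added in Windows 10, version ..." statement, whereas the Display policies added in this same patch include the edition table with footnote 4. Please add the table and the version so readers can tell which SKUs and releases honour the policy. The description also says nothing about the disabled or not-configured state beyond "By default, users can enable invocation of an available camera on the lock screen"; one sentence stating that disabling or not configuring the setting leaves the toggle available would match the wording of the neighbouring PreventLockScreenSlideShow entry.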
          @@ -1074,14 +1122,14 @@ If you enable this setting, users will no longer be able to modify slide show se > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Prevent enabling lock screen slide show* - GP name: *CPL_Personalization_NoLockScreenSlideshow* - GP path: *Control Panel/Personalization* - GP ADMX file name: *ControlPanelDisplay.admx* - +
          @@ -1144,6 +1192,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index fbfc7878d5..0cf8a9740d 100644 --- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Display +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
          @@ -19,6 +21,15 @@ ms.date: 01/30/2018 ## Display policies
          +
          + Display/DisablePerProcessDpiForApps +
          +
          + Display/EnablePerProcessDpi +
          +
          + Display/EnablePerProcessDpiForApps +
          Display/TurnOffGdiDPIScalingForApps
          @@ -28,6 +39,182 @@ ms.date: 01/30/2018
          +
          + + +**Display/DisablePerProcessDpiForApps** + + +
          + + + + + + + + + + + + + + + + + + +
          HomeProBusinessEnterpriseEducationMobileMobile Enterprise
          check mark4check mark4check mark4check mark4check mark4cross markcross mark
          + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + +This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. + + + +ADMX Info: +- GP English name: *Configure Per-Process System DPI settings* +- GP name: *DisplayPerProcessSystemDpiSettings* +- GP element: *DisplayDisablePerProcessSystemDpiSettings* +- GP path: *System/Display* +- GP ADMX file name: *Display.admx* + + + + +
          + + +**Display/EnablePerProcessDpi** + + + + + + + + + + + + + + + + + + + + + +
          HomeProBusinessEnterpriseEducationMobileMobile Enterprise
          check mark4check mark4check mark4check mark4check mark4cross markcross mark
          + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + + +Per Process System DPI is an application compatibility feature for desktop applications that do not render properly after a display-scale factor (DPI) change. When the display scale factor of the primary display changes (which can happen when you connect or disconnect a display that has a different display scale factor (DPI), connect remotely from a device with a different display scale factor, or manually change the display scale factor), many desktop applications can display blurry. Desktop applications that have not been updated to display properly in this scenario will be blurry until you log out and back in to Windows. + +When you enable this policy some blurry applications will be crisp after they are restarted, without requiring the user to log out and back in to Windows. + +Be aware of the following: + +Per Process System DPI will only improve the rendering of desktop applications that are positioned on the primary display (or any other display that has the same scale factor as that of the primary display). Some desktop applications can still be blurry on secondary displays that have different display scale factors. + +Per Process System DPI will not work for all applications as some older desktop applications will always be blurry on high DPI displays. + +In some cases, you may see some unexpected behavior in some desktop applications that have Per-Process System DPI applied. If that happens, Per Process System DPI should be disabled. + +Enabling this setting lets you specify the system-wide default for desktop applications as well as per-application overrides. If you disable or do not configure this setting, Per Process System DPI will not apply to any processes on the system. 
+ + + +ADMX Info: +- GP English name: *Configure Per-Process System DPI settings* +- GP name: *DisplayPerProcessSystemDpiSettings* +- GP element: *DisplayGlobalPerProcessSystemDpiSettings* +- GP path: *System/Display* +- GP ADMX file name: *Display.admx* + + + +The following list shows the supported values: + +- 0 - Disable. +- 1 - Enable. + + + + +
          + + +**Display/EnablePerProcessDpiForApps** + + + + + + + + + + + + + + + + + + + + + +
          HomeProBusinessEnterpriseEducationMobileMobile Enterprise
          check mark4check mark4check mark4check mark4check mark4cross markcross mark
          + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + +This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. + + + +ADMX Info: +- GP English name: *Configure Per-Process System DPI settings* +- GP name: *DisplayPerProcessSystemDpiSettings* +- GP element: *DisplayEnablePerProcessSystemDpiSettings* +- GP path: *System/Display* +- GP ADMX file name: *Display.admx* + + + +
          @@ -77,6 +264,15 @@ If you disable or do not configure this policy setting, GDI DPI Scaling might st If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off. + +ADMX Info: +- GP English name: *Turn off GdiDPIScaling for applications* +- GP name: *DisplayTurnOffGdiDPIScaling* +- GP element: *DisplayTurnOffGdiDPIScalingPrompt* +- GP path: *System/Display* +- GP ADMX file name: *Display.admx* + + To validate on Desktop, do the following: @@ -135,6 +331,15 @@ If you disable or do not configure this policy setting, GDI DPI Scaling will not If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off. + +ADMX Info: +- GP English name: *Turn on GdiDPIScaling for applications* +- GP name: *DisplayTurnOnGdiDPIScaling* +- GP element: *DisplayTurnOnGdiDPIScalingPrompt* +- GP path: *System/Display* +- GP ADMX file name: *Display.admx* + + To validate on Desktop, do the following: @@ -150,6 +355,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index 3583549ed4..e1fb1b9965 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Education 
@@ -117,6 +117,14 @@ The policy value is expected to be the name (network host name) of an installed Added in Windows 10, version 1709. Allows IT Admins to prevent user installation of additional printers from the printers settings. + +ADMX Info: +- GP English name: *Prevent addition of printers* +- GP name: *NoAddPrinter* +- GP path: *Control Panel/Printers* +- GP ADMX file name: *Printing.admx* + + The following list shows the supported values: @@ -177,6 +185,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md index 63d4b5f3b2..4b5b961ad9 100644 --- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md +++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - EnterpriseCloudPrint @@ -328,6 +328,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md index e33bbb0431..d2a31d1077 100644 --- a/windows/client-management/mdm/policy-csp-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-errorreporting.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - ErrorReporting 
@@ -99,14 +99,14 @@ If you disable or do not configure this policy setting, then the default consent > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Customize consent settings* - GP name: *WerConsentCustomize_2* - GP path: *Windows Components/Windows Error Reporting/Consent* - GP ADMX file name: *ErrorReporting.admx* - +
          @@ -161,14 +161,14 @@ If you disable or do not configure this policy setting, the Turn off Windows Err > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Disable Windows Error Reporting* - GP name: *WerDisable_2* - GP path: *Windows Components/Windows Error Reporting* - GP ADMX file name: *ErrorReporting.admx* - +
          @@ -227,14 +227,14 @@ See also the Configure Error Reporting policy setting. > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Display Error Notification* - GP name: *PCH_ShowUI* - GP path: *Windows Components/Windows Error Reporting* - GP ADMX file name: *ErrorReporting.admx* - +
          @@ -289,14 +289,14 @@ If you disable or do not configure this policy setting, then consent policy sett > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Do not send additional data* - GP name: *WerNoSecondLevelData_2* - GP path: *Windows Components/Windows Error Reporting* - GP ADMX file name: *ErrorReporting.admx* - +
          @@ -351,14 +351,14 @@ If you disable or do not configure this policy setting, Windows Error Reporting > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Prevent display of the user interface for critical errors* - GP name: *WerDoNotShowUI* - GP path: *Windows Components/Windows Error Reporting* - GP ADMX file name: *ErrorReporting.admx* - +
          @@ -367,6 +367,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md index 10a8c1e6f4..835be83eb0 100644 --- a/windows/client-management/mdm/policy-csp-eventlogservice.md +++ b/windows/client-management/mdm/policy-csp-eventlogservice.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - EventLogService @@ -78,7 +78,7 @@ If you enable this policy setting and a log file reaches its maximum size, new e If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. -Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. +Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. > [!TIP] @@ -88,14 +88,14 @@ Note: Old events may or may not be retained according to the "Backup log automat > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Control Event Log behavior when the log file reaches its maximum size* - GP name: *Channel_Log_Retention_1* - GP path: *Windows Components/Event Log Service/Application* - GP ADMX file name: *eventlog.admx* - +
          @@ -150,14 +150,14 @@ If you disable or do not configure this policy setting, the maximum size of the > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Specify the maximum log file size (KB)* - GP name: *Channel_LogMaxSize_1* - GP path: *Windows Components/Event Log Service/Application* - GP ADMX file name: *eventlog.admx* - +
          @@ -212,14 +212,14 @@ If you disable or do not configure this policy setting, the maximum size of the > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Specify the maximum log file size (KB)* - GP name: *Channel_LogMaxSize_2* - GP path: *Windows Components/Event Log Service/Security* - GP ADMX file name: *eventlog.admx* - +
          @@ -274,14 +274,14 @@ If you disable or do not configure this policy setting, the maximum size of the > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Specify the maximum log file size (KB)* - GP name: *Channel_LogMaxSize_4* - GP path: *Windows Components/Event Log Service/System* - GP ADMX file name: *eventlog.admx* - +
          @@ -290,6 +290,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 162e0d9065..3f96460055 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Experience @@ -72,6 +72,9 @@ ms.date: 01/30/2018
          Experience/AllowWindowsSpotlightOnActionCenter
          +
          + Experience/AllowWindowsSpotlightOnSettings +
          Experience/AllowWindowsSpotlightWindowsWelcomeExperience
          @@ -185,6 +188,14 @@ Specifies whether Cortana is allowed on the device. If you enable or don’t con Most restricted value is 0. + +ADMX Info: +- GP English name: *Allow Cortana* +- GP name: *AllowCortana* +- GP path: *Windows Components/Search* +- GP ADMX file name: *Search.admx* + + The following list shows the supported values: @@ -293,6 +304,14 @@ When Find My Device is on, the device and its location are registered in the clo When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. In Windows 10, version 1709 the user will not be able to view the location of the last use of their active digitizer on their device. + +ADMX Info: +- GP English name: *Turn On/Off Find My Device* +- GP name: *FindMy_AllowFindMyDeviceConfig* +- GP path: *Windows Components/Find My Device* +- GP ADMX file name: *FindMy.admx* + + The following list shows the supported values: @@ -561,7 +580,7 @@ The following list shows the supported values: check mark2 check mark2 check mark2 - check mark2 + cross mark cross mark cross mark @@ -590,6 +609,14 @@ Diagnostic data can include browser, app and feature usage, depending on the "Di Most restricted value is 0. + +ADMX Info: +- GP English name: *Do not use diagnostic data for tailored experiences* +- GP name: *DisableTailoredExperiencesWithDiagnosticData* +- GP path: *Windows Components/Cloud Content* +- GP ADMX file name: *CloudContent.admx* + + The following list shows the supported values: @@ -672,11 +699,11 @@ The following list shows the supported values: cross mark check mark1 - check mark1 check mark1 cross mark cross mark + cross mark 
@@ -698,6 +725,14 @@ The following list shows the supported values: Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services. + +ADMX Info: +- GP English name: *Do not suggest third-party content in Windows spotlight* +- GP name: *DisableThirdPartySuggestions* +- GP path: *Windows Components/Cloud Content* +- GP ADMX file name: *CloudContent.admx* + + The following list shows the supported values: @@ -781,12 +816,12 @@ The following list shows the supported values: cross mark - check mark - + cross mark check mark check mark cross mark cross mark + cross mark @@ -795,7 +830,7 @@ The following list shows the supported values: [Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] -> * User +> * Device
          @@ -810,6 +845,14 @@ This policy allows IT admins to turn on experiences that are typically for consu Most restricted value is 0. + +ADMX Info: +- GP English name: *Turn off Microsoft consumer experiences* +- GP name: *DisableWindowsConsumerFeatures* +- GP path: *Windows Components/Cloud Content* +- GP ADMX file name: *CloudContent.admx* + + The following list shows the supported values: @@ -838,11 +881,11 @@ The following list shows the supported values: cross mark cross mark - check mark1 check mark1 cross mark cross mark + cross mark @@ -866,6 +909,14 @@ Specifies whether to turn off all Windows spotlight features at once. If you ena Most restricted value is 0. + +ADMX Info: +- GP English name: *Turn off all Windows spotlight features* +- GP name: *DisableWindowsSpotlightFeatures* +- GP path: *Windows Components/Cloud Content* +- GP ADMX file name: *CloudContent.admx* + + The following list shows the supported values: @@ -896,7 +947,7 @@ The following list shows the supported values: cross mark check mark2 check mark2 - check mark2 + cross mark cross mark cross mark @@ -921,6 +972,14 @@ Added in Windows 10, version 1703. This policy allows administrators to prevent Most restricted value is 0. + +ADMX Info: +- GP English name: *Turn off Windows Spotlight on Action Center* +- GP name: *DisableWindowsSpotlightOnActionCenter* +- GP path: *Windows Components/Cloud Content* +- GP ADMX file name: *CloudContent.admx* + + The following list shows the supported values: @@ -932,6 +991,68 @@ The following list shows the supported values:
          + +**Experience/AllowWindowsSpotlightOnSettings** + + + + + + + + + + + + + + + + + + + + + +
          HomeProBusinessEnterpriseEducationMobileMobile Enterprise
          cross markcross markcheck mark4check mark4cross mark
          + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
          + + + +Added in Windows 10, version 1083. This policy allows IT admins to turn off Suggestions in Settings app. These suggestions from Microsoft may show after each OS clean install, upgrade or an on-going basis to help users discover apps/features on Windows or across devices, to make thier experience productive. + +- User setting is under Settings -> Privacy -> General -> Show me suggested content in Settings app. +- User Setting is changeable on a per user basis. +- If the Group policy is set to off, no suggestions will be shown to the user in Settings app. + + + +ADMX Info: +- GP English name: *Turn off Windows Spotlight on Settings* +- GP name: *DisableWindowsSpotlightOnSettings* +- GP path: *Windows Components/Cloud Content* +- GP ADMX file name: *CloudContent.admx* + + + +The following list shows the supported values: + +- 0 - Not allowed. +- 1 - Allowed. + + + + +
          + **Experience/AllowWindowsSpotlightWindowsWelcomeExperience** @@ -951,7 +1072,7 @@ The following list shows the supported values: cross mark check mark2 check mark2 - check mark2 + cross mark cross mark cross mark @@ -977,6 +1098,14 @@ The Windows welcome experience feature introduces onboard users to Windows; for Most restricted value is 0. + +ADMX Info: +- GP English name: *Turn off the Windows Welcome Experience* +- GP name: *DisableWindowsSpotlightWindowsWelcomeExperience* +- GP path: *Windows Components/Cloud Content* +- GP ADMX file name: *CloudContent.admx* + + The following list shows the supported values: @@ -1004,12 +1133,12 @@ The following list shows the supported values: cross mark - check mark - + cross mark check mark check mark cross mark cross mark + cross mark @@ -1027,6 +1156,14 @@ The following list shows the supported values: Enables or disables Windows Tips / soft landing. + +ADMX Info: +- GP English name: *Do not show Windows tips* +- GP name: *DisableSoftLanding* +- GP path: *Windows Components/Cloud Content* +- GP ADMX file name: *CloudContent.admx* + + The following list shows the supported values: @@ -1055,11 +1192,11 @@ The following list shows the supported values: cross mark cross mark - check mark1 check mark1 cross mark cross mark + cross mark @@ -1081,6 +1218,14 @@ The following list shows the supported values: Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1. + +ADMX Info: +- GP English name: *Configure Windows spotlight on lock screen* +- GP name: *ConfigureWindowsSpotlight* +- GP path: *Windows Components/Cloud Content* +- GP ADMX file name: *CloudContent.admx* + + The following list shows the supported values: 
@@ -1136,6 +1281,14 @@ If you enable this policy setting, users will no longer see feedback notificatio If you disable or do not configure this policy setting, users can control how often they receive feedback questions. + +ADMX Info: +- GP English name: *Do not show feedback notifications* +- GP name: *DoNotShowFeedbackNotifications* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *FeedbackNotifications.admx* + + The following list shows the supported values: @@ -1151,6 +1304,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index f52eb4c227..bdf443d549 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - ExploitGuard @@ -68,6 +68,15 @@ Enables the IT admin to push out a configuration representing the desired system The system settings require a reboot; the application settings do not require a reboot. + +ADMX Info: +- GP English name: *Use a common set of exploit protection settings* +- GP name: *ExploitProtection_Name* +- GP element: *ExploitProtection_Name* +- GP path: *Windows Components/Windows Defender Exploit Guard/Exploit Protection* +- GP ADMX file name: *ExploitGuard.admx* + + Here is an example: @@ -103,6 +112,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. 
diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md new file mode 100644 index 0000000000..9216df0e67 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-fileexplorer.md @@ -0,0 +1,112 @@ +--- +title: Policy CSP - FileExplorer +description: Policy CSP - FileExplorer +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 03/12/2018 +--- + +# Policy CSP - FileExplorer + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
          + + +## FileExplorer policies + +
          +
          + FileExplorer/TurnOffDataExecutionPreventionForExplorer +
          +
          + FileExplorer/TurnOffHeapTerminationOnCorruption +
          +
          + + +
          + + +**FileExplorer/TurnOffDataExecutionPreventionForExplorer** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + +Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Data Execution Prevention for Explorer* +- GP name: *NoDataExecutionPrevention* +- GP path: *File Explorer* +- GP ADMX file name: *Explorer.admx* + + + + +
          + + +**FileExplorer/TurnOffHeapTerminationOnCorruption** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + +Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off heap termination on corruption* +- GP name: *NoHeapTerminationOnCorruption* +- GP path: *File Explorer* +- GP ADMX file name: *Explorer.admx* + + + +
          + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. + + + diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md index 2a651204e1..d14fd92fed 100644 --- a/windows/client-management/mdm/policy-csp-games.md +++ b/windows/client-management/mdm/policy-csp-games.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Games @@ -81,6 +81,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md index c03012e8f2..bdbcb764ae 100644 --- a/windows/client-management/mdm/policy-csp-handwriting.md +++ b/windows/client-management/mdm/policy-csp-handwriting.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Handwriting @@ -72,6 +72,14 @@ In floating mode, the content is hidden behind a flying-in panel and results in The docked mode is especially useful in Kiosk mode where you do not expect the end-user to drag the flying-in panel out of the way. + +ADMX Info: +- GP English name: *Handwriting Panel Default Mode Docked* +- GP name: *PanelDefaultModeDocked* +- GP path: *Windows Components/Handwriting* +- GP ADMX file name: *Handwriting.admx* + + The following list shows the supported values: @@ -87,6 +95,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. 
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 4e2042350f..304792e860 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - InternetExplorer @@ -238,6 +238,9 @@ ms.date: 01/30/2018
          InternetExplorer/InternetZoneAllowUserDataPersistence
          +
          + InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer +
          InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls
          @@ -406,6 +409,9 @@ ms.date: 01/30/2018
          InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames
          +
          + InternetExplorer/LockedDownIntranetJavaPermissions +
          InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources
          @@ -637,6 +643,9 @@ ms.date: 01/30/2018
          InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence
          +
          + InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer +
          InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
          @@ -804,14 +813,14 @@ If you disable or do not configure this policy setting, the user can configure t > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Add a specific list of search providers to the user's list of search providers* - GP name: *AddSearchProvider* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
          @@ -867,14 +876,14 @@ If you disable or do not configure this policy setting, ActiveX Filtering is not > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on ActiveX Filtering* - GP name: *TurnOnActiveXFiltering* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
          @@ -922,7 +931,7 @@ This list can be used with the 'Deny all add-ons unless specifically allowed in If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information: -Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, {000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced. +Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, ‘{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced. Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field. @@ -936,14 +945,14 @@ If you disable this policy setting, the list is deleted. The 'Deny all add-ons u > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Add-on List* - GP name: *AddonManagement_AddOnList* - GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* - +
          @@ -984,6 +993,13 @@ ADMX Info: +This AutoComplete feature can remember and suggest User names and passwords on Forms. + +If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". + +If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. + +If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. > [!TIP] @@ -993,14 +1009,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on the auto-complete feature for user names and passwords on forms* - GP name: *RestrictFormSuggestPW* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
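Review bot: The added description in the @@ -984,6 +993,13 @@ hunk spells the feature three ways ("AutoComplete", "Auto Complete", "Auto complete") and the option two ways ("User names and passwords on Forms", "User name and passwords on forms"); pick one spelling of each. The sentence "You have to decide whether to select "prompt me to save passwords"" does not say where the administrator makes that choice, and "If you disable this setting the user cannot change" needs a comma after "setting". Since this setting controls whether the browser stores credentials, it would help to say which state the documentation recommends.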
          @@ -1042,6 +1058,11 @@ ADMX Info: +This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks. + +If you enable this policy setting, the certificate address mismatch warning always appears. + +If you disable or do not configure this policy setting, the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the Internet Control panel). > [!TIP] @@ -1051,14 +1072,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on certificate address mismatch warning* - GP name: *IZ_PolicyWarnCertMismatch* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* - +
          @@ -1100,6 +1121,15 @@ ADMX Info: +This policy setting allows the automatic deletion of specified items when the last browser window closes. The preferences selected in the Delete Browsing History dialog box (such as deleting temporary Internet files, cookies, history, form data, and passwords) are applied, and those items are deleted. + +If you enable this policy setting, deleting browsing history on exit is turned on. + +If you disable this policy setting, deleting browsing history on exit is turned off. + +If you do not configure this policy setting, it can be configured on the General tab in Internet Options. + +If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting has no effect. > [!TIP] @@ -1109,14 +1139,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow deleting browsing history on exit* - GP name: *DBHDisableDeleteOnExit* - GP path: *Windows Components/Internet Explorer/Delete Browsing History* - GP ADMX file name: *inetres.admx* - +
          @@ -1174,14 +1204,14 @@ If you do not configure this policy, users will be able to turn on or turn off E > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on Enhanced Protected Mode* - GP name: *Advanced_EnableEnhancedProtectedMode* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* - +
          @@ -1237,14 +1267,14 @@ If you disable or don't configure this policy setting, the menu option won't app > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Let users turn on and use Enterprise Mode from the Tools menu* - GP name: *EnterpriseModeEnable* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
          @@ -1300,14 +1330,14 @@ If you disable or don't configure this policy setting, Internet Explorer opens a > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Use the Enterprise Mode IE website list* - GP name: *EnterpriseModeSiteList* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
          @@ -1348,6 +1378,13 @@ ADMX Info: +This policy setting allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails. + +We recommend that you do not allow insecure fallback in order to prevent a man-in-the-middle attack. + +This policy does not affect which security protocols are enabled. + +If you disable this policy, system defaults will be used. > [!TIP] @@ -1357,14 +1394,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow fallback to SSL 3.0 (Internet Explorer)* - GP name: *Advanced_EnableSSL3Fallback* - GP path: *Windows Components/Internet Explorer/Security Features* - GP ADMX file name: *inetres.admx* - +
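Review bot: The first added sentence in the @@ -1348,6 +1378,13 @@ hunk says the setting lets you "block an insecure fallback to SSL 3.0", but the next sentence says that when the policy is enabled Internet Explorer will attempt SSL 3.0 or below after TLS 1.0 or greater fails, and the GP English name below is "Allow fallback to SSL 3.0". As written, a reader cannot tell whether enabling the policy blocks or permits the fallback. Reword so the enabled behaviour is stated in one direction, tie the recommendation ("do not allow insecure fallback") to a concrete state, and say what happens when the policy is not configured; "system defaults will be used" for the disabled case does not tell the reader whether fallback is on or off.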
          @@ -1420,14 +1457,14 @@ If you disable or do not configure this policy setting, the user can add and rem > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Use Policy List of Internet Explorer 7 sites* - GP name: *CompatView_UsePolicyList* - GP path: *Windows Components/Internet Explorer/Compatibility View* - GP ADMX file name: *inetres.admx* - +
          @@ -1485,14 +1522,14 @@ If you do not configure this policy setting, Internet Explorer uses an Internet > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on Internet Explorer Standards Mode for local intranet* - GP name: *CompatView_IntranetSites* - GP path: *Windows Components/Internet Explorer/Compatibility View* - GP ADMX file name: *inetres.admx* - +
          @@ -1554,14 +1591,14 @@ Note. It is recommended to configure template policy settings in one Group Polic > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Internet Zone Template* - GP name: *IZ_PolicyInternetZoneTemplate* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* - +
          @@ -1623,14 +1660,14 @@ Note. It is recommended to configure template policy settings in one Group Polic > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Intranet Zone Template* - GP name: *IZ_PolicyIntranetZoneTemplate* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* - +
          @@ -1692,14 +1729,14 @@ Note. It is recommended to configure template policy settings in one Group Polic > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Local Machine Zone Template* - GP name: *IZ_PolicyLocalMachineZoneTemplate* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* - +
          @@ -1761,14 +1798,14 @@ Note. It is recommended to configure template policy settings in one Group Polic > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Locked-Down Internet Zone Template* - GP name: *IZ_PolicyInternetZoneLockdownTemplate* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* - +
          @@ -1830,14 +1867,14 @@ Note. It is recommended to configure template policy settings in one Group Polic > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Locked-Down Intranet Zone Template* - GP name: *IZ_PolicyIntranetZoneLockdownTemplate* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* - +
          @@ -1899,14 +1936,14 @@ Note. It is recommended to configure template policy settings in one Group Polic > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Locked-Down Local Machine Zone Template* - GP name: *IZ_PolicyLocalMachineZoneLockdownTemplate* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* - +
          @@ -1968,14 +2005,14 @@ Note. It is recommended to configure template policy settings in one Group Polic > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Locked-Down Restricted Sites Zone Template* - GP name: *IZ_PolicyRestrictedSitesZoneLockdownTemplate* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* - +
          @@ -2031,14 +2068,14 @@ If you disable or do not configure this policy setting, Internet Explorer does n > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Go to an intranet site for a one-word entry in the Address bar* - GP name: *UseIntranetSiteForOneWordEntry* - GP path: *Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing* - GP ADMX file name: *inetres.admx* - +
          
@@ -2084,9 +2121,9 @@ This policy setting allows you to manage a list of sites that you want to associ Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.) -If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information: +If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site.  For each entry that you add to the list, enter the following information: -Valuename A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also includea specificprotocol. For example, if you enter http://www.contoso.comas the valuename, other protocols are not affected.If you enter just www.contoso.com,then all protocolsare affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. 
For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. +Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter http://www.contoso.com as the valuename, other protocols are not affected. If you enter just www.contoso.com, then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4. @@ -2100,14 +2137,14 @@ If you disable or do not configure this policy, users may choose their own site- > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Site to Zone Assignment List* - GP name: *IZ_Zonemaps* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* - +
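Review bot: The rewritten "Valuename" line now uses an en dash after the label while the unchanged "Value - A number indicating the zone" line keeps a hyphen, so the two list entries no longer match; use the same separator for both. The other changed line in this hunk only turns one space into two after "applied to the site." and looks unintended. The spacing fixes themselves ("include a specific protocol", "http://www.contoso.com as the valuename") are correct.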
          @@ -2149,6 +2186,13 @@ ADMX Info: +This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file. + +If you enable this policy setting, users will be prompted to install or run files with an invalid signature. + +If you disable this policy setting, users cannot run or install files with an invalid signature. + +If you do not configure this policy, users can choose to run or install files with an invalid signature. > [!TIP] @@ -2158,14 +2202,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow software to run or install even if the signature is invalid* - GP name: *Advanced_InvalidSignatureBlock* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* - +
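Review bot: In the added description, the enabled state ("users will be prompted to install or run files with an invalid signature") and the not-configured state ("users can choose to run or install files with an invalid signature") read as nearly the same outcome, so the difference between them is unclear. State whether a prompt appears when the policy is not configured, and, because the text itself says an invalid signature might indicate tampering, say which state is recommended. The last paragraph also says "this policy" where the others say "this policy setting".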
          @@ -2207,9 +2251,9 @@ ADMX Info: -This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit. +This policy setting controls the Suggested Sites feature, which recommends websites based on the user’s browsing activity. Suggested Sites reports a user’s browsing history to Microsoft to suggest sites that the user might want to visit. -If you enable this policy setting, the user is not prompted to enable Suggested Sites. The users browsing history is sent to Microsoft to produce suggestions. +If you enable this policy setting, the user is not prompted to enable Suggested Sites. The user’s browsing history is sent to Microsoft to produce suggestions. If you disable this policy setting, the entry points and functionality associated with this feature are turned off. @@ -2223,14 +2267,14 @@ If you do not configure this policy setting, the user can turn on and turn off t > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on Suggested Sites* - GP name: *EnableSuggestedSites* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
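Review bot: The possessive fix in the @@ -2207,9 +2251,9 @@ hunk inserts a curly apostrophe (user’s) three times, while the rest of the visible text uses straight apostrophes ("don't", "hasn't", "servers'"). Use the straight character so the file stays consistent and searchable.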
          @@ -2292,14 +2336,14 @@ Note. It is recommended to configure template policy settings in one Group Polic > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Trusted Sites Zone Template* - GP name: *IZ_PolicyTrustedSitesZoneTemplate* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* - +
          @@ -2361,14 +2405,14 @@ Note. It is recommended to configure template policy settings in one Group Polic > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Locked-Down Trusted Sites Zone Template* - GP name: *IZ_PolicyTrustedSitesZoneLockdownTemplate* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* - +
          @@ -2430,14 +2474,14 @@ Note. It is recommended to configure template policy settings in one Group Polic > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Restricted Sites Zone Template* - GP name: *IZ_PolicyRestrictedSitesZoneTemplate* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* - +
          @@ -2479,6 +2523,13 @@ ADMX Info: +This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure. + +If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked. + +If you disable this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. + +If you do not configure this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. > [!TIP] @@ -2488,14 +2539,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Check for server certificate revocation* - GP name: *Advanced_CertificateRevocation* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* - +
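Review bot: The last two added paragraphs are identical apart from "disable" versus "do not configure". Other entries in this file fold that case into one sentence ("If you disable or do not configure this policy setting, ..."); do the same here. Because the description says revocation checking protects users from sites that may be fraudulent, and the not-configured result is that no check is made, it is worth stating plainly that the protection is off unless the policy is enabled.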
          @@ -2537,6 +2588,13 @@ ADMX Info: +This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs. + +If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers. + +If you disable this policy setting, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers. + +If you do not configure this policy, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers. > [!TIP] @@ -2546,14 +2604,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Check for signatures on downloaded programs* - GP name: *Advanced_DownloadSignatures* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* - +
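Review bot: In the first added sentence, "digital signatures (which identifies the publisher ... and verifies it hasn't been modified" has a singular verb for a plural subject; it should read "which identify ... and verify". The disabled and not-configured paragraphs are word-for-word the same result and can be merged into one "If you disable or do not configure" sentence, and "this policy" in the last paragraph should be "this policy setting" to match the other two.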
          @@ -2595,6 +2653,15 @@ ADMX Info: +Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. + +This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. + +If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files. + +If you disable this policy setting, Internet Explorer will not require consistent MIME data for all received files. + +If you do not configure this policy setting, Internet Explorer requires consistent MIME data for all received files. > [!TIP] @@ -2604,14 +2671,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Internet Explorer Processes* -- GP name: *IESF_PolicyExplorerProcesses_2* -- GP path: *Windows Components/Internet Explorer/Security Features/Binary Behavior Security Restriction* +- GP name: *IESF_PolicyExplorerProcesses_5* +- GP path: *Windows Components/Internet Explorer/Security Features/Consistent Mime Handling* - GP ADMX file name: *inetres.admx* - +
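Review bot: The @@ -2604,14 +2671,14 @@ hunk changes GP name from IESF_PolicyExplorerProcesses_2 to IESF_PolicyExplorerProcesses_5 and the GP path from Binary Behavior Security Restriction to Consistent Mime Handling, which is a content correction mixed into a commit that is otherwise descriptions and whitespace. Call it out in the commit message, and check whether any other entry with the English name "Internet Explorer Processes" carries the same copied _2 value. In the added description, the enabled and not-configured paragraphs state the same behaviour and could be one sentence.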
          @@ -2669,14 +2736,14 @@ Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects* - GP name: *DisableFlashInIE* - GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* - +
          @@ -2732,14 +2799,14 @@ If you disable or do not configure this policy setting, the user can bypass Smar > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Prevent bypassing SmartScreen Filter warnings* - GP name: *DisableSafetyFilterOverride* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
          @@ -2795,14 +2862,14 @@ If you disable or do not configure this policy setting, the user can bypass Smar > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet* - GP name: *DisableSafetyFilterOverrideForAppRepUnknown* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
          @@ -2844,6 +2911,11 @@ ADMX Info: +This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Temporary Internet Files and History Settings dialog box, from the Menu bar, on the Tools menu, click Internet Options, click the General tab, and then click Settings under Browsing history. + +If you enable this policy setting, a user cannot set the number of days that Internet Explorer tracks views of the pages in the History List. You must specify the number of days that Internet Explorer tracks views of pages in the History List. Users can not delete browsing history. + +If you disable or do not configure this policy setting, a user can set the number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history. > [!TIP] @@ -2853,14 +2925,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Disable "Configuring History"* - GP name: *RestrictHistory* - GP path: *Windows Components/Internet Explorer/Delete Browsing History* - GP ADMX file name: *inetres.admx* - +
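Review bot: In the second added paragraph, "Users can not delete browsing history" should be "cannot", and the side effect it describes is easy to miss at the end of a paragraph about the number of days; give it its own sentence or a note, since an admin enabling this to fix the retention period also removes the user's ability to clear history. The text also alternates between "History List" and "History list"; pick one.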
          @@ -2902,6 +2974,11 @@ ADMX Info: +This policy setting allows you to manage the crash detection feature of add-on Management. + +If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply. + +If you disable or do not configure this policy setting, the crash detection feature for add-on management will be functional. > [!TIP] @@ -2911,14 +2988,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn off Crash Detection* - GP name: *AddonManagement_RestrictCrashDetection* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
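Review bot: The enabled paragraph never says that crash detection is turned off; it only says a crash "will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier". Given the GP English name is "Turn off Crash Detection", lead with that outcome and then describe the Windows Error Reporting behaviour. "add-on Management" in the first sentence is capitalised differently from "add-on management" in the last.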
          @@ -2976,14 +3053,14 @@ If you do not configure this policy setting, the user can choose to participate > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Prevent participation in the Customer Experience Improvement Program* - GP name: *SQM_DisableCEIP* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
          @@ -3025,6 +3102,15 @@ ADMX Info: +This policy setting prevents the user from deleting the history of websites that he or she has visited. This feature is available in the Delete Browsing History dialog box. + +If you enable this policy setting, websites that the user has visited are preserved when he or she clicks Delete. + +If you disable this policy setting, websites that the user has visited are deleted when he or she clicks Delete. + +If you do not configure this policy setting, the user can choose whether to delete or preserve visited websites when he or she clicks Delete. + +If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default. > [!TIP] @@ -3034,14 +3120,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Prevent deleting websites that the user has visited* - GP name: *DBHDisableDeleteHistory* - GP path: *Windows Components/Internet Explorer/Delete Browsing History* - GP ADMX file name: *inetres.admx* - +
          @@ -3097,14 +3183,14 @@ If you disable or do not configure this policy setting, the user can set the Fee > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Prevent downloading of enclosures* - GP name: *Disable_Downloading_of_Enclosures* - GP path: *Windows Components/RSS Feeds* - GP ADMX file name: *inetres.admx* - +
          @@ -3146,7 +3232,7 @@ ADMX Info: -This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match. +This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match. If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list. @@ -3162,14 +3248,14 @@ Note: SSL 2.0 is off by default and is no longer supported starting with Windows > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn off encryption support* - GP name: *Advanced_SetWinInetProtocols* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* - +
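Review bot: the replacement line in the hunk at -3146,7 +3232,7 fixes the missing possessive but introduces a typographic apostrophe (each other’s), while other lines in this file, such as "the user's home page", use the plain ASCII apostrophe. Write "each other's" so the Markdown source stays consistent and searchable.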
          @@ -3214,8 +3300,8 @@ ADMX Info: This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. If you enable this policy setting, you must make one of the following choices: -Skip the First Run wizard, and go directly to the user's home page. -Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage. +- Skip the First Run wizard, and go directly to the user's home page. +- Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage. Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen. @@ -3229,14 +3315,14 @@ If you disable or do not configure this policy setting, Internet Explorer may ru > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Prevent running First Run wizard* - GP name: *NoFirstRunCustomise* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
          @@ -3296,14 +3382,14 @@ If you don't configure this setting, users can turn this behavior on or off, usi > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn off the flip ahead with page prediction feature* - GP name: *Advanced_DisableFlipAhead* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* - +
          @@ -3358,14 +3444,14 @@ If you disable or do not configure this policy setting, the Home page box is ena > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Disable changing home page settings* - GP name: *RestrictHomePage* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
          @@ -3407,6 +3493,11 @@ ADMX Info: +This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer. + +If you enable this policy setting, the user cannot continue browsing. + +If you disable or do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing. > [!TIP] @@ -3416,14 +3507,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Prevent ignoring certificate errors* - GP name: *NoCertError* - GP path: *Windows Components/Internet Explorer/Internet Control Panel* - GP ADMX file name: *inetres.admx* - +
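Review bot: "If you enable this policy setting, the user cannot continue browsing." in the hunk at -3407,6 +3493,11 reads as though all browsing stops. Say what is actually blocked, for example "the user cannot continue to the site that produced the certificate error," which also matches the wording of the disabled case ("ignore certificate errors and continue browsing").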
          @@ -3465,6 +3556,15 @@ ADMX Info: +This policy setting allows you to turn off the InPrivate Browsing feature. + +InPrivate Browsing prevents Internet Explorer from storing data about a user's browsing session. This includes cookies, temporary Internet files, history, and other data. + +If you enable this policy setting, InPrivate Browsing is turned off. + +If you disable this policy setting, InPrivate Browsing is available for use. + +If you do not configure this policy setting, InPrivate Browsing can be turned on or off through the registry. > [!TIP] @@ -3474,14 +3574,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn off InPrivate Browsing* - GP name: *DisableInPrivateBrowsing* - GP path: *Windows Components/Internet Explorer/Privacy* - GP ADMX file name: *inetres.admx* - +
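Review bot: the last added sentence in the hunk at -3465,6 +3556,15 says that, when the setting is not configured, InPrivate Browsing "can be turned on or off through the registry" without naming the registry location or saying which state applies when nothing is set. Either document the location and the default, or drop the registry reference and state the default behavior.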
          @@ -3523,6 +3623,15 @@ ADMX Info: +This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows. + +Important: Some ActiveX controls and toolbars may not be available when 64-bit processes are used. + +If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows. + +If you disable this policy setting, Internet Explorer 11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows. + +If you don't configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default. > [!TIP] @@ -3532,14 +3641,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows* - GP name: *Advanced_EnableEnhancedProtectedMode64Bit* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* - +
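Review bot: the "Important: Some ActiveX controls and toolbars may not be available..." paragraph added in the hunk at -3523,6 +3623,15 is plain text, while this file already uses alert callouts (> [!TIP]) a few lines later. Use the matching > [!IMPORTANT] callout so the compatibility warning is rendered as one. The hunk also says "If you don't configure" where the neighbouring descriptions say "do not configure"; align the wording.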
          @@ -3595,14 +3704,14 @@ If you disable or do not configure this policy setting, the user can configure p > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Prevent changing proxy settings* - GP name: *RestrictProxy* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
          @@ -3658,14 +3767,14 @@ If you disable or do not configure this policy setting, the user can change the > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Prevent changing the default search provider* - GP name: *NoSearchProvider* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
          @@ -3713,7 +3822,7 @@ If you enable this policy setting, you can specify which default home pages shou If you disable or do not configure this policy setting, the user can add secondary home pages. -Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages. +Note: If the “Disable Changing Home Page Settings” policy is enabled, the user cannot add secondary home pages. > [!TIP] @@ -3723,14 +3832,14 @@ Note: If the Disable Changing Home Page Settings policy is enabled, the user can > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Disable changing secondary home page settings* - GP name: *SecondaryHomePages* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
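Review bot: the replacement Note line in the hunk at -3713,7 +3822,7 wraps the policy name in typographic quotes (“Disable Changing Home Page Settings”), but other descriptions in this change quote policy names with straight quotes, for example "Prevent access to Delete Browsing History". Use straight quotes here too, and match the casing of the GP English name, *Disable changing home page settings*.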
          @@ -3772,6 +3881,11 @@ ADMX Info: +This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk. + +If you enable this policy setting, the feature is turned off. + +If you disable or do not configure this policy setting, the feature is turned on. > [!TIP] @@ -3781,14 +3895,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn off the Security Settings Check feature* - GP name: *Disable_Security_Settings_Check* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
          @@ -3845,14 +3959,14 @@ This policy is intended to help the administrator maintain version control for I > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Disable Periodic Check for Internet Explorer software updates* - GP name: *NoUpdateCheck* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
          @@ -3894,6 +4008,15 @@ ADMX Info: +This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode. + +Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. + +When Enhanced Protected Mode is enabled, and a user encounters a website that attempts to load an ActiveX control that is not compatible with Enhanced Protected Mode, Internet Explorer notifies the user and gives the option to disable Enhanced Protected Mode for that particular website. + +If you enable this policy setting, Internet Explorer will not give the user the option to disable Enhanced Protected Mode. All Protected Mode websites will run in Enhanced Protected Mode. + +If you disable or do not configure this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regular Protected Mode. This is the default behavior. > [!TIP] 
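Review bot: the first and third added paragraphs in the hunk at -3894,6 +4008,15 describe the same notification twice with different wording: the first says the user gets "the option to run the website in regular Protected Mode", the third says the user gets "the option to disable Enhanced Protected Mode for that particular website". Merge them into one paragraph with one phrasing so readers do not take them for two separate prompts. The opening sentence would also be clearer if it said the setting removes the user's ability to drop out of Enhanced Protected Mode for such sites.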
@@ -3903,14 +4026,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled* - GP name: *Advanced_DisableEPMCompat* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* - +
          @@ -3971,14 +4094,14 @@ Also, see the "Security zones: Use only machine settings" policy. > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Security Zones: Do not allow users to add/delete sites* - GP name: *Security_zones_map_edit* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
          @@ -4039,14 +4162,14 @@ Also, see the "Security zones: Use only machine settings" policy. > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Security Zones: Do not allow users to change policies* - GP name: *Security_options_edit* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
          @@ -4104,14 +4227,14 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn off blocking of outdated ActiveX controls for Internet Explorer* - GP name: *VerMgmtDisable* - GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* - +
          @@ -4173,14 +4296,14 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains* - GP name: *VerMgmtDomainAllowlist* - GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* - +
          @@ -4238,14 +4361,14 @@ If you do not configure this policy setting, users choose whether to force local > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Intranet Sites: Include all local (intranet) sites not listed in other zones* - GP name: *IZ_IncludeUnspecifiedLocalSites* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* - +
          @@ -4303,14 +4426,14 @@ If you do not configure this policy setting, users choose whether network paths > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Intranet Sites: Include all network paths (UNCs)* - GP name: *IZ_UNCAsIntranet* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* - +
          @@ -4368,14 +4491,14 @@ If you do not configure this policy setting, users cannot load a page in the zon > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -4433,14 +4556,14 @@ If you do not configure this policy setting, ActiveX control installations will > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -4496,14 +4619,14 @@ If you disable or do not configure this setting, file downloads that are not use > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -4545,6 +4668,15 @@ ADMX Info: +This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. + +If you enable this policy setting, a script can perform a clipboard operation. + +If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. + +If you disable this policy setting, a script cannot perform a clipboard operation. + +If you do not configure this policy setting, a script can perform a clipboard operation. > [!TIP] @@ -4554,14 +4686,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow cut, copy or paste operations from the clipboard via script* - GP name: *IZ_PolicyAllowPasteViaScript_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
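Review bot: "in a specified region" in the first added sentence of the hunk at -4545,6 +4668,15 is undefined; the GP path shows this is a per-zone setting (Internet Zone), and the neighbouring descriptions say "zone". Change it to "in this zone". Since the not-configured outcome is the same as the enabled one ("a script can perform a clipboard operation"), consider saying explicitly that script clipboard access is the default for this zone so administrators know they must disable it or choose Prompt to restrict it.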
          @@ -4603,6 +4735,13 @@ ADMX Info: +This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. + +If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. + +If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone. + +If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically. > [!TIP] @@ -4612,14 +4751,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow drag and drop or copy and paste files* - GP name: *IZ_PolicyDropOrPasteFiles_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -4677,14 +4816,14 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -4742,14 +4881,14 @@ If you do not configure this policy setting, Web sites from less privileged zone > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -4791,6 +4930,13 @@ ADMX Info: +This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. + +If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. + +If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior. + +If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. > [!TIP] @@ -4800,14 +4946,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow loading of XAML files* - GP name: *IZ_Policy_XAML_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -4865,14 +5011,14 @@ If you do not configure this policy setting, Internet Explorer will execute unsi > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -4914,6 +5060,11 @@ ADMX Info: +This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. + +If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites. + +If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. > [!TIP] @@ -4923,14 +5074,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow only approved domains to use ActiveX controls without prompt* - GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
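Review bot: the description added in the hunk at -4914,6 +5060,11 covers the enabled and disabled states but not the not-configured state, which every other description in this change documents. Add an "If you do not configure this policy setting, ..." sentence. Because the disabled state lets ActiveX controls "run from all sites in this zone" without the per-site prompt, the default matters to anyone reviewing this setting.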
          @@ -4972,6 +5123,11 @@ ADMX Info: +This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites. + +If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone. + +If you disable this policy setting, the TDC Active X control will run from all sites in this zone. > [!TIP] @@ -4981,14 +5137,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow only approved domains to use the TDC ActiveX control* - GP name: *IZ_PolicyAllowTDCControl_Both_Internet* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
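Review bot: the last added sentence in the hunk at -4972,6 +5123,11 spells the name "TDC Active X control", while the two sentences above it and the GP English name use "ActiveX"; fix the spelling. The hunk also omits the not-configured case, and the opening sentence ("whether or not the user is allowed to run") does not make clear that enabling the setting is what blocks the control.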
          @@ -5030,6 +5186,13 @@ ADMX Info: +This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. + +If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature. + +If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. + +If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. > [!TIP] @@ -5039,14 +5202,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow script-initiated windows without size or position constraints* - GP name: *IZ_PolicyWindowsRestrictionsURLaction_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
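Review bot: the "If you disable" and "If you do not configure" paragraphs added in the hunk at -5030,6 +5186,13 are word-for-word identical apart from their first clause. Collapse them into a single "If you disable or do not configure this policy setting, ..." paragraph, as the other descriptions in this change do. "The possible harmful actions" would also read better as "potentially harmful actions".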
          @@ -5088,6 +5251,13 @@ ADMX Info: +This policy setting determines whether a page can control embedded WebBrowser controls via script. + +If you enable this policy setting, script access to the WebBrowser control is allowed. + +If you disable this policy setting, script access to the WebBrowser control is not allowed. + +If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. > [!TIP] @@ -5097,14 +5267,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow scripting of Internet Explorer WebBrowser controls* - GP name: *IZ_Policy_WebBrowserControl_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -5162,14 +5332,14 @@ If you do not configure this policy setting, the user can enable or disable scri > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -5229,14 +5399,14 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -5278,6 +5448,11 @@ ADMX Info: +This policy setting allows you to manage whether script is allowed to update the status bar within the zone. + +If you enable this policy setting, script is allowed to update the status bar. + +If you disable or do not configure this policy setting, script is not allowed to update the status bar. > [!TIP] @@ -5287,14 +5462,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow updates to status bar via script* - GP name: *IZ_Policy_ScriptStatusBar_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -5352,14 +5527,58 @@ If you do not configure this policy setting, users can preserve information in t > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - + + + +
          + + +**InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + + +This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. + +If you selected Enable in the drop-down box, VBScript can run without user intervention. + +If you selected Prompt in the drop-down box, users are asked to choose whether to allow VBScript to run. + +If you selected Disable in the drop-down box, VBScript is prevented from running. + +If you do not configure or disable this policy setting, VBScript is prevented from running. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow VBScript to run in Internet Explorer* +- GP name: *IZ_PolicyAllowVBScript_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* +- GP ADMX file name: *inetres.admx* + +
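Review bot: The new InternetZoneAllowVBScriptToRunInInternetExplorer description goes straight to "If you selected Enable in the drop-down box" without first saying that enabling the policy setting is what exposes the drop-down. Add a lead sentence along the lines of "If you enable this policy setting, you can choose from the drop-down box", and use the present tense ("If you select") to match the other descriptions in this file. The closing sentence, "If you do not configure or disable this policy setting", can be parsed as "do not (configure or disable)"; "If you disable or do not configure this policy setting" is unambiguous.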
          @@ -5401,6 +5620,13 @@ ADMX Info: +This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. + +If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. + +If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. + +If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. > [!TIP] @@ -5410,14 +5636,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Don't run antimalware programs against ActiveX controls* - GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -5459,6 +5685,13 @@ ADMX Info: +This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. + +If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. + +If you disable the policy setting, signed controls cannot be downloaded. + +If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. > [!TIP] @@ -5468,14 +5701,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Download signed ActiveX controls* - GP name: *IZ_PolicyDownloadSignedActiveX_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -5517,6 +5750,13 @@ ADMX Info: +This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. + +If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. + +If you disable this policy setting, users cannot run unsigned controls. + +If you do not configure this policy setting, users cannot run unsigned controls. > [!TIP] @@ -5526,14 +5766,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Download unsigned ActiveX controls* - GP name: *IZ_PolicyDownloadUnsignedActiveX_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
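Review bot: The first added sentence says the setting manages whether users may download unsigned ActiveX controls, but the enable, disable and not-configured paragraphs all describe whether users can run them ("users can run unsigned controls without user intervention", "users cannot run unsigned controls"). Use one verb throughout, matching the GP English name "Download unsigned ActiveX controls", or state explicitly that the setting governs both download and execution. The disable and not-configured paragraphs are identical and can be merged into one.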
          @@ -5575,6 +5815,11 @@ ADMX Info: +This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. + +If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections. + +If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. > [!TIP] @@ -5584,14 +5829,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on Cross-Site Scripting Filter* - GP name: *IZ_PolicyTurnOnXSSFilter_Both_Internet* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
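Review bot: The added XSS Filter description covers only the enabled and disabled states. Unlike the neighbouring descriptions it has no "If you do not configure this policy setting" paragraph, so a reader cannot tell what the zone's default is; please add it. "This policy controls" should be "This policy setting controls" for consistency with the rest of the file. In the disabled paragraph, "Internet Explorer permits cross-site script injections" would mirror the enabled paragraph better if it said the filter no longer attempts to block them.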
          @@ -5633,6 +5878,15 @@ ADMX Info: +This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. + +If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. + +If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting. + +In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog. + +In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. > [!TIP] @@ -5642,14 +5896,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Enable dragging of content from different domains across windows* - GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -5691,6 +5945,15 @@ ADMX Info: +This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. + +If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting. + +If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. + +In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. + +In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. > [!TIP] @@ -5700,14 +5963,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Enable dragging of content from different domains within a window* - GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
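Review bot: Within the added same-window drag-and-drop description, the lock-out wording is inconsistent: the "click Enable" paragraph ends "Users cannot change this setting." while the "click Disable" and Internet Explorer 9 paragraphs end "Users cannot change this setting in the Internet Options dialog." Use one phrasing in all three, and use the same one in the across-windows description in the preceding hunk, which also has a stray "both" in "when both the source and destination are in different windows".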
          @@ -5749,6 +6012,13 @@ ADMX Info: +This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature. + +If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature. + +If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. + +If you do not configure this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. > [!TIP] @@ -5758,14 +6028,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Enable MIME Sniffing* - GP name: *IZ_PolicyMimeSniffingURLaction_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
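Review bot: The not-configured paragraph says "the MIME Sniffing Safety Feature will not apply in this zone", which is the same outcome as enabling the setting and the opposite of the disabled state. Since this is the Internet Zone description, please confirm that default against the ADMX explain text before merging. It would also help to state in the first paragraph that enabling "Enable MIME Sniffing" removes the safety feature, because the disabled paragraph ("the actions that may be harmful cannot run") never names which actions it means.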
          @@ -5807,6 +6077,13 @@ ADMX Info: +This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. + +If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. + +If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. + +If you do not configure this policy setting, the user can turn on or turn off Protected Mode. > [!TIP] @@ -5816,14 +6093,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on Protected Mode* - GP name: *IZ_Policy_TurnOnProtectedMode_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -5865,6 +6142,13 @@ ADMX Info: +This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. + +If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. + +If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. + +If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. > [!TIP] @@ -5874,14 +6158,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Include local path when user is uploading files to a server* - GP name: *IZ_Policy_LocalPathForUpload_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
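Review bot: Style point in the not-configured paragraph: "when he or she is uploading a file" should be reworded to avoid the gendered pair, for example "the user can choose whether path information is sent when uploading a file via an HTML form". The first paragraph already explains that the path can reveal the user name, so consider moving "By default, path information is sent" next to that sentence, where the privacy impact is described.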
          @@ -5941,14 +6225,14 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -6023,6 +6307,19 @@ ADMX Info: +This policy setting allows you to manage permissions for Java applets. + +If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. + +Low Safety enables applets to perform all operations. + +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. + +High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. + +If you disable this policy setting, Java applets cannot run. + +If you do not configure this policy setting, the permission is set to High Safety. > [!TIP] @@ -6032,14 +6329,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
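Review bot: The Java permissions options were flattened into running prose, which leaves fragments such as "Custom, to control permissions settings individually." and glues two separate options together in "High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running." Format the five options (Custom, Low Safety, Medium Safety, High Safety, Disable Java) as a bulleted list under the "If you enable this policy setting" sentence so each option and its effect can be read on its own line.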
          @@ -6081,6 +6378,13 @@ ADMX Info: +This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. + +If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. + +If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. + +If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. > [!TIP] @@ -6090,14 +6394,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Launching applications and files in an IFRAME* - GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -6139,6 +6443,21 @@ ADMX Info: +This policy setting allows you to manage settings for logon options. + +If you enable this policy setting, you can choose from the following logon options. + +Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. + +Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. + +Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session. + +Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password. + +If you disable this policy setting, logon is set to Automatic logon only in Intranet zone. + +If you do not configure this policy setting, logon is set to Automatic logon only in Intranet zone. > [!TIP] @@ -6148,14 +6467,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Logon options* - GP name: *IZ_PolicyLogon_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
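Review bot: The four logon options are added as stand-alone paragraphs that are not full sentences ("Anonymous logon to disable HTTP authentication ...", "Prompt for user name and password to query users ..."), so it is hard to see where an option name ends and its description begins. Put them in a bulleted list with the option name set off, for example in bold or followed by a colon. The disable and not-configured paragraphs both resolve to "Automatic logon only in Intranet zone" and can be merged into one sentence.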
          @@ -6213,14 +6532,14 @@ If you do not configure this policy setting, users can open windows and frames f > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -6262,6 +6581,13 @@ ADMX Info: +This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. + +If you disable this policy setting, Internet Explorer will not execute signed managed components. + +If you do not configure this policy setting, Internet Explorer will execute signed managed components. > [!TIP] @@ -6271,14 +6597,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Run .NET Framework-reliant components signed with Authenticode* - GP name: *IZ_PolicySignedFrameworkComponentsURLaction_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -6320,6 +6646,13 @@ ADMX Info: +This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). + +If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. + +If you disable this policy setting, these files do not open. + +If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. > [!TIP] @@ -6329,14 +6662,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Show security warning for potentially unsafe files* - GP name: *IZ_Policy_UnsafeFiles_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -6378,6 +6711,13 @@ ADMX Info: +This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. + +If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. + +If you disable this policy setting, pop-up windows are not prevented from appearing. + +If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. > [!TIP] @@ -6387,14 +6727,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Use Pop-up Blocker* - GP name: *IZ_PolicyBlockPopupWindows_1* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -6452,14 +6792,14 @@ If you do not configure this policy setting, users are queried to choose whether > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_3* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -6517,14 +6857,14 @@ If you do not configure this policy setting, users will receive a prompt when a > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_3* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -6580,14 +6920,14 @@ If you disable or do not configure this setting, users will receive a file downl > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_3* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -6645,14 +6985,14 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_3* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -6710,14 +7050,14 @@ If you do not configure this policy setting, Web sites from less privileged zone > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_3* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -6775,14 +7115,14 @@ If you do not configure this policy setting, Internet Explorer will execute unsi > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_3* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -6840,14 +7180,14 @@ If you do not configure this policy setting, the user can enable or disable scri > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_3* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -6907,14 +7247,14 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_3* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -6972,14 +7312,14 @@ If you do not configure this policy setting, users can preserve information in t > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_3* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -7021,6 +7361,13 @@ ADMX Info: +This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. + +If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. + +If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. + +If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. > [!TIP] @@ -7030,14 +7377,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Don't run antimalware programs against ActiveX controls* - GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_3* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* - +
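Review bot: In the description added for IZ_PolicyAntiMalwareCheckingOfActiveXControls_3, the "enable" and "don't configure" paragraphs both say Internet Explorer won't check with the antimalware program. Because the policy name is itself a negative ("Don't run antimalware programs against ActiveX controls"), it is easy to misread which state keeps the scan on. Suggest stating outright that Disabled is the state in which the check always runs. Also give "Users can turn this behavior on or off, using Internet Explorer Security settings" its own line, since it is the one difference the text gives between the unconfigured and enabled states.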
          @@ -7097,14 +7444,14 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -7146,6 +7493,19 @@ ADMX Info: +This policy setting allows you to manage permissions for Java applets. + +If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. + +Low Safety enables applets to perform all operations. + +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. + +High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. + +If you disable this policy setting, Java applets cannot run. + +If you do not configure this policy setting, the permission is set to Medium Safety. > [!TIP] @@ -7155,14 +7515,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_3* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* - +
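Review bot: The option list in the added Java permissions text for IZ_PolicyJavaPermissions_3 has been flattened into prose: "Custom, to control permissions settings individually." is a fragment hanging off the drop-down sentence, and "Disable Java to prevent any applets from running." is tacked onto the High Safety paragraph where it reads like an instruction rather than a fifth option. Suggest a bullet list with one item each for Custom, Low Safety, Medium Safety, High Safety and Disable Java. Separately, "choose options from the drop-down box" describes the Group Policy editor; since the TIP below it says this policy is set through SyncML, the text should say how an option is selected in that payload or link to where that is documented.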
          @@ -7220,14 +7580,14 @@ If you do not configure this policy setting, users can open windows and frames f > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_3* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -7285,14 +7645,14 @@ If you do not configure this policy setting, users can load a page in the zone t > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_9* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -7350,14 +7710,14 @@ If you do not configure this policy setting, users will receive a prompt when a > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_9* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -7413,14 +7773,14 @@ If you disable or do not configure this setting, users will receive a file downl > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_9* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -7478,14 +7838,14 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_9* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -7543,14 +7903,14 @@ If you do not configure this policy setting, the possibly harmful navigations ar > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_9* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -7608,14 +7968,14 @@ If you do not configure this policy setting, Internet Explorer will not execute > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_9* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -7673,14 +8033,14 @@ If you do not configure this policy setting, the user can enable or disable scri > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_9* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -7740,14 +8100,14 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_9* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -7805,14 +8165,14 @@ If you do not configure this policy setting, users can preserve information in t > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_9* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -7854,6 +8214,13 @@ ADMX Info: +This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. + +If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. + +If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. + +If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. > [!TIP] @@ -7863,14 +8230,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Don't run antimalware programs against ActiveX controls* - GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_9* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
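Review bot: The description added for IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 is word for word the text added for the _3 (Intranet Zone) entry and never names the zone it governs, so a reader landing on this section cannot tell from the description alone that it applies to the Local Machine Zone. Suggest naming the zone in the first sentence, and confirming against inetres.admx that the stated not-configured behavior (no antimalware check, user-changeable) is correct for this zone rather than carried over from the Intranet Zone copy.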
          @@ -7930,14 +8297,14 @@ If you do not configure this policy setting, users are queried whether to allow > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_9* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -7979,6 +8346,19 @@ ADMX Info: +This policy setting allows you to manage permissions for Java applets. + +If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. + +Low Safety enables applets to perform all operations. + +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. + +High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. + +If you disable this policy setting, Java applets cannot run. + +If you do not configure this policy setting, the permission is set to Medium Safety. > [!TIP] @@ -7988,14 +8368,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_9* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
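Review bot: The last added paragraph for IZ_PolicyJavaPermissions_9 says an unconfigured policy leaves the Local Machine Zone at Medium Safety, which by the definition two paragraphs earlier grants scratch space and user-controlled file I/O on top of the sandbox. That default deserves more than a closing sentence: suggest noting next to it that an administrator who wants sandbox-only (High Safety) or no applets (Disable Java, or disabling the policy) has to configure the setting explicitly, because the locked-down zone entries in this same patch document a different unconfigured default ("Java applets are disabled").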
          @@ -8053,14 +8433,14 @@ If you do not configure this policy setting, users can open windows and frames f > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_9* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -8118,14 +8498,14 @@ If you do not configure this policy setting, users cannot load a page in the zon > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_2* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -8183,14 +8563,14 @@ If you do not configure this policy setting, ActiveX control installations will > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_2* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -8246,14 +8626,14 @@ If you disable or do not configure this setting, file downloads that are not use > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_2* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -8311,14 +8691,14 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_2* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -8376,14 +8756,14 @@ If you do not configure this policy setting, the possibly harmful navigations ar > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_2* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -8441,14 +8821,14 @@ If you do not configure this policy setting, Internet Explorer will not execute > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_2* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -8506,14 +8886,14 @@ If you do not configure this policy setting, the user can enable or disable scri > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_2* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -8573,14 +8953,14 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_2* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -8638,14 +9018,14 @@ If you do not configure this policy setting, users can preserve information in t > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_2* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -8705,14 +9085,14 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_2* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -8754,6 +9134,19 @@ ADMX Info: +This policy setting allows you to manage permissions for Java applets. + +If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. + +Low Safety enables applets to perform all operations. + +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. + +High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. + +If you disable this policy setting, Java applets cannot run. + +If you do not configure this policy setting, Java applets are disabled. > [!TIP] @@ -8763,14 +9156,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_2* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* - +
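Review bot: In the text added for IZ_PolicyJavaPermissions_2, the disabled and unconfigured states are described with two different phrasings for what looks like the same outcome: "If you disable this policy setting, Java applets cannot run." versus "If you do not configure this policy setting, Java applets are disabled." If the two states are equivalent, use the same wording for both. If the unconfigured state only sets a default that the user can still change, say so, as the antimalware descriptions added elsewhere in this patch do with "Users can turn this behavior on or off".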
          @@ -8828,14 +9221,62 @@ If you do not configure this policy setting, users can open windows and frames f > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_2* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* - + + + +
          + + +**InternetExplorer/LockedDownIntranetJavaPermissions** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + + +This policy setting allows you to manage permissions for Java applets. + +If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. + +Low Safety enables applets to perform all operations. + +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. + +High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. + +If you disable this policy setting, Java applets cannot run. + +If you do not configure this policy setting, Java applets are disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Java permissions* +- GP name: *IZ_PolicyJavaPermissions_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* +- GP ADMX file name: *inetres.admx* + +
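Review bot: The new InternetExplorer/LockedDownIntranetJavaPermissions section is inserted ahead of the other Locked-Down Intranet Zone entries (the next hunk is IZ_PolicyAccessDataSourcesAcrossDomains_4), while in the Intranet, Local Machine and Locked-Down Internet zones the Java permissions entry sits between "Initialize and script ActiveX controls not marked as safe" and "Navigate windows and frames across different domains". Further down, the _4 hunks for those two policies follow each other with no Java entry between them. If the page is ordered by policy name this is fine, but please confirm the placement is intentional. The description is also identical to the Locked-Down Internet Zone (_2) text, including the "drop-down box" wording, so the fragment "Custom, to control permissions settings individually." and the run-on option list should be turned into a proper list here as well.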
          @@ -8893,14 +9334,14 @@ If you do not configure this policy setting, users are queried to choose whether > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_4* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -8958,14 +9399,14 @@ If you do not configure this policy setting, ActiveX control installations will > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_4* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -9021,14 +9462,14 @@ If you disable or do not configure this setting, file downloads that are not use > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_4* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -9086,14 +9527,14 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_4* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -9151,14 +9592,14 @@ If you do not configure this policy setting, the possibly harmful navigations ar > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_4* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -9216,14 +9657,14 @@ If you do not configure this policy setting, Internet Explorer will not execute > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_4* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -9281,14 +9722,14 @@ If you do not configure this policy setting, the user can enable or disable scri > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_4* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -9348,14 +9789,14 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_4* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -9413,14 +9854,14 @@ If you do not configure this policy setting, users can preserve information in t > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_4* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -9480,14 +9921,14 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_4* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -9545,14 +9986,14 @@ If you do not configure this policy setting, users can open windows and frames f > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_4* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -9610,14 +10051,14 @@ If you do not configure this policy setting, users can load a page in the zone t > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_10* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -9675,14 +10116,14 @@ If you do not configure this policy setting, ActiveX control installations will > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_10* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -9738,14 +10179,14 @@ If you disable or do not configure this setting, file downloads that are not use > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_10* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -9803,14 +10244,14 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_10* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -9868,14 +10309,14 @@ If you do not configure this policy setting, the possibly harmful navigations ar > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_10* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -9933,14 +10374,14 @@ If you do not configure this policy setting, Internet Explorer will not execute > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_10* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -9998,14 +10439,14 @@ If you do not configure this policy setting, the user can enable or disable scri > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_10* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -10065,14 +10506,14 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_10* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -10130,14 +10571,14 @@ If you do not configure this policy setting, users can preserve information in t > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_10* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -10197,14 +10638,14 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_10* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -10246,6 +10687,19 @@ ADMX Info: +This policy setting allows you to manage permissions for Java applets. + +If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. + +Low Safety enables applets to perform all operations. + +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. + +High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. + +If you disable this policy setting, Java applets cannot run. + +If you do not configure this policy setting, Java applets are disabled. > [!TIP] @@ -10255,14 +10709,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_10* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
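Review bot: The option list in the added Java permissions text is broken up. "Custom, to control permissions settings individually." is a sentence fragment attached to the enable paragraph, and "Disable Java to prevent any applets from running." is appended to the High Safety paragraph as if it were part of that option. Suggest a bulleted list with one entry each for Custom, Low Safety, Medium Safety, High Safety and Disable Java, so every drop-down choice and its effect can be read on its own line.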
          @@ -10320,14 +10774,14 @@ If you do not configure this policy setting, users can open windows and frames f > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_10* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -10385,14 +10839,14 @@ If you do not configure this policy setting, users cannot load a page in the zon > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_8* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -10450,14 +10904,14 @@ If you do not configure this policy setting, ActiveX control installations will > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_8* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -10513,14 +10967,14 @@ If you disable or do not configure this setting, file downloads that are not use > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_8* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -10578,14 +11032,14 @@ If you do not configure this policy setting, users are queried whether to allow > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_8* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -10643,14 +11097,14 @@ If you do not configure this policy setting, the possibly harmful navigations ar > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_8* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -10708,14 +11162,14 @@ If you do not configure this policy setting, Internet Explorer will not execute > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_8* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -10773,14 +11227,14 @@ If you do not configure this policy setting, the user can enable or disable scri > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_8* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -10840,14 +11294,14 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_8* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -10905,14 +11359,14 @@ If you do not configure this policy setting, users cannot preserve information i > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_8* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -10972,14 +11426,14 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_8* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -11021,6 +11475,19 @@ ADMX Info: +This policy setting allows you to manage permissions for Java applets. + +If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. + +Low Safety enables applets to perform all operations. + +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. + +High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. + +If you disable this policy setting, Java applets cannot run. + +If you do not configure this policy setting, Java applets are disabled. > [!TIP] @@ -11030,14 +11497,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_8* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
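Review bot: The last two added paragraphs give the same outcome in two different wordings: "Java applets cannot run" for the disabled state and "Java applets are disabled" for the not-configured state. If the two states behave identically, merge them into the "If you disable or do not configure this policy setting, ..." form that other entries in this file use. If they differ, for example in whether the user can change the value, say so explicitly.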
          @@ -11095,14 +11562,14 @@ If you do not configure this policy setting, users cannot open other windows and > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_8* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -11160,14 +11627,14 @@ If you do not configure this policy setting, users can load a page in the zone t > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_6* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -11225,14 +11692,14 @@ If you do not configure this policy setting, ActiveX control installations will > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_6* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -11288,14 +11755,14 @@ If you disable or do not configure this setting, file downloads that are not use > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_6* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -11353,14 +11820,14 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_6* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -11418,14 +11885,14 @@ If you do not configure this policy setting, the possibly harmful navigations ar > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_6* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -11483,14 +11950,14 @@ If you do not configure this policy setting, Internet Explorer will not execute > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_6* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -11548,14 +12015,14 @@ If you do not configure this policy setting, the user can enable or disable scri > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_6* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -11615,14 +12082,14 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_6* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -11680,14 +12147,14 @@ If you do not configure this policy setting, users can preserve information in t > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_6* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -11747,14 +12214,14 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_6* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -11796,6 +12263,19 @@ ADMX Info: +This policy setting allows you to manage permissions for Java applets. + +If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. + +Low Safety enables applets to perform all operations. + +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. + +High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. + +If you disable this policy setting, Java applets cannot run. + +If you do not configure this policy setting, Java applets are disabled. > [!TIP] @@ -11805,14 +12285,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_6* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
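Review bot: The added description never names the zone it governs; the reader learns that this entry is for the Locked-Down Trusted Sites Zone only from the GP path further down, and the same wording is added for the Locked-Down Local Machine and Locked-Down Restricted Sites entries. Suggest opening with the zone name ("... for Java applets in this zone" at minimum) and confirming that the stated not-configured result, "Java applets are disabled", was checked for this zone rather than carried over with the copied text.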
          @@ -11870,14 +12350,14 @@ If you do not configure this policy setting, users can open windows and frames f > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_6* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -11919,6 +12399,13 @@ ADMX Info: +The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail. + +If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. + +If you disable this policy setting, applications can use the MK protocol API. Resources hosted on the MK protocol will work for the File Explorer and Internet Explorer processes. + +If you do not configure this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. > [!TIP] @@ -11928,14 +12415,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Internet Explorer Processes* - GP name: *IESF_PolicyExplorerProcesses_3* - GP path: *Windows Components/Internet Explorer/Security Features/MK Protocol Security Restriction* - GP ADMX file name: *inetres.admx* - +
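Review bot: The first added paragraph states unconditionally that "Resources hosted on the MK protocol will fail", but the disable paragraph says they "will work for the File Explorer and Internet Explorer processes", so the opening sentence only holds for the enabled and not-configured states. Suggest dropping that sentence from the introduction or qualifying it ("when the restriction is in effect"), and changing "preventing the MK protocol" to "blocking use of the MK protocol". The disable paragraph also mixes scopes: "applications can use the MK protocol API" reads as system-wide, while the next sentence is limited to two processes.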
          @@ -11977,6 +12464,13 @@ ADMX Info: +This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. + +If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. + +If you disable this policy setting, Internet Explorer processes will allow a MIME sniff promoting a file of one type to a more dangerous file type. + +If you do not configure this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. > [!TIP] @@ -11986,14 +12480,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Internet Explorer Processes* - GP name: *IESF_PolicyExplorerProcesses_6* - GP path: *Windows Components/Internet Explorer/Security Features/Mime Sniffing Safety Feature* - GP ADMX file name: *inetres.admx* - +
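Review bot: The enabled and not-configured paragraphs drop the process scope that the disabled paragraph and the GP English name (*Internet Explorer Processes*) carry. "MIME sniffing will never promote a file of one type to a more dangerous file type" reads as a global guarantee, whereas the disabled case is worded "Internet Explorer processes will allow ...". Suggest adding "for Internet Explorer processes" to both sentences so the three states describe the same scope.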
          @@ -12035,6 +12529,13 @@ ADMX Info: +This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes. + +If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes. + +If you disable this policy setting, the Notification bar will not be displayed for Internet Explorer processes. + +If you do not configure this policy setting, the Notification bar will be displayed for Internet Explorer Processes. > [!TIP] @@ -12044,14 +12545,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Internet Explorer Processes* - GP name: *IESF_PolicyExplorerProcesses_10* - GP path: *Windows Components/Internet Explorer/Security Features/Notification bar* - GP ADMX file name: *inetres.admx* - +
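Review bot: Capitalization is inconsistent within the added text: "Internet Explorer Processes" in the enabled and not-configured paragraphs, "Internet Explorer processes" in the introduction and the disabled paragraph. Use lowercase "processes" in running text and keep the capitalized form for the GP English name only. The introduction already states the default ("By default, the Notification bar is displayed ..."), so the not-configured paragraph repeats it; one of the two can go.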
          @@ -12093,6 +12594,11 @@ ADMX Info: +This policy setting prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. + +If you enable this policy setting, the user is not prompted to turn on SmartScreen Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user. + +If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on SmartScreen Filter during the first-run experience. > [!TIP] @@ -12102,14 +12608,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Prevent managing SmartScreen Filter* - GP name: *Disable_Managing_Safety_Filter_IE9* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
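Review bot: The enabled paragraph does not say which state SmartScreen Filter is locked into. It says the user "is not prompted to turn on SmartScreen Filter" and then that addresses not on the allow list "are sent automatically to Microsoft", which implies the filter is forced on, but this is never stated. Because enabling the setting changes what browsing data leaves the device, state the resulting filter state outright, and say whether the user can still change it afterwards, which is what the introduction's "prevents the user from managing" suggests.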
          @@ -12151,6 +12657,11 @@ ADMX Info: +This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis. + +If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis. + +If you disable or do not configure this policy setting, ActiveX controls can be installed on a per-user basis. > [!TIP] @@ -12160,14 +12671,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Prevent per-user installation of ActiveX controls* - GP name: *DisablePerUserActiveXInstall* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
          @@ -12209,6 +12720,13 @@ ADMX Info: +Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. + +If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. + +If you disable this policy setting, no zone receives such protection for Internet Explorer processes. + +If you do not configure this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. > [!TIP] @@ -12218,14 +12736,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: -- GP English name: *All Processes* -- GP name: *IESF_PolicyAllProcesses_9* +- GP English name: *Internet Explorer Processes* +- GP name: *IESF_PolicyExplorerProcesses_9* - GP path: *Windows Components/Internet Explorer/Security Features/Protection From Zone Elevation* - GP ADMX file name: *inetres.admx* - +
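Review bot: The added description for Protection From Zone Elevation never states what the setting itself controls; the first paragraph gives background on zones and then uses "Zone Elevation" in its last sentence without defining it. Open with a sentence in the form the sibling entries use ("This policy setting allows you to manage ..."). The "enable" and "do not configure" paragraphs describe the same outcome, so they can be merged into one.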
          @@ -12267,6 +12785,13 @@ ADMX Info: +This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer. + +If you enable this policy setting, users won't see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. + +If you disable or don't configure this policy setting, users will see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once. + +For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. > [!TIP] @@ -12276,14 +12801,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer * - GP name: *VerMgmtDisableRunThisTime* - GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* - +
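Review bot: In the ADMX Info lines of the second hunk, the GP English name has a space before its closing asterisk ("in Internet Explorer *"), which stops Markdown from rendering the name as emphasis; drop the space while this block is being touched. In the added description, the sentence pointing to "Outdated ActiveX Controls" in the Internet Explorer TechNet library names a topic without linking it; link it the way the TIP block links its references.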
          @@ -12325,6 +12850,13 @@ ADMX Info: +This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. + +If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes. + +If you disable this policy setting, prompting for ActiveX control installations will not be blocked for Internet Explorer processes. + +If you do not configure this policy setting, the user's preference will be used to determine whether to block ActiveX control installations for Internet Explorer processes. > [!TIP] @@ -12334,14 +12866,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: -- GP English name: *All Processes* -- GP name: *IESF_PolicyAllProcesses_11* +- GP English name: *Internet Explorer Processes* +- GP name: *IESF_PolicyExplorerProcesses_11* - GP path: *Windows Components/Internet Explorer/Security Features/Restrict ActiveX Install* - GP ADMX file name: *inetres.admx* - +
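Review bot: The second hunk changes the mapped Group Policy setting from "All Processes" / IESF_PolicyAllProcesses_11 to "Internet Explorer Processes" / IESF_PolicyExplorerProcesses_11 with no explanation in the text. These are different settings under the same GP path, with different scope, so confirm against inetres.admx which one this policy actually sets. The added description speaks only of Internet Explorer processes, which agrees with the new mapping, but readers who relied on the old line should be told the documented scope changed.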
          @@ -12383,6 +12915,13 @@ ADMX Info: +This policy setting enables blocking of file download prompts that are not user initiated. + +If you enable this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes. + +If you disable this policy setting, prompting will occur for file downloads that are not user initiated for Internet Explorer processes. + +If you do not configure this policy setting, the user's preference determines whether to prompt for file downloads that are not user initiated for Internet Explorer processes. > [!TIP] @@ -12392,14 +12931,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: -- GP English name: *All Processes* -- GP name: *IESF_PolicyAllProcesses_12* +- GP English name: *Internet Explorer Processes* +- GP name: *IESF_PolicyExplorerProcesses_12* - GP path: *Windows Components/Internet Explorer/Security Features/Restrict File Download* - GP ADMX file name: *inetres.admx* - +
          @@ -12457,14 +12996,14 @@ If you do not configure this policy setting, users cannot load a page in the zon > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -12506,6 +13045,13 @@ ADMX Info: +This policy setting allows you to manage whether script code on pages in the zone is run. + +If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run. + +If you disable this policy setting, script code on pages in the zone is prevented from running. + +If you do not configure this policy setting, script code on pages in the zone is prevented from running. > [!TIP] @@ -12515,14 +13061,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow active scripting* - GP name: *IZ_PolicyActiveScripting_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -12580,14 +13126,14 @@ If you do not configure this policy setting, ActiveX control installations will > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -12643,14 +13189,14 @@ If you disable or do not configure this setting, file downloads that are not use > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -12692,6 +13238,13 @@ ADMX Info: +This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. + +If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. + +If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. + +If you do not configure this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. > [!TIP] @@ -12701,14 +13254,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow binary and script behaviors* - GP name: *IZ_PolicyBinaryBehaviors_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -12750,6 +13303,15 @@ ADMX Info: +This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. + +If you enable this policy setting, a script can perform a clipboard operation. + +If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. + +If you disable this policy setting, a script cannot perform a clipboard operation. + +If you do not configure this policy setting, a script cannot perform a clipboard operation. > [!TIP] @@ -12759,14 +13321,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow cut, copy or paste operations from the clipboard via script* - GP name: *IZ_PolicyAllowPasteViaScript_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -12808,6 +13370,13 @@ ADMX Info: +This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. + +If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. + +If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone. + +If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone. > [!TIP] @@ -12817,14 +13386,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow drag and drop or copy and paste files* - GP name: *IZ_PolicyDropOrPasteFiles_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -12866,6 +13435,13 @@ ADMX Info: +This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered. + +If you enable this policy setting, files can be downloaded from the zone. + +If you disable this policy setting, files are prevented from being downloaded from the zone. + +If you do not configure this policy setting, files are prevented from being downloaded from the zone. > [!TIP] @@ -12875,14 +13451,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow file downloads* - GP name: *IZ_PolicyFileDownload_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -12940,14 +13516,14 @@ If you do not configure this policy setting, users are queried whether to allow > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -13005,14 +13581,14 @@ If you do not configure this policy setting, the possibly harmful navigations ar > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -13054,6 +13630,13 @@ ADMX Info: +This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. + +If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. + +If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior. + +If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. > [!TIP] @@ -13063,14 +13646,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow loading of XAML files* - GP name: *IZ_Policy_XAML_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -13112,6 +13695,13 @@ ADMX Info: +This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. + +If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page. + +If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. + +If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. > [!TIP] @@ -13121,14 +13711,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow META REFRESH* - GP name: *IZ_PolicyAllowMETAREFRESH_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -13186,14 +13776,14 @@ If you do not configure this policy setting, Internet Explorer will not execute > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -13235,6 +13825,11 @@ ADMX Info: +This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. + +If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites. + +If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. > [!TIP] @@ -13244,14 +13839,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow only approved domains to use ActiveX controls without prompt* - GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
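Review bot: The added description covers only the enabled and disabled states; there is no "If you do not configure this policy setting" paragraph, which most of the other Restricted Sites Zone descriptions in this patch include. Add the unconfigured behaviour. Since the GP English name begins with "Allow only approved domains", also say plainly that disabling is the less restrictive state, the one in which "ActiveX controls can run from all sites in this zone" without the per-site prompt.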
          @@ -13293,6 +13888,11 @@ ADMX Info: +This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites. + +If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone. + +If you disable this policy setting, the TDC Active X control will run from all sites in this zone. > [!TIP] @@ -13302,14 +13902,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow only approved domains to use the TDC ActiveX control* - GP name: *IZ_PolicyAllowTDCControl_Both_Restricted* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
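Review bot: "TDC Active X control" in the added "If you disable this policy setting" paragraph should be "TDC ActiveX control", matching the two sentences above it. The description also lacks a "do not configure" paragraph, and because the GP English name starts with "Allow", it is worth stating explicitly that enabling is the state that blocks the control in this zone.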
          @@ -13351,6 +13951,13 @@ ADMX Info: +This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. + +If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature. + +If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. + +If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. > [!TIP] @@ -13360,14 +13967,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow script-initiated windows without size or position constraints* - GP name: *IZ_PolicyWindowsRestrictionsURLaction_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
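Review bot: "the possible harmful actions" in the added disable and not-configured paragraphs should read "the possibly harmful actions". Those two paragraphs are otherwise word-for-word identical, so fold them into a single "If you disable or do not configure this policy setting" paragraph, as the status bar entry in this patch does.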
          @@ -13409,6 +14016,13 @@ ADMX Info: +This policy setting determines whether a page can control embedded WebBrowser controls via script. + +If you enable this policy setting, script access to the WebBrowser control is allowed. + +If you disable this policy setting, script access to the WebBrowser control is not allowed. + +If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. > [!TIP] @@ -13418,14 +14032,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow scripting of Internet Explorer WebBrowser controls* - GP name: *IZ_Policy_WebBrowserControl_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -13483,14 +14097,14 @@ If you do not configure this policy setting, the user can enable or disable scri > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -13550,14 +14164,14 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -13599,6 +14213,11 @@ ADMX Info: +This policy setting allows you to manage whether script is allowed to update the status bar within the zone. + +If you enable this policy setting, script is allowed to update the status bar. + +If you disable or do not configure this policy setting, script is not allowed to update the status bar. > [!TIP] @@ -13608,14 +14227,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow updates to status bar via script* - GP name: *IZ_Policy_ScriptStatusBar_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -13673,14 +14292,58 @@ If you do not configure this policy setting, users cannot preserve information i > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - + + + +
          + + +**InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
          + + + +This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. + +If you selected Enable in the drop-down box, VBScript can run without user intervention. + +If you selected Prompt in the drop-down box, users are asked to choose whether to allow VBScript to run. + +If you selected Disable in the drop-down box, VBScript is prevented from running. + +If you do not configure or disable this policy setting, VBScript is prevented from running. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow VBScript to run in Internet Explorer* +- GP name: *IZ_PolicyAllowVBScript_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + +
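Review bot: The added description for RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer goes straight to "If you selected Enable in the drop-down box" without first saying "If you enable this policy setting", and it uses the past tense where the other zone entries in this patch write "If you select Prompt in the drop-down box". Restructure it to match them: one sentence for enabling the setting, then the three drop-down choices in the present tense. The last paragraph, "If you do not configure or disable this policy setting", reads more clearly as "If you disable or do not configure this policy setting", and it should be distinguished from choosing Disable in the drop-down, which the text currently presents as a separate case with the same result.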
          @@ -13722,6 +14385,13 @@ ADMX Info: +This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. + +If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. + +If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. + +If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. > [!TIP] @@ -13731,14 +14401,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Don't run antimalware programs against ActiveX controls* - GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
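Review bot: The added opening sentence says the setting "determines whether Internet Explorer runs antimalware programs against ActiveX controls", but the setting is phrased negatively: per the next paragraph, enabling it means Internet Explorer "won't check with your antimalware program". Say in the first sentence that enabling turns the check off, so the entry cannot be misread as a hardening option. In the not-configured paragraph, "always checks" conflicts with the following sentence that users can turn the behaviour on or off; drop "always" there.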
          @@ -13780,6 +14450,13 @@ ADMX Info: +This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. + +If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. + +If you disable the policy setting, signed controls cannot be downloaded. + +If you do not configure this policy setting, signed controls cannot be downloaded. > [!TIP] @@ -13789,14 +14466,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Download signed ActiveX controls* - GP name: *IZ_PolicyDownloadSignedActiveX_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -13838,6 +14515,13 @@ ADMX Info: +This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. + +If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. + +If you disable this policy setting, users cannot run unsigned controls. + +If you do not configure this policy setting, users cannot run unsigned controls. > [!TIP] @@ -13847,14 +14531,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Download unsigned ActiveX controls* - GP name: *IZ_PolicyDownloadUnsignedActiveX_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
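Review bot: The added first sentence describes whether users may download unsigned ActiveX controls, while the enable, disable and not-configured paragraphs all describe whether users can run unsigned controls. Use one verb throughout, consistent with the GP English name "Download unsigned ActiveX controls", or state that the setting governs both. The disable and not-configured paragraphs are identical and can be merged.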
          @@ -13896,6 +14580,11 @@ ADMX Info: +This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. + +If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections. + +If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. > [!TIP] @@ -13905,14 +14594,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on Cross-Site Scripting Filter* - GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
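Review bot: The added XSS Filter description in the first hunk covers only the enabled and disabled states; unlike the other descriptions added in this patch, it has no "If you do not configure this policy setting" paragraph. Since the disabled state is described as "Internet Explorer permits cross-site script injections", readers need to know which behaviour they get by default in the Restricted Sites Zone. Please add the not-configured outcome if the ADMX explain text provides one.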
          @@ -13954,6 +14643,15 @@ ADMX Info: +This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. + +If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. + +If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting. + +In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog. + +In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. > [!TIP] @@ -13963,14 +14661,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Enable dragging of content from different domains across windows* - GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
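Review bot: In the first hunk, the version-specific paragraphs describe the default only for "Internet Explorer 10" and "Internet Explorer 9 and earlier versions", with opposite outcomes, and say nothing about later versions. Please state which default applies to the Internet Explorer version this page targets. As a smaller point, "when both the source and destination are in different windows" in the Disable paragraph should drop "both" to match the other paragraphs.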
          @@ -14012,6 +14710,15 @@ ADMX Info: +This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. + +If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting. + +If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. + +In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. + +In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. > [!TIP] @@ -14021,14 +14728,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Enable dragging of content from different domains within a window* - GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
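Review bot: The added text in the first hunk is inconsistent about where the setting is locked: the Enable paragraph ends "Users cannot change this setting." while the Disable and Internet Explorer 9 paragraphs end "Users cannot change this setting in the Internet Options dialog." Use one form throughout, and keep it aligned with the sibling across-windows description.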
          @@ -14070,6 +14777,13 @@ ADMX Info: +This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature. + +If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature. + +If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. + +If you do not configure this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. > [!TIP] @@ -14079,14 +14793,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Enable MIME Sniffing* - GP name: *IZ_PolicyMimeSniffingURLaction_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
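Review bot: In the first hunk, "the actions that may be harmful cannot run" in the disabled and not-configured paragraphs has no antecedent, because nothing earlier in the description names any actions. Suggest describing those states in terms of the feature itself, for example that the MIME Sniffing Safety Feature applies in this zone. It is also worth one sentence on the polarity, since enabling a policy whose GP English name is *Enable MIME Sniffing* removes the safety feature from the zone according to the enabled paragraph.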
          @@ -14128,6 +14842,13 @@ ADMX Info: +This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. + +If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. + +If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. + +If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. > [!TIP] @@ -14137,14 +14858,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Include local path when user is uploading files to a server* - GP name: *IZ_Policy_LocalPathForUpload_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -14204,14 +14925,14 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -14253,6 +14974,19 @@ ADMX Info: +This policy setting allows you to manage permissions for Java applets. + +If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. + +Low Safety enables applets to perform all operations. + +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. + +High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. + +If you disable this policy setting, Java applets cannot run. + +If you do not configure this policy setting, Java applets are disabled. > [!TIP] @@ -14262,14 +14996,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
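Review bot: The drop-down options in the first hunk are written as loose sentences and fragments ("Custom, to control permissions settings individually." and "Disable Java to prevent any applets from running." tacked onto the High Safety line), so it is hard to see that there are five values. Format Custom, Low Safety, Medium Safety, High Safety and Disable Java as a bulleted list with one description each. The disabled and not-configured paragraphs also say the same thing in two ways ("cannot run" and "are disabled") and could share one wording.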
          @@ -14311,6 +15045,13 @@ ADMX Info: +This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. + +If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. + +If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. + +If you do not configure this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. > [!TIP] @@ -14320,14 +15061,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Launching applications and files in an IFRAME* - GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -14369,6 +15110,21 @@ ADMX Info: +This policy setting allows you to manage settings for logon options. + +If you enable this policy setting, you can choose from the following logon options. + +Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. + +Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. + +Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session. + +Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password. + +If you disable this policy setting, logon is set to Automatic logon only in Intranet zone. + +If you do not configure this policy setting, logon is set to Prompt for username and password. > [!TIP] @@ -14378,14 +15134,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Logon options* - GP name: *IZ_PolicyLogon_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
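Review bot: The closing paragraphs of the first hunk state that disabling the setting selects "Automatic logon only in Intranet zone" while leaving it unconfigured selects "Prompt for username and password", so Disabled is not the most restrictive state here, which runs against what admins expect from the other Restricted Sites Zone settings. Please call that out explicitly. The four logon options are also sentence fragments and would read better as a bulleted list, and "username" in the last paragraph should match the "user name" spelling used above it.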
          @@ -14443,14 +15199,14 @@ If you do not configure this policy setting, users cannot open other windows and > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -14492,6 +15248,15 @@ ADMX Info: +This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. + +If you enable this policy setting, controls and plug-ins can run without user intervention. + +If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. + +If you disable this policy setting, controls and plug-ins are prevented from running. + +If you do not configure this policy setting, controls and plug-ins are prevented from running. > [!TIP] @@ -14501,14 +15266,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Run ActiveX controls and plugins* - GP name: *IZ_PolicyRunActiveXControls_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
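Review bot: Two wording nits in the first hunk: "If you selected Prompt in the drop-down box" uses past tense where the other descriptions in this patch use "If you select Prompt", and "the controls or plug-in" mixes plural and singular. Suggest "If you select Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-ins to run."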
          @@ -14550,6 +15315,13 @@ ADMX Info: +This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. + +If you disable this policy setting, Internet Explorer will not execute signed managed components. + +If you do not configure this policy setting, Internet Explorer will not execute signed managed components. > [!TIP] @@ -14559,14 +15331,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Run .NET Framework-reliant components signed with Authenticode* - GP name: *IZ_PolicySignedFrameworkComponentsURLaction_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -14608,6 +15380,15 @@ ADMX Info: +This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. + +If you enable this policy setting, script interaction can occur automatically without user intervention. + +If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. + +If you disable this policy setting, script interaction is prevented from occurring. + +If you do not configure this policy setting, script interaction is prevented from occurring. > [!TIP] @@ -14617,14 +15398,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Script ActiveX controls marked safe for scripting* - GP name: *IZ_PolicyScriptActiveXMarkedSafe_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -14666,6 +15447,15 @@ ADMX Info: +This policy setting allows you to manage whether applets are exposed to scripts within the zone. + +If you enable this policy setting, scripts can access applets automatically without user intervention. + +If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. + +If you disable this policy setting, scripts are prevented from accessing applets. + +If you do not configure this policy setting, scripts are prevented from accessing applets. > [!TIP] @@ -14675,14 +15465,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Scripting of Java applets* - GP name: *IZ_PolicyScriptingOfJavaApplets_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -14724,6 +15514,13 @@ ADMX Info: +This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). + +If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. + +If you disable this policy setting, these files do not open. + +If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. > [!TIP] @@ -14733,14 +15530,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Show security warning for potentially unsafe files* - GP name: *IZ_Policy_UnsafeFiles_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -14782,6 +15579,13 @@ ADMX Info: +This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. + +If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. + +If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. + +If you do not configure this policy setting, the user can turn on or turn off Protected Mode. > [!TIP] @@ -14791,14 +15595,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on Protected Mode* - GP name: *IZ_Policy_TurnOnProtectedMode_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -14840,6 +15644,13 @@ ADMX Info: +This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. + +If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. + +If you disable this policy setting, pop-up windows are not prevented from appearing. + +If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. > [!TIP] @@ -14849,14 +15660,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Use Pop-up Blocker* - GP name: *IZ_PolicyBlockPopupWindows_7* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -14898,6 +15709,13 @@ ADMX Info: +Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. + +If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. + +If you disable this policy setting, scripts can continue to create popup windows and windows that obfuscate other windows. + +If you do not configure this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. > [!TIP] @@ -14907,14 +15725,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: -- GP English name: *All Processes* -- GP name: *IESF_PolicyAllProcesses_8* +- GP English name: *Internet Explorer Processes* +- GP name: *IESF_PolicyExplorerProcesses_8* - GP path: *Windows Components/Internet Explorer/Security Features/Scripted Window Security Restrictions* - GP ADMX file name: *inetres.admx* - +
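Review bot: The second hunk changes the ADMX mapping from *All Processes* / *IESF_PolicyAllProcesses_8* to *Internet Explorer Processes* / *IESF_PolicyExplorerProcesses_8*, which changes the backing policy rather than filling in a description; please confirm it against inetres.admx and mention it in the commit message. In the added description in the first hunk, "obfuscate other Windows' title and status bars" should use a lowercase "windows'" since it refers to on-screen windows ("obscure" is also the clearer verb), and "popup" should match the "pop-up" spelling used in the Pop-up Blocker description.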
          @@ -14970,14 +15788,14 @@ If you disable or do not configure this policy setting, the user can configure h > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Restrict search providers to a specific list* - GP name: *SpecificSearchProvider* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
          @@ -15018,6 +15836,15 @@ ADMX Info: +Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level. + +If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer. + +If you disable this policy or do not configure it, users of the same computer can establish their own security zone settings. + +This policy is intended to ensure that security zone settings apply uniformly to the same computer and do not vary from user to user. + +Also, see the "Security zones: Do not allow users to change policies" policy. > [!TIP] @@ -15027,14 +15854,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Security Zones: Use only machine settings * - GP name: *Security_HKLM_only* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
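Review bot: The added description in the first hunk uses "this policy" and "Web sites" where the rest of the patch uses "this policy setting" and "websites"; please align the terminology. While touching the ADMX block in the second hunk, also remove the trailing space in "*Security Zones: Use only machine settings *", because the space before the closing asterisk prevents the name from rendering as emphasis.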
          @@ -15076,6 +15903,11 @@ ADMX Info: +This policy setting allows you to specify how ActiveX controls are installed. + +If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls. + +If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, are installed through the standard installation process. > [!TIP] @@ -15085,14 +15917,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Specify use of ActiveX Installer Service for installation of ActiveX controls* - GP name: *OnlyUseAXISForActiveXInstall* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* - +
          @@ -15150,14 +15982,14 @@ If you do not configure this policy setting, users can load a page in the zone t > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_5* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -15215,14 +16047,14 @@ If you do not configure this policy setting, users will receive a prompt when a > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_5* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -15278,14 +16110,14 @@ If you disable or do not configure this setting, users will receive a file downl > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_5* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -15343,14 +16175,14 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_5* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -15408,14 +16240,14 @@ If you do not configure this policy setting, a warning is issued to the user tha > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_5* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -15473,14 +16305,14 @@ If you do not configure this policy setting, Internet Explorer will execute unsi > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_5* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -15538,14 +16370,14 @@ If you do not configure this policy setting, the user can enable or disable scri > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_5* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -15605,14 +16437,14 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_5* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -15670,14 +16502,14 @@ If you do not configure this policy setting, users can preserve information in t > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_5* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -15719,6 +16551,13 @@ ADMX Info: +This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. + +If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. + +If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. + +If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. > [!TIP] @@ -15728,14 +16567,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Don't run antimalware programs against ActiveX controls* - GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
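Review bot: In the description added for *Don't run antimalware programs against ActiveX controls* (Trusted Sites Zone), the opening sentence is phrased positively ("determines whether Internet Explorer runs antimalware programs") while the policy name is negative, so Enabled turns the check off and Disabled turns it on. Please state that inversion in the first sentence. The added text also gives the same no-check behaviour for the not-configured state, so it should say plainly that an admin who wants the antimalware check enforced has to set this policy to Disabled rather than leave it unset.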
          @@ -15795,14 +16634,14 @@ If you do not configure this policy setting, users are queried whether to allow > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -15844,6 +16683,19 @@ ADMX Info: +This policy setting allows you to manage permissions for Java applets. + +If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. + +Low Safety enables applets to perform all operations. + +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. + +High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. + +If you disable this policy setting, Java applets cannot run. + +If you do not configure this policy setting, the permission is set to Low Safety. > [!TIP] @@ -15853,14 +16705,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_5* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
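Review bot: The *Java permissions* description added in the first hunk runs the drop-down options into prose, which leaves the fragment "Custom, to control permissions settings individually." and attaches "Disable Java to prevent any applets from running." to the High Safety paragraph. Please format the options as a bullet list (Custom, Low Safety, Medium Safety, High Safety, Disable Java) with one line each. The last added sentence says the not-configured value is Low Safety, which the same text defines as letting applets perform all operations; that default deserves a callout rather than a closing sentence.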
          @@ -15918,14 +16770,14 @@ If you do not configure this policy setting, users can open windows and frames f > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_5* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - +
          @@ -15934,6 +16786,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 361a19a81c..974db5f350 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Kerberos @@ -89,14 +89,14 @@ If you disable or do not configure this policy setting, the Kerberos client does > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Use forest search order* - GP name: *ForestSearch* - GP path: *System/Kerberos* - GP ADMX file name: *Kerberos.admx* - +
          @@ -137,7 +137,7 @@ ADMX Info: -This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. +This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. @@ -150,14 +150,14 @@ If you disable or do not configure this policy setting, the client devices will > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring* - GP name: *EnableCbacAndArmor* - GP path: *System/Kerberos* - GP ADMX file name: *Kerberos.admx* - +
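Review bot: The `-`/`+` pair in the first hunk shows no visible text change, so if it is only trailing whitespace it could be split out from the content edits to keep the diff readable. While this paragraph is being touched, the unchanged lines below it say "compounded authentication" twice, whereas the changed line and the GP English name in the second hunk say "compound authentication"; please make the term consistent.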
          @@ -202,9 +202,9 @@ This policy setting controls whether a computer requires that Kerberos message e Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. -If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. +If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. -Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. +Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. @@ -216,14 +216,14 @@ If you disable or do not configure this policy setting, the client computers in > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Fail authentication requests when Kerberos armoring is not available* - GP name: *ClientRequireFast* - GP path: *System/Kerberos* - GP ADMX file name: *Kerberos.admx* - +
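Review bot: In the first hunk, the lockout warning and the dependency note are plain "Warning:" and "Note:" paragraphs, while this file uses `> [!TIP]` style callouts elsewhere. The two changed lines show no visible text change, so this is a cheap place to convert both to callouts. The warning says all authentication for all users fails from computers with this setting enabled when the domain does not support armoring, and the note says a second policy must also be enabled; neither should be easy to skim past.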
          @@ -264,7 +264,7 @@ ADMX Info: -This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon. +This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon. If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. @@ -278,14 +278,14 @@ If you disable or do not configure this policy setting, the Kerberos client requ > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Require strict KDC validation* - GP name: *ValidateKDC* - GP path: *System/Kerberos* - GP ADMX file name: *Kerberos.admx* - +
          @@ -328,11 +328,11 @@ ADMX Info: This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. -The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. +The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. -If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. +If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. 
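Review bot: In the MaxTokenSize description, "uses the configured value, or the locally allowed maximum value, whichever is smaller" never says what the locally allowed maximum is or where it is set, and the unchanged note only advises against values above 48,000 bytes. Please state the cap or link to its definition, so an admin can tell when a configured value will be reduced. The first context sentence also repeats itself ("the maximum size of the SSPI context token buffer size") and could be tightened in the same pass.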
@@ -344,14 +344,14 @@ Note: This policy setting configures the existing MaxTokenSize registry value in > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Set maximum Kerberos SSPI context token buffer size* - GP name: *MaxTokenSize* - GP path: *System/Kerberos* - GP ADMX file name: *Kerberos.admx* - +
          @@ -360,6 +360,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index 6606c038b3..27f995e4d9 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - KioskBrowser @@ -81,7 +81,7 @@ ms.date: 01/30/2018 -Added in Windows 10, next major update. List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. +Added in Windows 10, version 1803. List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. @@ -125,7 +125,7 @@ Added in Windows 10, next major update. List of exceptions to the blocked websit -Added in Windows 10, next major update. List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. +Added in Windows 10, version 1803. List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. @@ -169,7 +169,7 @@ Added in Windows 10, next major update. List of blocked website URLs (with wildc -Added in Windows 10, next major update. Configures the default URL kiosk browsers to navigate on launch and restart. +Added in Windows 10, version 1803. Configures the default URL kiosk browsers to navigate on launch and restart. 
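Review bot: The KioskBrowser descriptions above now name version 1803, but the two URL list settings are still underspecified: both say "with wildcard support" without giving the wildcard syntax or the separator between entries, and the exceptions text does not say how an exception is evaluated against a matching blocked entry. For a kiosk lockdown these details decide what is reachable, so please add them or link to where they are defined. In the last hunk, "Configures the default URL kiosk browsers to navigate on launch and restart" is missing "to" after "navigate".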
@@ -213,7 +213,7 @@ Added in Windows 10, next major update. Configures the default URL kiosk browser -Added in Windows 10, next major update. Enable/disable kiosk browser's home button. +Added in Windows 10, version 1803. Enable/disable kiosk browser's home button. @@ -257,7 +257,7 @@ Added in Windows 10, next major update. Enable/disable kiosk browser's home butt -Added in Windows 10, next major update. Enable/disable kiosk browser's navigation buttons (forward/back). +Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation buttons (forward/back). @@ -301,7 +301,7 @@ Added in Windows 10, next major update. Enable/disable kiosk browser's navigatio -Added in Windows 10, next major update. Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. +Added in Windows 10, version 1803. Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. @@ -314,6 +314,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md index 66109605f7..eae5cdc5d7 100644 --- a/windows/client-management/mdm/policy-csp-licensing.md +++ b/windows/client-management/mdm/policy-csp-licensing.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Licensing 
@@ -69,6 +69,14 @@ ms.date: 01/30/2018 Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices. + +ADMX Info: +- GP English name: *Control Device Reactivation for Retail devices* +- GP name: *AllowWindowsEntitlementReactivation* +- GP path: *Windows Components/Software Protection Platform* +- GP ADMX file name: *AVSValidationGP.admx* + + The following list shows the supported values: @@ -119,6 +127,14 @@ The following list shows the supported values: Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. + +ADMX Info: +- GP English name: *Turn off KMS Client Online AVS Validation* +- GP name: *NoAcquireGT* +- GP path: *Windows Components/Software Protection Platform* +- GP ADMX file name: *AVSValidationGP.admx* + + The following list shows the supported values: @@ -134,6 +150,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index f67234078a..27c960d639 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - LocalPoliciesSecurityOptions 
@@ -238,6 +238,12 @@ If you disable or do not configure this policy (recommended), users will be able Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *Accounts: Block Microsoft accounts* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + The following list shows the supported values: @@ -297,6 +303,12 @@ Default: Disabled. Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *Accounts: Administrator account status* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + Valid values: - 0 - local Administrator account is disabled @@ -352,6 +364,12 @@ Note: If the Guest account is disabled and the security option Network Access: S Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *Accounts: Guest account status* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + Valid values: - 0 - local Guest account is disabled @@ -415,6 +433,12 @@ It is possible for applications that use remote interactive logons to bypass thi Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *Accounts: Limit local account use of blank passwords to console logon only* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + Valid values: - 0 - disabled - local accounts that are not password protected can be used to log on from locations other than the physical computer console @@ -470,6 +494,12 @@ Default: Administrator. Value type is string. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *Accounts: Rename administrator account* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
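Review bot: The "GP Info:" blocks added in these hunks list only the GP English name and GP path, while the "ADMX Info:" blocks in the other files of this patch also give a GP name and an ADMX file name. If the different label and the shorter field set are intentional for Security Options settings, please add one sentence near the top of the file saying so; otherwise readers will assume the two fields were dropped by mistake.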
          @@ -519,6 +549,12 @@ Default: Guest. Value type is string. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *Accounts: Rename guest account* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -569,6 +605,12 @@ Caution: Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. + +GP Info: +- GP English name: *Devices: Allow undock without having to log on* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -619,6 +661,12 @@ This security setting determines who is allowed to format and eject removable NT Default: This policy is not defined and only Administrators have this ability. + +GP Info: +- GP English name: *Devices: Allowed to format and eject removable media* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -671,6 +719,12 @@ Note This setting does not affect the ability to add a local printer. This setting does not affect Administrators. + +GP Info: +- GP English name: *Devices: Prevent users from installing printer drivers* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -720,6 +774,12 @@ If this policy is enabled, it allows only the interactively logged-on user to ac Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user. + +GP Info: +- GP English name: *Devices: Restrict CD-ROM access to locally logged-on user only* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -780,6 +840,12 @@ If this policy is enabled, the policy Domain member: Digitally sign secure chann Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not. + +GP Info: +- GP English name: *Domain member: Digitally encrypt or sign secure channel data (always)* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -837,6 +903,12 @@ There is no known reason for disabling this setting. Besides unnecessarily reduc Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains. + +GP Info: +- GP English name: *Domain member: Digitally encrypt secure channel data (when possible)* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -888,6 +960,12 @@ This setting determines whether or not the domain member attempts to negotiate s Default: Enabled. + +GP Info: +- GP English name: *Domain member: Digitally sign secure channel data (when possible)* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -940,6 +1018,12 @@ This security setting should not be enabled. Computer account passwords are used This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names. + +GP Info: +- GP English name: *Domain member: Disable machine account password changes* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -991,6 +1075,12 @@ Important This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers. + +GP Info: +- GP English name: *Domain member: Maximum machine account password age* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -1053,6 +1143,12 @@ In order to take advantage of this policy on member workstations and servers, al In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later. + +GP Info: +- GP English name: *Domain member: Require strong (Windows 2000 or later) session key* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -1099,6 +1195,12 @@ Interactive Logon:Display user information when the session is locked Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *Interactive logon: Display user information when the session is locked* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + Valid values: - 1 - User display name, domain and user names @@ -1158,6 +1260,12 @@ Default: Disabled. Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *Interactive logon: Don't display last signed-in* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + Valid values: - 0 - disabled (username will be shown) @@ -1217,6 +1325,12 @@ Default: Disabled. Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *Interactive logon: Don't display username at sign-in* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + Valid values: - 0 - disabled (username will be shown) @@ -1277,6 +1391,12 @@ Default on stand-alone computers: Enabled. Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *Interactive logon: Do not require CTRL+ALT+DEL* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + Valid values: - 0 - disabled @@ -1332,6 +1452,12 @@ Default: not enforced. Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *Interactive logon: Machine inactivity limit* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + Valid values: - 0 - disabled 
@@ -1389,6 +1515,12 @@ Default: No message. Value type is string. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *Interactive logon: Message text for users attempting to log on* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -1438,6 +1570,12 @@ Default: No message. Value type is string. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *Interactive logon: Message title for users attempting to log on* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -1502,6 +1640,12 @@ Default: This policy is not defined, which means that the system treats it as No On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started. + +GP Info: +- GP English name: *Interactive logon: Smart card removal behavior* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -1567,6 +1711,12 @@ SMB packet signing can significantly degrade SMB performance, depending on diale For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. + +GP Info: +- GP English name: *Microsoft network client: Digitally sign communications (always)* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -1629,6 +1779,12 @@ SMB packet signing can significantly degrade SMB performance, depending on diale For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. + +GP Info: +- GP English name: *Microsoft network client: Digitally sign communications (if server agrees)* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -1678,6 +1834,12 @@ Sending unencrypted passwords is a security risk. Default: Disabled. + +GP Info: +- GP English name: *Microsoft network client: Send unencrypted password to third-party SMB servers* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -1729,6 +1891,12 @@ For this policy setting, a value of 0 means to disconnect an idle session as qui Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations. + +GP Info: +- GP English name: *Microsoft network server: Amount of idle time required before suspending session* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -1803,6 +1971,12 @@ HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecurity For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. + +GP Info: +- GP English name: *Microsoft network server: Digitally sign communications (always)* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -1869,6 +2043,12 @@ SMB packet signing can significantly degrade SMB performance, depending on diale For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. + +GP Info: +- GP English name: *Microsoft network server: Digitally sign communications (if client agrees)* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -1928,6 +2108,12 @@ Important This policy has no impact on domain controllers. + +GP Info: +- GP English name: *Network access: Do not allow anonymous enumeration of SAM accounts* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -1977,6 +2163,12 @@ Windows allows anonymous users to perform certain activities, such as enumeratin Default: Disabled. + +GP Info: +- GP English name: *Network access: Do not allow anonymous enumeration of SAM accounts and shares* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -2077,6 +2269,12 @@ Network access: Shares that can be accessed anonymously Default: Enabled. + +GP Info: +- GP English name: *Network access: Restrict anonymous access to Named Pipes and Shares* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -2126,6 +2324,12 @@ If not selected, the default security descriptor will be used. This policy is supported on at least Windows Server 2016. + +GP Info: +- GP English name: *Network access: Restrict clients allowed to make remote calls to SAM* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -2231,6 +2435,12 @@ This policy will be turned off by default on domain joined machines. This would Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *Network security: Allow PKU2U authentication requests to this computer to use online identities.* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + Valid values: - 0 - disabled @@ -2291,6 +2501,12 @@ Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authenticat This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. + +GP Info: +- GP English name: *Network security: Do not store LAN Manager hash value on next password change* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
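Review bot: In the first hunk, the GP English name "*Network security: Allow PKU2U authentication requests to this computer to use online identities.*" ends with a period inside the italics, unlike every other GP English name added in this file. Please check it against the string shown in the Group Policy editor and drop the period if it is not part of the name, since readers search for these names verbatim.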
          @@ -2360,6 +2576,12 @@ Windows Server 2003: Send NTLM response only Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only + +GP Info: +- GP English name: *Network security: LAN Manager authentication level* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -2414,6 +2636,12 @@ Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Windows 7 and Windows Server 2008 R2: Require 128-bit encryption + +GP Info: +- GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -2468,6 +2696,12 @@ Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Windows 7 and Windows Server 2008 R2: Require 128-bit encryption + +GP Info: +- GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) servers* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -2568,6 +2802,12 @@ Default on servers: Disabled. Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *Shutdown: Allow system to be shut down without having to log on* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + Valid values: - 0 - disabled @@ -2625,6 +2865,12 @@ When this policy is enabled, it causes the system pagefile to be cleared upon cl Default: Disabled. + +GP Info: +- GP English name: *Shutdown: Clear virtual memory pagefile* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -2727,6 +2973,12 @@ The secure desktop can be disabled only by the user of the interactive desktop o Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + Valid values: - 0 - disabled @@ -2794,6 +3046,12 @@ The options are: Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -2840,6 +3098,12 @@ This policy setting controls the behavior of the elevation prompt for standard u Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *User Account Control: Behavior of the elevation prompt for standard users* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + The following list shows the supported values: @@ -2899,6 +3163,12 @@ Enabled: (Default) When an application installation package is detected that req Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. + +GP Info: +- GP English name: *User Account Control: Detect application installations and prompt for elevation* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -2950,6 +3220,12 @@ The options are: Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *User Account Control: Only elevate executables that are signed and validated* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -3007,6 +3283,12 @@ The options are: Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *User Account Control: Only elevate UIAccess applications that are installed in secure locations* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -3059,6 +3341,12 @@ The options are: Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *User Account Control: Run all administrators in Admin Approval Mode* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -3110,6 +3398,12 @@ The options are: Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *User Account Control: Switch to the secure desktop when prompting for elevation* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -3161,6 +3455,12 @@ The options are: • Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. + +GP Info: +- GP English name: *User Account Control: Admin Approval Mode for the Built-in Administrator account* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +
          @@ -3208,6 +3508,12 @@ This policy setting controls whether application write failures are redirected t Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +GP Info: +- GP English name: *User Account Control: Virtualize file and registry write failures to per-user locations* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + The following list shows the supported values: @@ -3223,6 +3529,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md index ac9c25abfa..8117114323 100644 --- a/windows/client-management/mdm/policy-csp-location.md +++ b/windows/client-management/mdm/policy-csp-location.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Location @@ -69,6 +69,14 @@ Added in Windows 10, version 1703. Optional policy that allows for IT admin to > This policy is not intended to ever be set, pushed, or refreshed more than one time after the first boot of the device because it is meant as initial configuration. Refreshing this policy might result in the Location Service's Device Switch changing state to something the user did not select, which is not an intended use for this policy. + +ADMX Info: +- GP English name: *Turn off Windows Location Provider* +- GP name: *DisableWindowsLocationProvider_1* +- GP path: *Windows Components/Location and Sensors/Windows Location Provider* +- GP ADMX file name: *LocationProviderAdm.admx* + + The following list shows the supported values: 
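Review bot: the ADMX Info added in the policy-csp-location.md hunk maps this policy to *Turn off Windows Location Provider*, yet the note directly above the insertion says the policy is meant as initial configuration and should not be set, pushed, or refreshed more than one time after first boot. Group Policy is processed repeatedly through background refresh, so please state whether that restriction also applies when the setting is delivered through the listed GP, or qualify the mapping next to the ADMX Info block.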
@@ -91,6 +99,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md index a63d073566..228d2f75ec 100644 --- a/windows/client-management/mdm/policy-csp-lockdown.md +++ b/windows/client-management/mdm/policy-csp-lockdown.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - LockDown @@ -68,6 +68,14 @@ Added in Windows 10, version 1607. Allows the user to invoke any system user in The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled. + +ADMX Info: +- GP English name: *Allow edge swipe* +- GP name: *AllowEdgeSwipe* +- GP path: *Windows Components/Edge UI* +- GP ADMX file name: *EdgeUI.admx* + + The following list shows the supported values: @@ -83,6 +91,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md index 4d5a5f55ec..8b44913146 100644 --- a/windows/client-management/mdm/policy-csp-maps.md +++ b/windows/client-management/mdm/policy-csp-maps.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Maps 
@@ -124,6 +124,14 @@ Added in Windows 10, version 1607. Disables the automatic download and update o After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. + +ADMX Info: +- GP English name: *Turn off Automatic Download and Update of Map Data* +- GP name: *TurnOffAutoUpdate* +- GP path: *Windows Components/Maps* +- GP ADMX file name: *WinMaps.admx* + + The following list shows the supported values: @@ -140,6 +148,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md index abd33e0f71..f1862d266d 100644 --- a/windows/client-management/mdm/policy-csp-messaging.md +++ b/windows/client-management/mdm/policy-csp-messaging.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Messaging @@ -125,6 +125,14 @@ The following list shows the supported values: Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control. + +ADMX Info: +- GP English name: *Allow Message Service Cloud Sync* +- GP name: *AllowMessageSync* +- GP path: *Windows Components/Messaging* +- GP ADMX file name: *messaging.admx* + + The following list shows the supported values: @@ -193,6 +201,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. 
diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md new file mode 100644 index 0000000000..8759b6d49a --- /dev/null +++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md @@ -0,0 +1,246 @@ +--- +title: Policy CSP - MSSecurityGuide +description: Policy CSP - MSSecurityGuide +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 03/12/2018 +--- + +# Policy CSP - MSSecurityGuide + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
          + + +## MSSecurityGuide policies + +
          +
          + MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon +
          +
          + MSSecurityGuide/ConfigureSMBV1ClientDriver +
          +
          + MSSecurityGuide/ConfigureSMBV1Server +
          +
          + MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection +
          +
          + MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications +
          +
          + MSSecurityGuide/WDigestAuthentication +
          +
          + + +
          + + +**MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP name: *Pol_SecGuide_0201_LATFP* +- GP ADMX file name: *SecGuide.admx* + + + + +
          + + +**MSSecurityGuide/ConfigureSMBV1ClientDriver** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP name: *Pol_SecGuide_0002_SMBv1_ClientDriver* +- GP ADMX file name: *SecGuide.admx* + + + + +
          + + +**MSSecurityGuide/ConfigureSMBV1Server** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP name: *Pol_SecGuide_0001_SMBv1_Server* +- GP ADMX file name: *SecGuide.admx* + + + + +
          + + +**MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP name: *Pol_SecGuide_0102_SEHOP* +- GP ADMX file name: *SecGuide.admx* + + + + +
          + + +**MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP name: *Pol_SecGuide_0101_WDPUA* +- GP ADMX file name: *SecGuide.admx* + + + + +
          + + +**MSSecurityGuide/WDigestAuthentication** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP name: *Pol_SecGuide_0202_WDigestAuthn* +- GP ADMX file name: *SecGuide.admx* + + + +
          + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. + + + diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md new file mode 100644 index 0000000000..54107559ca --- /dev/null +++ b/windows/client-management/mdm/policy-csp-msslegacy.md @@ -0,0 +1,176 @@ +--- +title: Policy CSP - MSSLegacy +description: Policy CSP - MSSLegacy +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 03/12/2018 +--- + +# Policy CSP - MSSLegacy + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
          + + +## MSSLegacy policies + +
          +
          + MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes +
          +
          + MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers +
          +
          + MSSLegacy/IPSourceRoutingProtectionLevel +
          +
          + MSSLegacy/IPv6SourceRoutingProtectionLevel +
          +
          + + +
          + + +**MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP name: *Pol_MSS_EnableICMPRedirect* +- GP ADMX file name: *mss-legacy.admx* + + + + +
          + + +**MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP name: *Pol_MSS_NoNameReleaseOnDemand* +- GP ADMX file name: *mss-legacy.admx* + + + + +
          + + +**MSSLegacy/IPSourceRoutingProtectionLevel** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP name: *Pol_MSS_DisableIPSourceRouting* +- GP ADMX file name: *mss-legacy.admx* + + + + +
          + + +**MSSLegacy/IPv6SourceRoutingProtectionLevel** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP name: *Pol_MSS_DisableIPSourceRoutingIPv6* +- GP ADMX file name: *mss-legacy.admx* + + + +
          + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. + + + diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md index 445d9a8d6d..d5d98f64b1 100644 --- a/windows/client-management/mdm/policy-csp-networkisolation.md +++ b/windows/client-management/mdm/policy-csp-networkisolation.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - NetworkIsolation @@ -87,6 +87,15 @@ ms.date: 01/30/2018 Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**. + +ADMX Info: +- GP English name: *Enterprise resource domains hosted in the cloud* +- GP name: *WF_NetIsolation_EnterpriseCloudResources* +- GP element: *WF_NetIsolation_EnterpriseCloudResourcesBox* +- GP path: *Network/Network Isolation* +- GP ADMX file name: *NetworkIsolation.admx* + +
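Review bot: the two new files above, policy-csp-mssecurityguide.md and policy-csp-msslegacy.md, document every policy with only the generic ADMX tip plus `GP name` and `GP ADMX file name`. There is no description, no `GP English name` or `GP path`, and no list of supported values. For settings such as MSSecurityGuide/ConfigureSMBV1Server, MSSecurityGuide/WDigestAuthentication and MSSLegacy/IPSourceRoutingProtectionLevel, a reader cannot tell what enabling the policy does or which data the SyncML payload has to carry. Add a short description and the accepted values for each policy, and fill in the same ADMX Info fields that the other files in this patch receive.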
          @@ -130,6 +139,15 @@ Contains a list of Enterprise resource domains hosted in the cloud that need to Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. + +ADMX Info: +- GP English name: *Private network ranges for apps* +- GP name: *WF_NetIsolation_PrivateSubnet* +- GP element: *WF_NetIsolation_PrivateSubnetBox* +- GP path: *Network/Network Isolation* +- GP ADMX file name: *NetworkIsolation.admx* + + For example: @@ -186,6 +204,14 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets. + +ADMX Info: +- GP English name: *Subnet definitions are authoritative* +- GP name: *WF_NetIsolation_Authoritative_Subnet* +- GP path: *Network/Network Isolation* +- GP ADMX file name: *NetworkIsolation.admx* + +
          @@ -229,6 +255,15 @@ Boolean value that tells the client to accept the configured list and not to use This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies. + +ADMX Info: +- GP English name: *Intranet proxy servers for apps* +- GP name: *WF_NetIsolation_Intranet_Proxies* +- GP element: *WF_NetIsolation_Intranet_ProxiesBox* +- GP path: *Network/Network Isolation* +- GP ADMX file name: *NetworkIsolation.admx* + +
          @@ -325,6 +360,15 @@ Here are the steps to create canonical domain names: This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". + +ADMX Info: +- GP English name: *Internet proxy servers for apps* +- GP name: *WF_NetIsolation_Domain_Proxies* +- GP element: *WF_NetIsolation_Domain_ProxiesBox* +- GP path: *Network/Network Isolation* +- GP ADMX file name: *NetworkIsolation.admx* + +
          @@ -368,6 +412,14 @@ This is a comma-separated list of proxy servers. Any server on this list is cons Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies. + +ADMX Info: +- GP English name: *Proxy definitions are authoritative* +- GP name: *WF_NetIsolation_Authoritative_Proxies* +- GP path: *Network/Network Isolation* +- GP ADMX file name: *NetworkIsolation.admx* + +
          @@ -411,6 +463,15 @@ Boolean value that tells the client to accept the configured list of proxies and List of domain names that can used for work or personal resource. + +ADMX Info: +- GP English name: *Domains categorized as both work and personal* +- GP name: *WF_NetIsolation_NeutralResources* +- GP element: *WF_NetIsolation_NeutralResourcesBox* +- GP path: *Network/Network Isolation* +- GP ADMX file name: *NetworkIsolation.admx* + +
          @@ -419,6 +480,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 2f8a4559f5..8dddbe0d18 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Notifications @@ -70,6 +70,14 @@ For each user logged into the device, if you enable this policy (set value to 1) No reboot or service restart is required for this policy to take effect. + +ADMX Info: +- GP English name: *Turn off notification mirroring* +- GP name: *NoNotificationMirroring* +- GP path: *Start Menu and Taskbar/Notifications* +- GP ADMX file name: *WPN.admx* + + The following list shows the supported values: @@ -85,6 +93,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 5bc495e5d8..5bee576aca 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Power @@ -19,6 +19,9 @@ ms.date: 01/30/2018 ## Power policies
          +
          + Power/AllowStandbyStatesWhenSleepingOnBattery +
          Power/AllowStandbyWhenSleepingPluggedIn
          @@ -49,6 +52,45 @@ ms.date: 01/30/2018
          +
          + + +**Power/AllowStandbyStatesWhenSleepingOnBattery** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + +This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. + +If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state. + +If you disable this policy setting, standby states (S1-S3) are not allowed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow standby states (S1-S3) when sleeping (on battery)* +- GP name: *AllowStandbyStatesDC_2* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + + +
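Review bot: the new Power/AllowStandbyStatesWhenSleepingOnBattery section has no statement of the Windows 10 version that introduced it, while the display timeout description further down this file opens with "Added in Windows 10, version 1709." Add the version line or the matching footnote marker so administrators know which builds honor the setting. The added description also never says "on battery"; only the `GP English name` does, so consider naming the power source in the first sentence.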
          @@ -101,14 +143,14 @@ If you disable this policy setting, standby states (S1-S3) are not allowed. > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow standby states (S1-S3) when sleeping (plugged in)* - GP name: *AllowStandbyStatesAC_2* - GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* - +
          @@ -149,13 +191,13 @@ ADMX Info: -Added in Windows 10, version 1709. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display. +Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows turns off the display. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. > [!TIP] @@ -165,14 +207,14 @@ If the user has configured a slide show to run on the lock screen when the machi > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn off the display (on battery)* - GP name: *VideoPowerDownTimeOutDC_2* - GP path: *System/Power Management/Video and Display Settings* - GP ADMX file name: *power.admx* - +
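Review bot: Dropping "(DeviceLock/PreventLockScreenSlideShow)" from the slide show sentence removes the only MDM policy name a reader of this CSP page can act on; the Group Policy title "Prevent enabling lock screen slide show" on its own does not tell an MDM admin which Policy CSP node to set. Suggest keeping the name, ideally as a link to the DeviceLock page. The first changed line also deletes "Turn off the display (on battery).", so the description body no longer says which power source it covers and reads the same as the plugged-in description in the next hunk; consider keeping a short qualifier.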
          @@ -213,13 +255,13 @@ ADMX Info: -Added in Windows 10, version 1709. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display. +Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows turns off the display. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. > [!TIP] @@ -229,14 +271,14 @@ If the user has configured a slide show to run on the lock screen when the machi > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn off the display (plugged in)* - GP name: *VideoPowerDownTimeOutAC_2* - GP path: *System/Power Management/Video and Display Settings* - GP ADMX file name: *power.admx* - +
          @@ -277,14 +319,13 @@ ADMX Info: -Added in Windows 10, version 1709. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. +Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. If you disable or do not configure this policy setting, users control this setting. - -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. > [!TIP] @@ -294,14 +335,14 @@ If the user has configured a slide show to run on the lock screen when the machi > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Specify the system hibernate timeout (on battery)* - GP name: *DCHibernateTimeOut_2* - GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* - +
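Review bot: The rewritten slide show sentence still carries the misspelling "occuring" ("this can prevent the sleep transition from occuring"); since the line is being touched anyway, correct it to "occurring" here and in the matching lines of the hibernate (plugged in) hunk and both sleep timeout hunks. This hunk also removes a blank line before that sentence (14 lines become 13), which the sibling hunks do not do; check that a paragraph break still follows "users control this setting."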
          @@ -342,13 +383,13 @@ ADMX Info: -Added in Windows 10, version 1709. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. +Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. > [!TIP] @@ -358,14 +399,14 @@ If the user has configured a slide show to run on the lock screen when the machi > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Specify the system hibernate timeout (plugged in)* - GP name: *ACHibernateTimeOut_2* - GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* - +
          @@ -420,14 +461,14 @@ If you disable this policy setting, the user is not prompted for a password when > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Require a password when a computer wakes (on battery)* - GP name: *DCPromptForPasswordOnResume_2* - GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* - +
          @@ -482,14 +523,14 @@ If you disable this policy setting, the user is not prompted for a password when > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Require a password when a computer wakes (plugged in)* - GP name: *ACPromptForPasswordOnResume_2* - GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* - +
          @@ -530,13 +571,13 @@ ADMX Info: -Added in Windows 10, version 1709. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. +Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. > [!TIP] @@ -546,14 +587,14 @@ If the user has configured a slide show to run on the lock screen when the machi > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Specify the system sleep timeout (on battery)* - GP name: *DCStandbyTimeOut_2* - GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* - +
          @@ -594,13 +635,13 @@ ADMX Info: -Added in Windows 10, version 1709. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. +Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. > [!TIP] @@ -610,14 +651,14 @@ If the user has configured a slide show to run on the lock screen when the machi > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Specify the system sleep timeout (plugged in)* - GP name: *ACStandbyTimeOut_2* - GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* - +
          @@ -626,6 +667,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index 2e10fa65e7..be94af174b 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Printers @@ -96,14 +96,14 @@ If you disable this policy setting: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Point and Print Restrictions* - GP name: *PointAndPrint_Restrictions_Win7* - GP path: *Printers* - GP ADMX file name: *Printing.admx* - +
          @@ -171,14 +171,14 @@ If you disable this policy setting: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Point and Print Restrictions* - GP name: *PointAndPrint_Restrictions* - GP path: *Control Panel/Printers* - GP ADMX file name: *Printing.admx* - +
          @@ -235,14 +235,14 @@ Note: This settings takes priority over the setting "Automatically publish new p > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow printers to be published* - GP name: *PublishPrinters* - GP path: *Printers* - GP ADMX file name: *Printing2.admx* - +
          @@ -251,6 +251,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index c42149d2f1..c084709cd0 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Privacy @@ -352,6 +352,14 @@ Updated in Windows 10, version 1709. Allows the usage of cloud based speech serv Most restricted value is 0. + +ADMX Info: +- GP English name: *Allow input personalization* +- GP name: *AllowInputPersonalization* +- GP path: *Control Panel/Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + The following list shows the supported values: @@ -404,6 +412,14 @@ Added in Windows 10, version 1607. Enables or disables the Advertising ID. Most restricted value is 0. + +ADMX Info: +- GP English name: *Turn off the advertising ID* +- GP name: *DisableAdvertisingId* +- GP path: *System/User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + The following list shows the supported values: @@ -455,6 +471,14 @@ The following list shows the supported values: Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed. + +ADMX Info: +- GP English name: *Enables Activity Feed* +- GP name: *EnableActivityFeed* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + The following list shows the supported values: 
@@ -508,6 +532,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access ac Most restricted value is 2. + +ADMX Info: +- GP English name: *Let Windows apps access account information* +- GP name: *LetAppsAccessAccountInfo* +- GP element: *LetAppsAccessAccountInfo_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + The following list shows the supported values: @@ -559,6 +592,15 @@ The following list shows the supported values: Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + +ADMX Info: +- GP English name: *Let Windows apps access account information* +- GP name: *LetAppsAccessAccountInfo* +- GP element: *LetAppsAccessAccountInfo_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -602,6 +644,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + +ADMX Info: +- GP English name: *Let Windows apps access account information* +- GP name: *LetAppsAccessAccountInfo* +- GP element: *LetAppsAccessAccountInfo_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -645,6 +696,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + +ADMX Info: +- GP English name: *Let Windows apps access account information* +- GP name: *LetAppsAccessAccountInfo* +- GP element: *LetAppsAccessAccountInfo_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
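Review bot: The three list policies for account information (ForceAllowTheseApps, ForceDenyTheseApps, UserInControlOfTheseApps) each say they override the default LetAppsAccessAccountInfo setting, and the added ADMX Info shows all of them as elements of that one Group Policy setting, but nothing states which list wins when the same Package Family Name appears in more than one. Suggest adding a sentence on precedence, and noting that the four MDM policies map to a single GP setting distinguished only by the "GP element" line, so admins do not go looking for four separate policies. The same applies to the calendar, call history, camera, contacts, email, location and messaging groups in the hunks that follow.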
          @@ -691,6 +751,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access th Most restricted value is 2. + +ADMX Info: +- GP English name: *Let Windows apps access the calendar* +- GP name: *LetAppsAccessCalendar* +- GP element: *LetAppsAccessCalendar_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + The following list shows the supported values: @@ -742,6 +811,15 @@ The following list shows the supported values: Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + +ADMX Info: +- GP English name: *Let Windows apps access the calendar* +- GP name: *LetAppsAccessCalendar* +- GP element: *LetAppsAccessCalendar_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -785,6 +863,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + +ADMX Info: +- GP English name: *Let Windows apps access the calendar* +- GP name: *LetAppsAccessCalendar* +- GP element: *LetAppsAccessCalendar_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -828,6 +915,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + +ADMX Info: +- GP English name: *Let Windows apps access the calendar* +- GP name: *LetAppsAccessCalendar* +- GP element: *LetAppsAccessCalendar_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -874,6 +970,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access ca Most restricted value is 2. + +ADMX Info: +- GP English name: *Let Windows apps access call history* +- GP name: *LetAppsAccessCallHistory* +- GP element: *LetAppsAccessCallHistory_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + The following list shows the supported values: @@ -925,6 +1030,15 @@ The following list shows the supported values: Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + +ADMX Info: +- GP English name: *Let Windows apps access call history* +- GP name: *LetAppsAccessCallHistory* +- GP element: *LetAppsAccessCallHistory_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -968,6 +1082,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + +ADMX Info: +- GP English name: *Let Windows apps access call history* +- GP name: *LetAppsAccessCallHistory* +- GP element: *LetAppsAccessCallHistory_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -1011,6 +1134,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + +ADMX Info: +- GP English name: *Let Windows apps access call history* +- GP name: *LetAppsAccessCallHistory* +- GP element: *LetAppsAccessCallHistory_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -1057,6 +1189,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access th Most restricted value is 2. + +ADMX Info: +- GP English name: *Let Windows apps access the camera* +- GP name: *LetAppsAccessCamera* +- GP element: *LetAppsAccessCamera_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + The following list shows the supported values: @@ -1108,6 +1249,15 @@ The following list shows the supported values: Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access the camera* +- GP name: *LetAppsAccessCamera* +- GP element: *LetAppsAccessCamera_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
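Review bot: The added GP English name reads "Let Windows apps access the camera", while the description it sits under speaks of "Package Family Names of Microsoft Store Apps", and the account information, calendar and call history sections use "Windows apps" for the same kind of list. Suggest settling on one term across the LetAppsAccess* descriptions so the MDM text and the Group Policy title agree.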
          @@ -1151,6 +1301,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access the camera* +- GP name: *LetAppsAccessCamera* +- GP element: *LetAppsAccessCamera_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -1194,6 +1353,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access the camera* +- GP name: *LetAppsAccessCamera* +- GP element: *LetAppsAccessCamera_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -1240,6 +1408,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access co Most restricted value is 2. + +ADMX Info: +- GP English name: *Let Windows apps access contacts* +- GP name: *LetAppsAccessContacts* +- GP element: *LetAppsAccessContacts_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + The following list shows the supported values: @@ -1291,6 +1468,15 @@ The following list shows the supported values: Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access contacts* +- GP name: *LetAppsAccessContacts* +- GP element: *LetAppsAccessContacts_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -1334,6 +1520,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access contacts* +- GP name: *LetAppsAccessContacts* +- GP element: *LetAppsAccessContacts_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -1377,6 +1572,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access contacts* +- GP name: *LetAppsAccessContacts* +- GP element: *LetAppsAccessContacts_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -1423,6 +1627,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access em Most restricted value is 2. + +ADMX Info: +- GP English name: *Let Windows apps access email* +- GP name: *LetAppsAccessEmail* +- GP element: *LetAppsAccessEmail_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + The following list shows the supported values: @@ -1474,6 +1687,15 @@ The following list shows the supported values: Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access email* +- GP name: *LetAppsAccessEmail* +- GP element: *LetAppsAccessEmail_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -1517,6 +1739,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access email* +- GP name: *LetAppsAccessEmail* +- GP element: *LetAppsAccessEmail_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -1560,6 +1791,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access email* +- GP name: *LetAppsAccessEmail* +- GP element: *LetAppsAccessEmail_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -1606,6 +1846,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access lo Most restricted value is 2. + +ADMX Info: +- GP English name: *Let Windows apps access location* +- GP name: *LetAppsAccessLocation* +- GP element: *LetAppsAccessLocation_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + The following list shows the supported values: @@ -1657,6 +1906,15 @@ The following list shows the supported values: Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access location* +- GP name: *LetAppsAccessLocation* +- GP element: *LetAppsAccessLocation_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -1700,6 +1958,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access location* +- GP name: *LetAppsAccessLocation* +- GP element: *LetAppsAccessLocation_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -1743,6 +2010,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access location* +- GP name: *LetAppsAccessLocation* +- GP element: *LetAppsAccessLocation_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -1789,6 +2065,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can read or s Most restricted value is 2. + +ADMX Info: +- GP English name: *Let Windows apps access messaging* +- GP name: *LetAppsAccessMessaging* +- GP element: *LetAppsAccessMessaging_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + The following list shows the supported values: @@ -1840,6 +2125,15 @@ The following list shows the supported values: Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access messaging* +- GP name: *LetAppsAccessMessaging* +- GP element: *LetAppsAccessMessaging_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -1883,6 +2177,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access messaging* +- GP name: *LetAppsAccessMessaging* +- GP element: *LetAppsAccessMessaging_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -1926,6 +2229,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access messaging* +- GP name: *LetAppsAccessMessaging* +- GP element: *LetAppsAccessMessaging_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -1972,6 +2284,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access th Most restricted value is 2. + +ADMX Info: +- GP English name: *Let Windows apps access the microphone* +- GP name: *LetAppsAccessMicrophone* +- GP element: *LetAppsAccessMicrophone_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + The following list shows the supported values: @@ -2023,6 +2344,15 @@ The following list shows the supported values: Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access the microphone* +- GP name: *LetAppsAccessMicrophone* +- GP element: *LetAppsAccessMicrophone_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -2066,6 +2396,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access the microphone* +- GP name: *LetAppsAccessMicrophone* +- GP element: *LetAppsAccessMicrophone_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -2109,6 +2448,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access the microphone* +- GP name: *LetAppsAccessMicrophone* +- GP element: *LetAppsAccessMicrophone_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -2155,6 +2503,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access mo Most restricted value is 2. + +ADMX Info: +- GP English name: *Let Windows apps access motion* +- GP name: *LetAppsAccessMotion* +- GP element: *LetAppsAccessMotion_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + The following list shows the supported values: @@ -2206,6 +2563,15 @@ The following list shows the supported values: Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access motion* +- GP name: *LetAppsAccessMotion* +- GP element: *LetAppsAccessMotion_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -2249,6 +2615,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access motion* +- GP name: *LetAppsAccessMotion* +- GP element: *LetAppsAccessMotion_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -2292,6 +2667,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access motion* +- GP name: *LetAppsAccessMotion* +- GP element: *LetAppsAccessMotion_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -2338,6 +2722,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access no Most restricted value is 2. + +ADMX Info: +- GP English name: *Let Windows apps access notifications* +- GP name: *LetAppsAccessNotifications* +- GP element: *LetAppsAccessNotifications_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + The following list shows the supported values: @@ -2389,6 +2782,15 @@ The following list shows the supported values: Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access notifications* +- GP name: *LetAppsAccessNotifications* +- GP element: *LetAppsAccessNotifications_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -2432,6 +2834,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access notifications* +- GP name: *LetAppsAccessNotifications* +- GP element: *LetAppsAccessNotifications_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -2475,6 +2886,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access notifications* +- GP name: *LetAppsAccessNotifications* +- GP element: *LetAppsAccessNotifications_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -2521,6 +2941,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can make phon Most restricted value is 2. + +ADMX Info: +- GP English name: *Let Windows apps make phone calls* +- GP name: *LetAppsAccessPhone* +- GP element: *LetAppsAccessPhone_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + The following list shows the supported values: @@ -2572,6 +3001,15 @@ The following list shows the supported values: Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps make phone calls* +- GP name: *LetAppsAccessPhone* +- GP element: *LetAppsAccessPhone_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -2615,6 +3053,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps make phone calls* +- GP name: *LetAppsAccessPhone* +- GP element: *LetAppsAccessPhone_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -2658,6 +3105,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps make phone calls* +- GP name: *LetAppsAccessPhone* +- GP element: *LetAppsAccessPhone_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -2704,6 +3160,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps have access t Most restricted value is 2. + +ADMX Info: +- GP English name: *Let Windows apps control radios* +- GP name: *LetAppsAccessRadios* +- GP element: *LetAppsAccessRadios_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + The following list shows the supported values: @@ -2755,6 +3220,15 @@ The following list shows the supported values: Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps control radios* +- GP name: *LetAppsAccessRadios* +- GP element: *LetAppsAccessRadios_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -2798,6 +3272,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps control radios* +- GP name: *LetAppsAccessRadios* +- GP element: *LetAppsAccessRadios_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -2841,6 +3324,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps control radios* +- GP name: *LetAppsAccessRadios* +- GP element: *LetAppsAccessRadios_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -2884,6 +3376,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. + +ADMX Info: +- GP English name: *Let Windows apps access Tasks* +- GP name: *LetAppsAccessTasks* +- GP element: *LetAppsAccessTasks_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
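Review bot: The LetAppsAccessTasks_Enum entry is inconsistent with the other _Enum entries in this file. The context around the added ADMX Info block shows neither a "Most restricted value is 2." line before it nor "The following list shows the supported values:" after it, both of which appear around the LetAppsAccessLocation_Enum, LetAppsAccessMessaging_Enum and the other _Enum blocks. If the Tasks policy takes the same values, add those two pieces here so the most restrictive setting is documented for it as well.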
          @@ -2927,6 +3428,15 @@ Added in Windows 10, version 1703. Specifies whether Windows apps can access tas Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access Tasks* +- GP name: *LetAppsAccessTasks* +- GP element: *LetAppsAccessTasks_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -2970,6 +3480,15 @@ Added in Windows 10, version 1703. List of semi-colon delimited Package Family N Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access Tasks* +- GP name: *LetAppsAccessTasks* +- GP element: *LetAppsAccessTasks_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -3013,6 +3532,15 @@ Added in Windows 10, version 1703. List of semi-colon delimited Package Family N Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access Tasks* +- GP name: *LetAppsAccessTasks* +- GP element: *LetAppsAccessTasks_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -3059,6 +3587,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access tr Most restricted value is 2. + +ADMX Info: +- GP English name: *Let Windows apps access trusted devices* +- GP name: *LetAppsAccessTrustedDevices* +- GP element: *LetAppsAccessTrustedDevices_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + The following list shows the supported values: @@ -3110,6 +3647,15 @@ The following list shows the supported values: Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access trusted devices* +- GP name: *LetAppsAccessTrustedDevices* +- GP element: *LetAppsAccessTrustedDevices_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -3153,6 +3699,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access trusted devices* +- GP name: *LetAppsAccessTrustedDevices* +- GP element: *LetAppsAccessTrustedDevices_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -3196,6 +3751,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access trusted devices* +- GP name: *LetAppsAccessTrustedDevices* +- GP element: *LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -3242,6 +3806,15 @@ Added in Windows 10, version 1703. Force allow, force deny or give user control Most restricted value is 2. + +ADMX Info: +- GP English name: *Let Windows apps access diagnostic information about other apps* +- GP name: *LetAppsGetDiagnosticInfo* +- GP element: *LetAppsGetDiagnosticInfo_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + The following list shows the supported values: @@ -3293,6 +3866,15 @@ The following list shows the supported values: Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access diagnostic information about other apps* +- GP name: *LetAppsGetDiagnosticInfo* +- GP element: *LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -3336,6 +3918,15 @@ Added in Windows 10, version 1703. List of semi-colon delimited Package Family Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access diagnostic information about other apps* +- GP name: *LetAppsGetDiagnosticInfo* +- GP element: *LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -3379,6 +3970,15 @@ Added in Windows 10, version 1703. List of semi-colon delimited Package Family Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps access diagnostic information about other apps* +- GP name: *LetAppsGetDiagnosticInfo* +- GP element: *LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -3427,6 +4027,15 @@ Most restricted value is 2. > Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly. + +ADMX Info: +- GP English name: *Let Windows apps run in the background* +- GP name: *LetAppsRunInBackground* +- GP element: *LetAppsRunInBackground_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + The following list shows the supported values: @@ -3478,6 +4087,15 @@ The following list shows the supported values: Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps run in the background* +- GP name: *LetAppsRunInBackground* +- GP element: *LetAppsRunInBackground_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -3521,6 +4139,15 @@ Added in Windows 10, version 1703. List of semi-colon delimited Package Family Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps run in the background* +- GP name: *LetAppsRunInBackground* +- GP element: *LetAppsRunInBackground_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -3564,6 +4191,15 @@ Added in Windows 10, version 1703. List of semi-colon delimited Package Family Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps run in the background* +- GP name: *LetAppsRunInBackground* +- GP element: *LetAppsRunInBackground_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -3610,6 +4246,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can sync with Most restricted value is 2. + +ADMX Info: +- GP English name: *Let Windows apps communicate with unpaired devices* +- GP name: *LetAppsSyncWithDevices* +- GP element: *LetAppsSyncWithDevices_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + The following list shows the supported values: @@ -3661,6 +4306,15 @@ The following list shows the supported values: Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps communicate with unpaired devices* +- GP name: *LetAppsSyncWithDevices* +- GP element: *LetAppsSyncWithDevices_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -3704,6 +4358,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps communicate with unpaired devices* +- GP name: *LetAppsSyncWithDevices* +- GP element: *LetAppsSyncWithDevices_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -3747,6 +4410,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + +ADMX Info: +- GP English name: *Let Windows apps communicate with unpaired devices* +- GP name: *LetAppsSyncWithDevices* +- GP element: *LetAppsSyncWithDevices_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + +
          @@ -3790,6 +4462,14 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed. + +ADMX Info: +- GP English name: *Allow publishing of User Activities* +- GP name: *PublishUserActivities* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + The following list shows the supported values: @@ -3805,6 +4485,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md index 79ab76a706..01e2f7e4b7 100644 --- a/windows/client-management/mdm/policy-csp-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-remoteassistance.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - RemoteAssistance @@ -92,14 +92,14 @@ If you do not configure this policy setting, the user sees the default warning m > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Customize warning messages* - GP name: *RA_Options* - GP path: *System/Remote Assistance* - GP ADMX file name: *remoteassistance.admx* - +
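Review bot: The two changed lines in the RA_Options hunk, the -/+ pair directly before "ADMX Info:" and the pair after "GP ADMX file name: *remoteassistance.admx*", show no text on either side, so what was replaced cannot be checked from the diff as shown. Suggest stating in the commit message what these lines contain, since the same empty -/+ pairs repeat in the RA_Logging, RA_Solicit and RA_Unsolicit hunks and in the policy-csp-remotedesktopservices.md hunks.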
          @@ -156,14 +156,14 @@ If you do not configure this setting, application-based settings are used. > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn on session logging* - GP name: *RA_Logging* - GP path: *System/Remote Assistance* - GP ADMX file name: *remoteassistance.admx* - +
          @@ -228,14 +228,14 @@ If you enable this policy setting you should also enable appropriate firewall ex > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Configure Solicited Remote Assistance* - GP name: *RA_Solicit* - GP path: *System/Remote Assistance* - GP ADMX file name: *remoteassistance.admx* - +
          @@ -323,14 +323,14 @@ Allow Remote Desktop Exception > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Configure Offer Remote Assistance* - GP name: *RA_Unsolicit* - GP path: *System/Remote Assistance* - GP ADMX file name: *remoteassistance.admx* - +
          @@ -339,6 +339,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index 79615e7c27..0e4be98697 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - RemoteDesktopServices 
@@ -84,9 +84,9 @@ If you enable this policy setting, users who are members of the Remote Desktop U If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections. -If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed. +If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed. -Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication. +Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication. 
You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. @@ -98,14 +98,14 @@ You can limit the number of users who can connect simultaneously by configuring > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow users to connect remotely by using Remote Desktop Services* - GP name: *TS_DISABLE_CONNECTIONS* - GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections* - GP ADMX file name: *terminalserver.admx* - +
          @@ -170,14 +170,14 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Set client connection encryption level* - GP name: *TS_ENCRYPTION_POLICY* - GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* - GP ADMX file name: *terminalserver.admx* - +
          @@ -236,14 +236,14 @@ If you do not configure this policy setting, client drive redirection and Clipbo > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Do not allow drive redirection* - GP name: *TS_CLIENT_DRIVE_M* - GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection* - GP ADMX file name: *terminalserver.admx* - +
          @@ -298,14 +298,14 @@ If you disable this setting or leave it not configured, the user will be able to > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Do not allow passwords to be saved* - GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2* - GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client* - GP ADMX file name: *terminalserver.admx* - +
          @@ -366,14 +366,14 @@ If you do not configure this policy setting, automatic logon is not specified at > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Always prompt for password upon connection* - GP name: *TS_PASSWORD* - GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* - GP ADMX file name: *terminalserver.admx* - +
          @@ -434,14 +434,14 @@ Note: The RPC interface is used for administering and configuring Remote Desktop > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Require secure RPC communication* - GP name: *TS_RPC_ENCRYPTION* - GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* - GP ADMX file name: *terminalserver.admx* - +
          @@ -450,6 +450,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md index 609bfc4763..96324dc5cc 100644 --- a/windows/client-management/mdm/policy-csp-remotemanagement.md +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - RemoteManagement @@ -105,6 +105,11 @@ ms.date: 01/30/2018 +This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. + +If you enable this policy setting, the WinRM client uses Basic authentication. If WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text. + +If you disable or do not configure this policy setting, the WinRM client does not use Basic authentication. > [!TIP] @@ -114,14 +119,14 @@ ms.date: 01/30/2018 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow Basic authentication* - GP name: *AllowBasic_2* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP ADMX file name: *WindowsRemoteManagement.admx* - +
          @@ -162,6 +167,11 @@ ADMX Info: +This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. + +If you enable this policy setting, the WinRM service accepts Basic authentication from a remote client. + +If you disable or do not configure this policy setting, the WinRM service does not accept Basic authentication from a remote client. > [!TIP] @@ -171,14 +181,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow Basic authentication* - GP name: *AllowBasic_1* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* - +
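Review bot: The service-side description added at -162,6 +167,11 omits the clear-text caveat that the client-side text for AllowBasic_2 carries ("If WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text"). Basic credentials cross the wire the same way in both directions, so an administrator reading only the WinRM Service entry gets no hint of the exposure. Suggest repeating that sentence after "the WinRM service accepts Basic authentication from a remote client."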
          @@ -219,6 +229,11 @@ ADMX Info: +This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses CredSSP authentication. + +If you enable this policy setting, the WinRM client uses CredSSP authentication. + +If you disable or do not configure this policy setting, the WinRM client does not use CredSSP authentication. > [!TIP] @@ -228,14 +243,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow CredSSP authentication* - GP name: *AllowCredSSP_2* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP ADMX file name: *WindowsRemoteManagement.admx* - +
          @@ -276,6 +291,11 @@ ADMX Info: +This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts CredSSP authentication from a remote client. + +If you enable this policy setting, the WinRM service accepts CredSSP authentication from a remote client. + +If you disable or do not configure this policy setting, the WinRM service does not accept CredSSP authentication from a remote client. > [!TIP] @@ -285,14 +305,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow CredSSP authentication* - GP name: *AllowCredSSP_1* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* - +
          @@ -333,6 +353,24 @@ ADMX Info: +This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. + +If you enable this policy setting, the WinRM service automatically listens on the network for requests on the HTTP transport over the default HTTP port. + +To allow WinRM service to receive requests over the network, configure the Windows Firewall policy setting with exceptions for Port 5985 (default port for HTTP). + +If you disable or do not configure this policy setting, the WinRM service will not respond to requests from a remote computer, regardless of whether or not any WinRM listeners are configured. + +The service listens on the addresses specified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies one or more ranges of IPv6addresses. If specified, the service enumerates the available IP addresses on the computer and uses only addresses that fall within one of the filter ranges. + +You should use an asterisk (*) to indicate that the service listens on all available IP addresses on the computer. When * is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses. + +For example, if you want the service to listen only on IPv4 addresses, leave the IPv6 filter empty. + +Ranges are specified using the syntax IP1-IP2. Multiple ranges are separated using "," (comma) as the delimiter. + +Example IPv4 filters:\n2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22 +Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 > [!TIP] 
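Review bot: The two example lines at the end of the -333,6 +353,24 hunk contain a literal "\n" ("Example IPv4 filters:\n2.0.0.1-2.0.0.20, ..."), which Markdown renders as the characters backslash and n rather than a line break; replace it with a real line break or put the ranges in inline code. In the same hunk "IPv6addresses" is missing a space. The filter paragraph also states the three cases (ranges, "*", blank) in running prose; since a blank filter means the service listens on no addresses and "*" means all of them, a short list would make it harder to misconfigure the listener scope.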
@@ -342,14 +380,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow remote server management through WinRM* - GP name: *AllowAutoConfig* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* - +
          @@ -390,6 +428,11 @@ ADMX Info: +This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. + +If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. + +If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. > [!TIP] @@ -399,14 +442,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow unencrypted traffic* - GP name: *AllowUnencrypted_2* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP ADMX file name: *WindowsRemoteManagement.admx* - +
          @@ -447,6 +490,11 @@ ADMX Info: +This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. + +If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. + +If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. > [!TIP] @@ -456,14 +504,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow unencrypted traffic* - GP name: *AllowUnencrypted_1* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* - +
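Review bot: In the -447,6 +490,11 hunk the first added sentence describes the WinRM service, but the enable and disable paragraphs both say "the WinRM client sends and receives ..." and "the WinRM client sends or receives only encrypted messages". This entry is AllowUnencrypted_1 with GP path WinRM Service, so the text looks copied from the AllowUnencrypted_2 client entry. Change "client" to "service" in both paragraphs so the documented scope matches the policy being set.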
          @@ -504,6 +552,11 @@ ADMX Info: +This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication. + +If you enable this policy setting, the WinRM client does not use Digest authentication. + +If you disable or do not configure this policy setting, the WinRM client uses Digest authentication. > [!TIP] @@ -513,14 +566,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Disallow Digest authentication* - GP name: *DisallowDigest* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP ADMX file name: *WindowsRemoteManagement.admx* - +
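Review bot: The summary sentence added at -504,6 +552,11 says the setting manages "whether the ... client uses Digest authentication", while the next paragraph says enabling it means the client "does not use Digest authentication". The polarity is correct for a policy named *Disallow Digest authentication*, but the summary reads as if enabling turns Digest on. Suggest wording the summary in the negative, for example "manage whether the WinRM client is prevented from using Digest authentication". The DisallowNegotiate_2 and DisallowNegotiate_1 hunks that follow use the same pattern.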
          @@ -561,6 +614,11 @@ ADMX Info: +This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Negotiate authentication. + +If you enable this policy setting, the WinRM client does not use Negotiate authentication. + +If you disable or do not configure this policy setting, the WinRM client uses Negotiate authentication. > [!TIP] @@ -570,14 +628,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Disallow Negotiate authentication* - GP name: *DisallowNegotiate_2* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP ADMX file name: *WindowsRemoteManagement.admx* - +
          @@ -618,6 +676,11 @@ ADMX Info: +This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Negotiate authentication from a remote client. + +If you enable this policy setting, the WinRM service does not accept Negotiate authentication from a remote client. + +If you disable or do not configure this policy setting, the WinRM service accepts Negotiate authentication from a remote client. > [!TIP] @@ -627,14 +690,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Disallow Negotiate authentication* - GP name: *DisallowNegotiate_1* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* - +
          @@ -675,6 +738,13 @@ ADMX Info: +This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. + +If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer. + +If you disable or do not configure this policy setting, the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAsPassword value will be stored securely. + +If you enable and then disable this policy setting,any values that were previously configured for RunAsPassword will need to be reset. > [!TIP] @@ -684,14 +754,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Disallow WinRM from storing RunAs credentials* - GP name: *DisableRunAs* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* - +
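Review bot: The last added paragraph in the -675,6 +738,13 hunk is missing a space after the comma ("this policy setting,any values"). The summary sentence is also hard to parse ("manage whether the ... service will not allow RunAs credentials to be stored"); "manage whether the WinRM service allows RunAs credentials to be stored for plug-ins" says the same thing without the double negative. It would also help to state that enabling erases only RunAsPassword, since the text names both RunAsUser and RunAsPassword as set but only one as erased.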
          @@ -732,6 +802,17 @@ ADMX Info: +This policy setting allows you to set the hardening level of the Windows Remote Management (WinRM) service with regard to channel binding tokens. + +If you enable this policy setting, the WinRM service uses the level specified in HardeningLevel to determine whether or not to accept a received request, based on a supplied channel binding token. + +If you disable or do not configure this policy setting, you can configure the hardening level locally on each computer. + +If HardeningLevel is set to Strict, any request not containing a valid channel binding token is rejected. + +If HardeningLevel is set to Relaxed (default value), any request containing an invalid channel binding token is rejected. However, a request that does not contain a channel binding token is accepted (though it is not protected from credential-forwarding attacks). + +If HardeningLevel is set to None, all requests are accepted (though they are not protected from credential-forwarding attacks). > [!TIP] @@ -741,14 +822,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Specify channel binding token hardening level* - GP name: *CBTHardeningLevel_1* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* - +
          @@ -789,6 +870,11 @@ ADMX Info: +This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. + +If you enable this policy setting, the WinRM client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. The WinRM client uses this list when neither HTTPS nor Kerberos are used to authenticate the identity of the host. + +If you disable or do not configure this policy setting and the WinRM client needs to use the list of trusted hosts, you must configure the list of trusted hosts locally on each computer. > [!TIP] @@ -798,14 +884,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Trusted Hosts* - GP name: *TrustedHosts* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP ADMX file name: *WindowsRemoteManagement.admx* - +
          @@ -846,6 +932,15 @@ ADMX Info: +This policy setting turns on or turns off an HTTP listener created for backward compatibility purposes in the Windows Remote Management (WinRM) service. + +If you enable this policy setting, the HTTP listener always appears. + +If you disable or do not configure this policy setting, the HTTP listener never appears. + +When certain port 80 listeners are migrated to WinRM 2.0, the listener port number changes to 5985. + +A listener might be automatically created on port 80 to ensure backward compatibility. > [!TIP] @@ -855,14 +950,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn On Compatibility HTTP Listener* - GP name: *HttpCompatibilityListener* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* - +
          @@ -903,6 +998,15 @@ ADMX Info: +This policy setting turns on or turns off an HTTPS listener created for backward compatibility purposes in the Windows Remote Management (WinRM) service. + +If you enable this policy setting, the HTTPS listener always appears. + +If you disable or do not configure this policy setting, the HTTPS listener never appears. + +When certain port 443 listeners are migrated to WinRM 2.0, the listener port number changes to 5986. + +A listener might be automatically created on port 443 to ensure backward compatibility. > [!TIP] @@ -912,14 +1016,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn On Compatibility HTTPS Listener* - GP name: *HttpsCompatibilityListener* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* - +
          @@ -928,6 +1032,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md index 16adbb0e97..295bf5c56e 100644 --- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md +++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - RemoteProcedureCall @@ -66,7 +66,7 @@ ms.date: 01/30/2018 -This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. +This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server. 
@@ -84,14 +84,14 @@ Note: This policy will not be applied until the system is rebooted. > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Enable RPC Endpoint Mapper Client Authentication* - GP name: *RpcEnableAuthEpResolution* - GP path: *System/Remote Procedure Call* - GP ADMX file name: *rpc.admx* - +
          @@ -136,9 +136,9 @@ This policy setting controls how the RPC server runtime handles unauthenticated This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller. -If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting. +If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting. -If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting. +If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting. If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. 
@@ -158,14 +158,14 @@ Note: This policy setting will not be applied until the system is rebooted. > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Restrict Unauthenticated RPC clients* - GP name: *RpcRestrictRemoteClients* - GP path: *System/Remote Procedure Call* - GP ADMX file name: *rpc.admx* - +
          @@ -174,6 +174,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md index 5f9c72ad15..cbb9717f73 100644 --- a/windows/client-management/mdm/policy-csp-remoteshell.md +++ b/windows/client-management/mdm/policy-csp-remoteshell.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - RemoteShell @@ -81,6 +81,11 @@ ms.date: 01/30/2018 +This policy setting configures access to remote shells. + +If you enable or do not configure this policy setting, new remote shell connections are accepted by the server. + +If you set this policy to ‘disabled’, new remote shell connections are rejected by the server. > [!TIP] @@ -90,14 +95,14 @@ ms.date: 01/30/2018 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Allow Remote Shell Access* - GP name: *AllowRemoteShellAccess* - GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* - +
          @@ -138,6 +143,13 @@ ADMX Info: +This policy setting configures the maximum number of users able to concurrently perform remote shell operations on the system. + +The value can be any number from 1 to 100. + +If you enable this policy setting, the new shell connections are rejected if they exceed the specified limit. + +If you disable or do not configure this policy setting, the default number is five users. > [!TIP] @@ -147,14 +159,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *MaxConcurrentUsers* - GP name: *MaxConcurrentUsers* - GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* - +
          @@ -195,6 +207,13 @@ ADMX Info: +This policy setting configures the maximum time in milliseconds remote shell will stay open without any user activity until it is automatically deleted. + +Any value from 0 to 0x7FFFFFFF can be set. A minimum of 60000 milliseconds (1 minute) is used for smaller values. + +If you enable this policy setting, the server will wait for the specified amount of time since the last received message from the client before terminating the open shell. + +If you do not configure or disable this policy setting, the default value of 900000 or 15 min will be used. > [!TIP] @@ -204,14 +223,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Specify idle Timeout* - GP name: *IdleTimeout* - GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* - +
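Review bot: The default in the -195,6 +207,13 hunk is given as "900000 or 15 min" without a unit on the first number, while the range line above it uses "60000 milliseconds (1 minute)". Use the same form, "900000 milliseconds (15 minutes)". The range sentence also says any value from 0 can be set and then that a minimum of 60000 is used for smaller values; say explicitly that values below 60000 are treated as 60000 so readers do not assume 0 disables the idle timeout.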
          @@ -252,6 +271,13 @@ ADMX Info: +This policy setting configures the maximum total amount of memory in megabytes that can be allocated by any active remote shell and all its child processes. + +Any value from 0 to 0x7FFFFFFF can be set, where 0 equals unlimited memory, which means the ability of remote operations to allocate memory is only limited by the available virtual memory. + +If you enable this policy setting, the remote operation is terminated when a new allocation exceeds the specified quota. + +If you disable or do not configure this policy setting, the value 150 is used by default. > [!TIP] @@ -261,14 +287,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Specify maximum amount of memory in MB per Shell* - GP name: *MaxMemoryPerShellMB* - GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* - +
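Review bot: The default stated at the end of the -252,6 +271,13 hunk, "the value 150 is used by default", carries no unit. The summary says the quota is in megabytes, so write "150 MB". Since 0 means unlimited memory here, consider placing that statement on its own line so it is not missed inside the range sentence.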
          @@ -309,6 +335,11 @@ ADMX Info: +This policy setting configures the maximum number of processes a remote shell is allowed to launch. + +If you enable this policy setting, you can specify any number from 0 to 0x7FFFFFFF to set the maximum number of process per shell. Zero (0) means unlimited number of processes. + +If you disable or do not configure this policy setting, the limit is five processes per shell. > [!TIP] @@ -318,14 +349,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Specify maximum number of processes per Shell* - GP name: *MaxProcessesPerShell* - GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* - +
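Review bot: In the MaxProcessesPerShell hunk (@@ -309,6 +335,11 @@), "the maximum number of process per shell" should read "processes per shell", and "Zero (0) means unlimited number of processes" needs an article ("an unlimited number"). The neighbouring Remote Shell hunks put the range in its own sentence ("Any value from 0 to 0x7FFFFFFF can be set, where 0 ..."); using the same shape here would keep the descriptions parallel.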
          @@ -366,6 +397,13 @@ ADMX Info: +This policy setting configures the maximum number of concurrent shells any user can remotely open on the same system. + +Any number from 0 to 0x7FFFFFFF cand be set, where 0 means unlimited number of shells. + +If you enable this policy setting, the user cannot open new remote shells if the count exceeds the specified limit. + +If you disable or do not configure this policy setting, by default the limit is set to two remote shells per user. > [!TIP] @@ -375,14 +413,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Specify maximum number of remote shells per user* - GP name: *MaxShellsPerUser* - GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* - +
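Review bot: Typo in the MaxShellsPerUser hunk (@@ -366,6 +397,13 @@): "cand be set" should be "can be set". In the same added sentence, "0 means unlimited number of shells" needs an article ("an unlimited number of shells").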
          @@ -423,6 +461,7 @@ ADMX Info: +This policy setting is deprecated and has no effect when set to any state: Enabled, Disabled, or Not Configured. > [!TIP] @@ -432,14 +471,14 @@ ADMX Info: > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Specify Shell Timeout* - GP name: *ShellTimeOut* - GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* - +
          @@ -448,6 +487,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 616c8eb992..dfdf82afa1 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Search @@ -107,6 +107,15 @@ ms.date: 01/30/2018 Added in Windows 10, version 1709. Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources. + +ADMX Info: +- GP English name: *Allow Cloud Search* +- GP name: *AllowCloudSearch* +- GP element: *AllowCloudSearch_Dropdown* +- GP path: *Windows Components/Search* +- GP ADMX file name: *Search.admx* + + The following list shows the supported values: 
@@ -154,9 +163,17 @@ The following list shows the supported values: -Added in Windows 10, next major update. This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. If this policy is left in its default state, Cortana will not be shown in the AAD OOBE flow. If you opt-in to this policy, then the Cortana consent page will appear in the AAD OOBE flow.. +Added in Windows 10, version 1803. This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. If this policy is left in its default state, Cortana will not be shown in the AAD OOBE flow. If you opt-in to this policy, then the Cortana consent page will appear in the AAD OOBE flow.. + +ADMX Info: +- GP English name: *Allow Cortana Page in OOBE on an AAD account* +- GP name: *AllowCortanaInAAD* +- GP path: *Windows Components/Search* +- GP ADMX file name: *Search.admx* + + The following list shows the supported values: @@ -213,6 +230,14 @@ When the policy is disabled, the WIP protected items are not indexed and do not Most restricted value is 0. + +ADMX Info: +- GP English name: *Allow indexing of encrypted files* +- GP name: *AllowIndexingEncryptedStoresOrItems* +- GP path: *Windows Components/Search* +- GP ADMX file name: *Search.admx* + + The following list shows the supported values: @@ -265,6 +290,14 @@ Specifies whether search can leverage location information. Most restricted value is 0. + +ADMX Info: +- GP English name: *Allow search and Cortana to use location* +- GP name: *AllowSearchToUseLocation* +- GP path: *Windows Components/Search* +- GP ADMX file name: *Search.admx* + + The following list shows the supported values: 
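Review bot: In the AllowCortanaInAAD hunk (@@ -154,9 +163,17 @@), the replacement line still ends with a doubled period ("in the AAD OOBE flow.."). The line is already being rewritten to change "next major update" to "version 1803", so drop the extra period in the same change. "If you opt-in to this policy" should also be "opt in to this policy".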
@@ -338,6 +371,14 @@ Allows the use of diacritics. Most restricted value is 0. + +ADMX Info: +- GP English name: *Allow use of diacritics* +- GP name: *AllowUsingDiacritics* +- GP path: *Windows Components/Search* +- GP ADMX file name: *Search.admx* + + The following list shows the supported values: @@ -434,6 +475,14 @@ Specifies whether to always use automatic language detection when indexing conte Most restricted value is 0. + +ADMX Info: +- GP English name: *Always use automatic language detection when indexing content and properties* +- GP name: *AlwaysUseAutoLangDetection* +- GP path: *Windows Components/Search* +- GP ADMX file name: *Search.admx* + + The following list shows the supported values: @@ -484,6 +533,14 @@ The following list shows the supported values: If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled. + +ADMX Info: +- GP English name: *Disable indexer backoff* +- GP name: *DisableBackoff* +- GP path: *Windows Components/Search* +- GP ADMX file name: *Search.admx* + + The following list shows the supported values: @@ -538,6 +595,14 @@ If you enable this policy setting, locations on removable drives cannot be added If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed. + +ADMX Info: +- GP English name: *Do not allow locations on removable drives to be added to libraries* +- GP name: *DisableRemovableDriveIndexing* +- GP path: *Windows Components/Search* +- GP ADMX file name: *Search.admx* + + The following list shows the supported values: 
@@ -585,7 +650,7 @@ The following list shows the supported values: -Added in Windows 10, next major update. Don't search the web or display web results in Search. +Added in Windows 10, version 1803. Don't search the web or display web results in Search. This policy setting allows you to control whether or not Search can perform queries on the web, and if the web results are displayed in Search. If you enable this policy setting, queries won't be performed on the web and web results won't be displayed when a user performs a query in Search. @@ -593,6 +658,14 @@ If you enable this policy setting, queries won't be performed on the web and web If you disable this policy setting, queries will be performed on the web and web results will be displayed when a user performs a query in Search. + +ADMX Info: +- GP English name: *Don't search the web or display web results in Search* +- GP name: *DoNotUseWebResults* +- GP path: *Windows Components/Search* +- GP ADMX file name: *Search.admx* + + The following list shows the supported values: @@ -647,6 +720,14 @@ Enable this policy if computers in your environment have extremely limited hard When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size. + +ADMX Info: +- GP English name: *Stop indexing in the event of limited hard drive space* +- GP name: *StopIndexingOnLimitedHardDriveSpace* +- GP path: *Windows Components/Search* +- GP ADMX file name: *Search.admx* + + The following list shows the supported values: 
@@ -697,6 +778,14 @@ The following list shows the supported values: If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index.. + +ADMX Info: +- GP English name: *Prevent clients from querying the index remotely* +- GP name: *PreventRemoteQueries* +- GP path: *Windows Components/Search* +- GP ADMX file name: *Search.admx* + + The following list shows the supported values: @@ -769,6 +858,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index fa48adfe0d..b03abc2582 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Security @@ -361,6 +361,14 @@ The following list shows the supported values: Added in Windows 10, version 1709. Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart. + +ADMX Info: +- GP English name: *Configure the system to clear the TPM if it is not in a ready state.* +- GP name: *ClearTPMIfNotReady_Name* +- GP path: *System/Trusted Platform Module Services* +- GP ADMX file name: *TPM.admx* + + The following list shows the supported values: 
@@ -408,7 +416,7 @@ The following list shows the supported values: -Added in Windows 10, next major update. Configures the use of passwords for Windows features. +Added in Windows 10, version 1803. Configures the use of passwords for Windows features. > [!Note] > This policy is only supported in Windows 10 S. @@ -654,6 +662,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index bd6a64ba12..5773e32200 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Settings @@ -370,6 +370,15 @@ Enables or disables the retrieval of online tips and help for the Settings app. If disabled, Settings will not contact Microsoft content services to retrieve tips and help content. + +ADMX Info: +- GP English name: *Allow Online Tips* +- GP name: *AllowOnlineTips* +- GP element: *CheckBox_AllowOnlineTips* +- GP path: *Control Panel* +- GP ADMX file name: *ControlPanel.admx* + +
          @@ -729,6 +738,14 @@ The following list shows the supported values: Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale. + +ADMX Info: +- GP English name: *Show additional calendar* +- GP name: *ConfigureTaskbarCalendar* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + The following list shows the supported values: @@ -805,6 +822,15 @@ Example 2, specifies that the wifi page should not be shown: hide:wifi + +ADMX Info: +- GP English name: *Settings Page Visibility* +- GP name: *SettingsPageVisibility* +- GP element: *SettingsPageVisibilityBox* +- GP path: *Control Panel* +- GP ADMX file name: *ControlPanel.admx* + + To validate on Desktop, do the following: @@ -821,6 +847,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md index f52bfb67a6..3eea69f19b 100644 --- a/windows/client-management/mdm/policy-csp-smartscreen.md +++ b/windows/client-management/mdm/policy-csp-smartscreen.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - SmartScreen 
@@ -72,6 +72,14 @@ ms.date: 01/30/2018 Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store. + +ADMX Info: +- GP English name: *Configure App Install Control* +- GP name: *ConfigureAppInstallControl* +- GP path: *Windows Components/Windows Defender SmartScreen/Explorer* +- GP ADMX file name: *SmartScreen.admx* + + The following list shows the supported values: @@ -122,6 +130,14 @@ The following list shows the supported values: Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows. + +ADMX Info: +- GP English name: *Configure Windows Defender SmartScreen* +- GP name: *ShellConfigureSmartScreen* +- GP path: *Windows Components/Windows Defender SmartScreen/Explorer* +- GP ADMX file name: *SmartScreen.admx* + + The following list shows the supported values: @@ -172,6 +188,15 @@ The following list shows the supported values: Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files. + +ADMX Info: +- GP English name: *Configure Windows Defender SmartScreen* +- GP name: *ShellConfigureSmartScreen* +- GP element: *ShellConfigureSmartScreen_Dropdown* +- GP path: *Windows Components/Windows Defender SmartScreen/Explorer* +- GP ADMX file name: *SmartScreen.admx* + + The following list shows the supported values: @@ -187,6 +212,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md index e5c27c3200..33cdd64750 100644 --- a/windows/client-management/mdm/policy-csp-speech.md +++ b/windows/client-management/mdm/policy-csp-speech.md 
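Review bot: The ADMX Info added in the @@ -172,6 +188,15 @@ hunk (the setting that controls whether users can ignore SmartScreen warnings) carries the same GP English name and GP name as the block added in the @@ -122,6 +130,14 @@ hunk before it: *Configure Windows Defender SmartScreen* and *ShellConfigureSmartScreen*. Only the added "GP element: *ShellConfigureSmartScreen_Dropdown*" line tells the two apart. Please confirm that both CSP settings map to the one Group Policy, and if they do, add a sentence saying which part of that policy each one controls, so an admin auditing the GPO can tell the on/off setting from the warning-override setting. The context line in this hunk also has a doubled word ("users can can ignore") that could be fixed in the same pass.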
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Speech @@ -66,6 +66,14 @@ ms.date: 01/30/2018 Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS). + +ADMX Info: +- GP English name: *Allow Automatic Update of Speech Data* +- GP name: *AllowSpeechModelUpdate* +- GP path: *Windows Components/Speech* +- GP ADMX file name: *Speech.admx* + + The following list shows the supported values: @@ -81,6 +89,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index e8122802b3..d9d149dd3a 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Start @@ -1025,6 +1025,14 @@ Added in Windows 10, version 1709. Enabling this policy removes the people icon Value type is integer. + +ADMX Info: +- GP English name: *Remove the People Bar from the taskbar* +- GP name: *HidePeopleBar* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + +
          @@ -1198,6 +1206,14 @@ To validate on Desktop, do the following: Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently added apps. + +ADMX Info: +- GP English name: *Remove "Recently added" list from Start Menu* +- GP name: *HideRecentlyAddedApps* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + The following list shows the supported values: @@ -1731,6 +1747,14 @@ Allows you to override the default Start layout and prevents the user from chang For further details on how to customize the Start layout, please see [Customize and export Start layout](https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout) and [Configure Windows 10 taskbar](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-10-taskbar). + +ADMX Info: +- GP English name: *Start Layout* +- GP name: *LockedStartLayout* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + +
          @@ -1739,6 +1763,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index dbcdfe8bd5..b27f3af35b 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Storage @@ -73,6 +73,14 @@ Added in Windows 10, version 1709. Allows disk health model updates. Value type is integer. + +ADMX Info: +- GP English name: *Allow downloading updates to the Disk Failure Prediction Model* +- GP name: *SH_AllowDiskHealthModelUpdates* +- GP path: *System/Storage Health* +- GP ADMX file name: *StorageHealth.admx* + + The following list shows the supported values: @@ -134,14 +142,14 @@ If you disable or do not configure this policy setting, Windows will activate un > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Do not allow Windows to activate Enhanced Storage devices* - GP name: *TCGSecurityActivationDisabled* - GP path: *System/Enhanced Storage Access* - GP ADMX file name: *enhancedstorage.admx* - +
          @@ -150,6 +158,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index f45d4b3ddc..6c6ed3c4c9 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - System @@ -116,6 +116,14 @@ This policy setting determines whether users can access the Insider build contro If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable. + +ADMX Info: +- GP English name: *Toggle user control over Insider builds* +- GP name: *AllowBuildPreview* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *AllowBuildPreview.admx* + + The following list shows the supported values: @@ -283,6 +291,14 @@ This setting is used by lower-level components for text display and fond handlin > Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service. + +ADMX Info: +- GP English name: *Enable Font Providers* +- GP name: *EnableFontProviders* +- GP path: *Network/Fonts* +- GP ADMX file name: *GroupPolicy.admx* + + The following list shows the supported values: 
@@ -348,6 +364,14 @@ When switching the policy back from 0 (Force Location Off) or 2 (Force Location For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off. + +ADMX Info: +- GP English name: *Turn off location* +- GP name: *DisableLocation_2* +- GP path: *Windows Components/Location and Sensors* +- GP ADMX file name: *Sensors.admx* + + The following list shows the supported values: @@ -527,6 +551,15 @@ Windows 10 Values: Most restricted value is 0. + +ADMX Info: +- GP English name: *Allow Telemetry* +- GP name: *AllowTelemetry* +- GP element: *AllowTelemetry* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + +
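Review bot: In the AllowLocation hunk (@@ -348,6 +364,14 @@), the added mapping points a three-value CSP setting (the context lines mention 0 Force Location Off, 1 User Control and 2 Force Location On) at a Group Policy named *Turn off location* (GP name *DisableLocation_2*). The polarity is inverted and the GP name gives no hint of three states, so the block should say which CSP values correspond to the Group Policy being enabled, disabled and not configured.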
          @@ -620,7 +653,17 @@ orted values: -N/A +This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: +- Good: The driver has been signed and has not been tampered with. +- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. +- Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. +- Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. + +If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. + +If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. + +If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. > [!TIP] @@ -630,12 +673,14 @@ N/A > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: +- GP English name: *Boot-Start Driver Initialization Policy* - GP name: *POL_DriverLoadPolicy_Name* +- GP path: *System/Early Launch Antimalware* - GP ADMX file name: *earlylauncham.admx* - +
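Review bot: The description added in the @@ -620,7 +653,17 @@ hunk names the third driver classification two different ways: the bullet list has "Bad, but required for boot" and the disable paragraph has "Bad but Boot Critical". Use one label in both places so readers do not take them for separate classes. The same paragraph writes "boot start drivers" where the rest of the added text uses "boot-start drivers", and "If you enable this policy setting you will be able" needs a comma after "setting".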
          @@ -679,6 +724,15 @@ ADMX Info: This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. + +ADMX Info: +- GP English name: *Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service* +- GP name: *DisableEnterpriseAuthProxy* +- GP element: *DisableEnterpriseAuthProxy* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + +
          @@ -730,6 +784,14 @@ Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. + +ADMX Info: +- GP English name: *Prevent the usage of OneDrive for file storage* +- GP name: *PreventOnedriveFileSync* +- GP path: *Windows Components/OneDrive* +- GP ADMX file name: *SkyDrive.admx* + + The following list shows the supported values: @@ -805,14 +867,14 @@ Also, see the "Turn off System Restore configuration" policy setting. If the "Tu > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn off System Restore* - GP name: *SR_DisableSR* - GP path: *System/System Restore* - GP ADMX file name: *systemrestore.admx* - +
          @@ -853,7 +915,7 @@ ADMX Info: -Added in Windows 10, next major update. When filing feedback in the Feedback Hub, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations. +Added in Windows 10, version 1803. When filing feedback in the Feedback Hub, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations. @@ -919,6 +981,15 @@ Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combina If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. + +ADMX Info: +- GP English name: *Limit Enhanced diagnostic data to the minimum required by Windows Analytics* +- GP name: *LimitEnhancedDiagnosticDataWindowsAnalytics* +- GP element: *LimitEnhancedDiagnosticDataWindowsAnalytics* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + +
          @@ -964,6 +1035,15 @@ Allows you to specify the fully qualified domain name (FQDN) or IP address of a If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. + +ADMX Info: +- GP English name: *Configure Connected User Experiences and Telemetry* +- GP name: *TelemetryProxy* +- GP element: *TelemetryProxyName* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + +
          @@ -972,6 +1052,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md index 7071a57f68..9dd4ebd067 100644 --- a/windows/client-management/mdm/policy-csp-systemservices.md +++ b/windows/client-management/mdm/policy-csp-systemservices.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - SystemServices @@ -80,9 +80,15 @@ ms.date: 01/30/2018 -Added in Windows 10, next major update. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. +Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + +GP Info: +- GP English name: *HomeGroup Listener* +- GP path: *Windows Settings/Security Settings/System Services* + +
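Review bot: In the @@ -80,9 +80,15 @@ hunk (HomeGroup Listener), the replacement line keeps the misspelling "Automaic(2)". The line is being edited anyway for the version string, so correct it to "Automatic (2), Manual (3), Disabled (4)" here; the same replacement line appears in each of the following SystemServices hunks. The new block is also headed "GP Info:" where the other files in this patch use "ADMX Info:"; if that is deliberate because these settings list no ADMX file, a short remark saying so would keep the next reader from treating it as an oversight.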
          @@ -123,9 +129,15 @@ Added in Windows 10, next major update. This setting determines whether the serv -Added in Windows 10, next major update. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. +Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + +GP Info: +- GP English name: *HomeGroup Provider* +- GP path: *Windows Settings/Security Settings/System Services* + +
          @@ -166,9 +178,15 @@ Added in Windows 10, next major update. This setting determines whether the serv -Added in Windows 10, next major update. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. +Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + +GP Info: +- GP English name: *Xbox Accessory Management Service* +- GP path: *Windows Settings/Security Settings/System Services* + +
          @@ -209,9 +227,15 @@ Added in Windows 10, next major update. This setting determines whether the serv -Added in Windows 10, next major update. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. +Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + +GP Info: +- GP English name: *Xbox Live Auth Manager* +- GP path: *Windows Settings/Security Settings/System Services* + +
          @@ -252,9 +276,15 @@ Added in Windows 10, next major update. This setting determines whether the serv -Added in Windows 10, next major update. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. +Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + +GP Info: +- GP English name: *Xbox Live Game Save* +- GP path: *Windows Settings/Security Settings/System Services* + +
          @@ -295,9 +325,15 @@ Added in Windows 10, next major update. This setting determines whether the serv -Added in Windows 10, next major update. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. +Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + +GP Info: +- GP English name: *Xbox Live Networking Service* +- GP path: *Windows Settings/Security Settings/System Services* + +
          @@ -306,6 +342,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md index e55edde857..7fee0be3b0 100644 --- a/windows/client-management/mdm/policy-csp-taskscheduler.md +++ b/windows/client-management/mdm/policy-csp-taskscheduler.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - TaskScheduler @@ -65,7 +65,7 @@ ms.date: 01/30/2018 -Added in Windows 10, next major update. This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled. +Added in Windows 10, version 1803. This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled. @@ -76,6 +76,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index ef51165474..6b2f4389e8 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - TextInput @@ -21,6 +21,9 @@ ms.date: 01/30/2018 ## TextInput policies
          +
          + TextInput/AllowHardwareKeyboardTextSuggestions +
          TextInput/AllowIMELogging
          @@ -63,9 +66,83 @@ ms.date: 01/30/2018
          TextInput/ExcludeJapaneseIMEExceptShiftJIS
          +
          + TextInput/ForceTouchKeyboardDockedState +
          +
          + TextInput/TouchKeyboardDictationButtonAvailability +
          +
          + TextInput/TouchKeyboardEmojiButtonAvailability +
          +
          + TextInput/TouchKeyboardFullModeAvailability +
          +
          + TextInput/TouchKeyboardHandwritingModeAvailability +
          +
          + TextInput/TouchKeyboardNarrowModeAvailability +
          +
          + TextInput/TouchKeyboardSplitModeAvailability +
          +
          + TextInput/TouchKeyboardWideModeAvailability +
          +
          + + +**TextInput/AllowHardwareKeyboardTextSuggestions** + + + + + + + + + + + + + + + + + + + + + +
          HomeProBusinessEnterpriseEducationMobileMobile Enterprise
          cross markcheck mark4check mark4check mark4check mark4
          + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + +Added in Windows 10, version 1803. Specifies text prediction for hardware keyboard is always disabled. When this policy is set to 0, text prediction for hardware keyboard is always disabled. + + + +The following list shows the supported values: + +- 0 – Text prediction for the hardware keyboard is disabled and the switch is unusable (user cannot activate the feature). +- 1 (default) – Text prediction for the hardware keyboard is enabled. User can change the setting. + + + +
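Review bot: The description added for TextInput/AllowHardwareKeyboardTextSuggestions opens with "Specifies text prediction for hardware keyboard is always disabled", which contradicts the supported values listed right below it, where 1 is the default and leaves prediction enabled. Suggest something like "Specifies whether text prediction is enabled or disabled for the hardware keyboard", keeping the "set to 0" sentence as is. Also, the edition table in this hunk shows seven column headers (Home through Mobile Enterprise) but only five cells in its row; the Mobile and Mobile Enterprise cells that the other TextInput tables carry appear to be missing.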
          @@ -580,6 +657,14 @@ Allows the uninstall of language features, such as spell checkers, on a device. Most restricted value is 0. + +ADMX Info: +- GP English name: *Allow Uninstallation of Language Features* +- GP name: *AllowLanguageFeaturesUninstall* +- GP path: *Windows Components/Text Input* +- GP ADMX file name: *TextInput.admx* + + The following list shows the supported values: @@ -627,7 +712,7 @@ The following list shows the supported values: -Added in Windows 10, next major update. This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode. +Added in Windows 10, version 1803. This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode. The touch keyboard is enabled in both the tablet and desktop mode. In the tablet mode, when you touch a textbox, the touch keyboard automatically shows up. But in the desktop mode, by default, the touch keyboard does not automatically show up when you touch a textbox. The user must click the system tray to enable the touch keyboard. @@ -804,6 +889,414 @@ The following list shows the supported values: - 0 (default) – No characters are filtered. - 1 – All characters except ShiftJIS are filtered. + + + +
          + + +**TextInput/ForceTouchKeyboardDockedState** + + + + + + + + + + + + + + + + + + + + + +
          HomeProBusinessEnterpriseEducationMobileMobile Enterprise
          cross markcheck mark4check mark4check mark4check mark4cross markcross mark
          + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + +Added in Windows 10, version 1803. Specifies the touch keyboard is always docked. When this policy is set to enabled, the touch keyboard is always docked. + + + +The following list shows the supported values: + +- 0 - (default) - The OS determines when it's most appropriate to be available. +- 1 - Touch keyboard is always docked. +- 2 - Touch keyboard docking can be changed. + + + + +
          + + +**TextInput/TouchKeyboardDictationButtonAvailability** + + + + + + + + + + + + + + + + + + + + + +
          HomeProBusinessEnterpriseEducationMobileMobile Enterprise
          cross markcheck mark4check mark4check mark4check mark4cross markcross mark
          + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + +Added in Windows 10, version 1803. Specifies whether the dictation input button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the dictation input button on touch keyboard is disabled. + + + +The following list shows the supported values: + +- 0 (default) - The OS determines when it's most appropriate to be available. +- 1 - Dictation button on the keyboard is always available. +- 2 - Dictation button on the keyboard is always disabled. + + + + +
          + + +**TextInput/TouchKeyboardEmojiButtonAvailability** + + + + + + + + + + + + + + + + + + + + + +
          HomeProBusinessEnterpriseEducationMobileMobile Enterprise
          cross markcheck mark4check mark4check mark4check mark4cross markcross mark
          + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + +Added in Windows 10, version 1803. Specifies whether the emoji button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the emoji button on touch keyboard is disabled. + + + +The following list shows the supported values: + +- 0 (default) - The OS determines when it's most appropriate to be available. +- 1 - Emoji button on keyboard is always available. +- 2 - Emoji button on keyboard is always disabled. + + + + +
          + + +**TextInput/TouchKeyboardFullModeAvailability** + + + + + + + + + + + + + + + + + + + + + +
          HomeProBusinessEnterpriseEducationMobileMobile Enterprise
          cross markcheck mark4check mark4check mark4check mark4cross markcross mark
          + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + +Added in Windows 10, version 1803. Specifies whether the full keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the full keyboard mode for touch keyboard is disabled. + + + +The following list shows the supported values: + +- 0 (default) - The OS determines when it's most appropriate to be available. +- 1 - Full keyboard is always available. +- 2 - Full keyboard is always disabled. + + + + +
          + + +**TextInput/TouchKeyboardHandwritingModeAvailability** + + + + + + + + + + + + + + + + + + + + + +
          HomeProBusinessEnterpriseEducationMobileMobile Enterprise
          cross markcheck mark4check mark4check mark4check mark4cross markcross mark
          + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + +Added in Windows 10, version 1803. Specifies whether the handwriting input panel is enabled or disabled. When this policy is set to disabled, the handwriting input panel is disabled. + + + +The following list shows the supported values: + +- 0 (default) - The OS determines when it's most appropriate to be available. +- 1 - Handwriting input panel is always available. +- 2 - Handwriting input panel is always disabled. + + + + +
          + + +**TextInput/TouchKeyboardNarrowModeAvailability** + + + + + + + + + + + + + + + + + + + + + +
          HomeProBusinessEnterpriseEducationMobileMobile Enterprise
          cross markcheck mark4check mark4check mark4check mark4cross markcross mark
          + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + +Added in Windows 10, version 1803. Specifies whether the narrow keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the narrow keyboard mode for touch keyboard is disabled. + + + +The following list shows the supported values: + +- 0 (default) - The OS determines when it's most appropriate to be available. +- 1 - Narrow keyboard is always available. +- 2 - Narrow keyboard is always disabled. + + + + +
          + + +**TextInput/TouchKeyboardSplitModeAvailability** + + + + + + + + + + + + + + + + + + + + + +
          HomeProBusinessEnterpriseEducationMobileMobile Enterprise
          cross markcheck mark4check mark4check mark4check mark4cross markcross mark
          + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + +Added in Windows 10, version 1803. Specifies whether the split keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the split keyboard mode for touch keyboard is disabled. + + + +The following list shows the supported values: + +- 0 (default) - The OS determines when it's most appropriate to be available. +- 1 - Split keyboard is always available. +- 2 - Split keyboard is always disabled. + + + + +
          + + +**TextInput/TouchKeyboardWideModeAvailability** + + + + + + + + + + + + + + + + + + + + + +
          HomeProBusinessEnterpriseEducationMobileMobile Enterprise
          cross markcheck mark4check mark4check mark4check mark4cross markcross mark
          + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
          + + + +Added in Windows 10, version 1803. Specifies whether the wide keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the wide keyboard mode for touch keyboard is disabled. + + + +The following list shows the supported values: + +- 0 (default) - The OS determines when it's most appropriate to be available. +- 1 - Wide keyboard is always available. +- 2 - Wide keyboard is always disabled. +
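Review bot: In the TextInput/ForceTouchKeyboardDockedState section of this hunk, the value 0 text "The OS determines when it's most appropriate to be available" looks copied from the availability policies and does not describe docking, and the entry is formatted "0 - (default) -" where the other lists use "0 (default) -". The descriptions throughout this hunk also say "When this policy is set to enabled" or "set to disabled" although the supported values are 0, 1 and 2; naming the numeric value in each description (1 for always docked, 2 for the button or mode being disabled) would remove the ambiguity.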
          @@ -813,6 +1306,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index c926c03e45..731fc2ae63 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - TimeLanguageSettings @@ -63,14 +63,14 @@ ms.date: 01/30/2018 -Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting. +Allows for the configuration of the default clock setting to be the 24 hour format. If set to 0 (zero), the device uses the default clock as prescribed by the current locale setting. The following list shows the supported values: -- 0 – Locale default setting. -- 1 (default) – Set 24 hour clock. +- 0 (default) – Current locale setting. +- 1 – Set 24 hour clock. @@ -81,6 +81,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 47a34b96dd..70198e988d 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Update 
@@ -216,6 +216,15 @@ Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. The default is 17 (5 PM). + +ADMX Info: +- GP English name: *Turn off auto-restart for updates during active hours* +- GP name: *ActiveHours* +- GP element: *ActiveHoursEndTime* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
          @@ -263,6 +272,15 @@ Supported values are 8-18. The default value is 18 (hours). + +ADMX Info: +- GP English name: *Specify active hours range for auto-restarts* +- GP name: *ActiveHoursMaxRange* +- GP element: *ActiveHoursMaxRange* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
          @@ -313,6 +331,15 @@ Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. The default value is 8 (8 AM). + +ADMX Info: +- GP English name: *Turn off auto-restart for updates during active hours* +- GP name: *ActiveHours* +- GP element: *ActiveHoursStartTime* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
          @@ -365,6 +392,15 @@ Supported operations are Get and Replace. If the policy is not configured, end-users get the default behavior (Auto install and restart). + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateMode* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -423,6 +459,14 @@ A significant number of devices primarily use cellular data and do not have Wi-F This policy is accessible through the Update setting in the user interface or Group Policy. + +ADMX Info: +- GP English name: *Allow updates to be downloaded automatically over metered connections* +- GP name: *AllowAutoWindowsUpdateDownloadOverMeteredNetwork* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -473,6 +517,15 @@ The following list shows the supported values: Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AllowMUUpdateServiceId* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -584,6 +637,14 @@ Enabling this policy will disable that functionality, and may cause connection t > This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. + +ADMX Info: +- GP English name: *Specify intranet Microsoft update service location* +- GP name: *CorpWuURL* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: 
@@ -638,6 +699,15 @@ Supported values are 2-30 days. The default value is 7 days. + +ADMX Info: +- GP English name: *Specify deadline before auto-restart for update installation* +- GP name: *AutoRestartDeadline* +- GP element: *AutoRestartDeadline* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
          @@ -683,6 +753,15 @@ Added in Windows 10, version 1703. Allows the IT Admin to specify the period fo The default value is 15 (minutes). + +ADMX Info: +- GP English name: *Configure auto-restart reminder notifications for updates* +- GP name: *AutoRestartNotificationConfig* +- GP element: *AutoRestartNotificationSchd* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + Supported values are 15, 30, 60, 120, and 240 (minutes). @@ -730,6 +809,15 @@ Supported values are 15, 30, 60, 120, and 240 (minutes). Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. + +ADMX Info: +- GP English name: *Configure auto-restart required notification for updates* +- GP name: *AutoRestartRequiredNotificationDismissal* +- GP element: *AutoRestartRequiredNotificationDismissal* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -780,6 +868,15 @@ The following list shows the supported values: Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. + +ADMX Info: +- GP English name: *Select when Preview Builds and Feature Updates are received* +- GP name: *DeferFeatureUpdates* +- GP element: *BranchReadinessLevelId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -821,7 +918,7 @@ The following list shows the supported values: -Added in Windows 10, next major update. Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days. +Added in Windows 10, version 1803. Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days. 
@@ -874,6 +971,15 @@ Supported values are 0-365 days. > The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. + +ADMX Info: +- GP English name: *Select when Preview Builds and Feature Updates are received* +- GP name: *DeferFeatureUpdates* +- GP element: *DeferFeatureUpdatesPeriodId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + +
          @@ -919,6 +1025,15 @@ Added in Windows 10, version 1607. Defers Quality Updates for the specified num Supported values are 0-30. + +ADMX Info: +- GP English name: *Select when Quality Updates are received* +- GP name: *DeferQualityUpdates* +- GP element: *DeferQualityUpdatesPeriodId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + +
          @@ -1055,6 +1170,13 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego --> + +ADMX Info: +- GP name: *DeferUpgrade* +- GP element: *DeferUpdatePeriodId* +- GP ADMX file name: *WindowsUpdate.admx* + +
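Review bot: This ADMX Info block lists only GP name, GP element and GP ADMX file name, while the other blocks added to this file also give GP English name and GP path. If the DeferUpgrade policy has no English name or path to cite, say so in the block; otherwise add the two missing entries so the setting can be located from the documentation alone.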
          @@ -1110,6 +1232,13 @@ If the "Specify intranet Microsoft update service location" policy is enabled, t If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +ADMX Info: +- GP name: *DeferUpgrade* +- GP element: *DeferUpgradePeriodId* +- GP ADMX file name: *WindowsUpdate.admx* + +
          @@ -1153,6 +1282,15 @@ If the "Allow Telemetry" policy is enabled and the Options value is set to 0, th Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. + +ADMX Info: +- GP English name: *Automatic Updates detection frequency* +- GP name: *DetectionFrequency_Title* +- GP element: *DetectionFrequency_Hour2* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
          @@ -1202,6 +1340,14 @@ This is the same as the Group Policy in Windows Components > Window Update "Do n Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +ADMX Info: +- GP English name: *Do not allow update deferral policies to cause scans against Windows Update* +- GP name: *DisableDualScan* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -1256,6 +1402,15 @@ Supported values are 2-30 days. The default value is 0 days (not specified). + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartDeadline* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
          @@ -1303,6 +1458,15 @@ Supported values are 1-3 days. The default value is 3 days. + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartSnoozeSchedule* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
          @@ -1350,6 +1514,15 @@ Supported values are 2-30 days. The default value is 7 days. + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartTransitionSchedule* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
          @@ -1396,6 +1569,14 @@ The default value is 7 days. Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. + +ADMX Info: +- GP English name: *Do not include drivers with Windows Updates* +- GP name: *ExcludeWUDriversInQualityUpdate* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -1449,6 +1630,15 @@ Added in the April service release of Windows 10, version 1607. Allows Windows U > This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. + +ADMX Info: +- GP English name: *Specify intranet Microsoft update service location* +- GP name: *CorpWuURL* +- GP element: *CorpWUFillEmptyContentUrls* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -1629,6 +1819,15 @@ To validate this policy: Added in Windows 10, version 1709. Used to manage Windows 10 Insider Preview builds. Value type is integer. + +ADMX Info: +- GP English name: *Manage preview builds* +- GP name: *ManagePreviewBuilds* +- GP element: *ManagePreviewBuildsId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: 
@@ -1689,6 +1888,13 @@ If the "Specify intranet Microsoft update service location" policy is enabled, t If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +ADMX Info: +- GP name: *DeferUpgrade* +- GP element: *PauseDeferralsId* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -1742,6 +1948,15 @@ Since this policy is not blocked, you will not get a failure message when you us Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. + +ADMX Info: +- GP English name: *Select when Preview Builds and Feature Updates are received* +- GP name: *DeferFeatureUpdates* +- GP element: *PauseFeatureUpdatesId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -1794,6 +2009,15 @@ Added in Windows 10, version 1703. Specifies the date and time when the IT admi Value type is string. Supported operations are Add, Get, Delete, and Replace. + +ADMX Info: +- GP English name: *Select when Preview Builds and Feature Updates are received* +- GP name: *DeferFeatureUpdates* +- GP element: *PauseFeatureUpdatesStartId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + +
          @@ -1837,6 +2061,15 @@ Value type is string. Supported operations are Add, Get, Delete, and Replace. Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. + +ADMX Info: +- GP English name: *Select when Quality Updates are received* +- GP name: *DeferQualityUpdates* +- GP element: *PauseQualityUpdatesId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -1889,6 +2122,15 @@ Added in Windows 10, version 1703. Specifies the date and time when the IT admi Value type is string. Supported operations are Add, Get, Delete, and Replace. + +ADMX Info: +- GP English name: *Select when Quality Updates are received* +- GP name: *DeferQualityUpdates* +- GP element: *PauseQualityUpdatesStartId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + +
          @@ -1947,6 +2189,13 @@ This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupd Allows the IT admin to set a device to Semi-Annual Channel train. + +ADMX Info: +- GP name: *DeferUpgrade* +- GP element: *DeferUpgradePeriodId* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -2055,6 +2304,15 @@ Added in Windows 10, version 1703. Allows the IT Admin to specify the period fo The default value is 15 (minutes). + +ADMX Info: +- GP English name: *Configure auto-restart warning notifications schedule for updates* +- GP name: *RestartWarnRemind* +- GP element: *RestartWarn* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + Supported values are 15, 30, or 60 (minutes). @@ -2108,6 +2366,15 @@ Added in Windows 10, version 1703. Allows the IT Admin to specify the period fo The default value is 4 (hours). + +ADMX Info: +- GP English name: *Configure auto-restart warning notifications schedule for updates* +- GP name: *RestartWarnRemind* +- GP element: *RestartWarnRemind* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + Supported values are 2, 4, 8, 12, or 24 (hours). @@ -2159,6 +2426,15 @@ The data type is a integer. Supported operations are Add, Delete, Get, and Replace. + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateSchDay* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -2219,6 +2495,15 @@ Added in Windows 10, version 1709. Enables the IT admin to schedule the update i
        + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateSchEveryWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
        @@ -2266,6 +2551,15 @@ Added in Windows 10, version 1709. Enables the IT admin to schedule the update i
      + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateSchFirstWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
      @@ -2313,6 +2607,15 @@ Added in Windows 10, version 1709. Enables the IT admin to schedule the update i
    + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *ScheduledInstallFourthWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
    @@ -2360,6 +2663,15 @@ Added in Windows 10, version 1709. Enables the IT admin to schedule the update i + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *ScheduledInstallSecondWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
    @@ -2407,6 +2719,15 @@ Added in Windows 10, version 1709. Enables the IT admin to schedule the update i + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *ScheduledInstallThirdWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
    @@ -2462,6 +2783,15 @@ Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3. + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateSchTime* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
    @@ -2505,6 +2835,15 @@ The default value is 3. Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations. + +ADMX Info: +- GP English name: *Turn off auto-restart notifications for update installations* +- GP name: *AutoRestartNotificationDisable* +- GP element: *AutoRestartNotificationSchd* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -2555,6 +2894,14 @@ The following list shows the supported values: Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime. + +ADMX Info: +- GP English name: *Update Power Policy for Cart Restarts* +- GP name: *SetEDURestart* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -2610,6 +2957,15 @@ Allows the device to check for updates from a WSUS server instead of Microsoft U Supported operations are Get and Replace. + +ADMX Info: +- GP English name: *Specify intranet Microsoft update service location* +- GP name: *CorpWuURL* +- GP element: *CorpWUURL_Name* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -2691,6 +3047,15 @@ Value type is string and the default value is an empty string, "". If the settin > This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. + +ADMX Info: +- GP English name: *Specify intranet Microsoft update service location* +- GP name: *CorpWuURL* +- GP element: *CorpWUContentHost_Name* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
    @@ -2699,6 +3064,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index b091456af0..3584468818 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - UserRights @@ -152,6 +152,12 @@ ms.date: 01/30/2018 This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. + +GP Info: +- GP English name: *Access Credential Manager ase a trusted caller* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
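Review bot: Typo in the added GP English name in the @@ -152,6 +152,12 @@ hunk of policy-csp-userrights.md: "Access Credential Manager ase a trusted caller" should read "Access Credential Manager as a trusted caller". Administrators search the Group Policy editor by this display name, and this right is one the surrounding text says no account other than Winlogon should hold, so the name should match exactly what they will look for.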
    @@ -195,6 +201,12 @@ This user right is used by Credential Manager during Backup/Restore. No accounts This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. + +GP Info: +- GP English name: *Access this computer from the network* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -238,6 +250,12 @@ This user right determines which users and groups are allowed to connect to the This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. + +GP Info: +- GP English name: *Act as part of the operating system* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -281,6 +299,12 @@ This user right allows a process to impersonate any user without authentication. This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website. + +GP Info: +- GP English name: *Allow log on locally* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -324,6 +348,12 @@ This user right determines which users can log on to the computer. Note: Modifyi This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users + +GP Info: +- GP English name: *Back up files and directories* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -367,6 +397,12 @@ This user right determines which users can bypass file, directory, registry, and This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. + +GP Info: +- GP English name: *Change the system time* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -410,6 +446,12 @@ This user right determines which users and groups can change the time and date o This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users. + +GP Info: +- GP English name: *Create global objects* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -453,6 +495,12 @@ This security setting determines whether users can create global objects that ar This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users + +GP Info: +- GP English name: *Create a pagefile* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -496,6 +544,12 @@ This user right determines which users and groups can call an internal applicati This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it. + +GP Info: +- GP English name: *Create permanent shared objects* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -539,6 +593,12 @@ This user right determines which accounts can be used by processes to create a d This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. + +GP Info: +- GP English name: *Create symbolic links* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -582,6 +642,12 @@ This user right determines if the user can create a symbolic link from the compu This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. + +GP Info: +- GP English name: *Create a token object* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -625,6 +691,12 @@ This user right determines which accounts can be used by processes to create a t This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. + +GP Info: +- GP English name: *Debug programs* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -668,6 +740,12 @@ This user right determines which users can attach a debugger to any process or t This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. + +GP Info: +- GP English name: *Deny access to this computer from the network* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -711,6 +789,12 @@ This user right determines which users are prevented from accessing a computer o This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts. + +GP Info: +- GP English name: *Deny log on as a service* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -754,6 +838,12 @@ This security setting determines which service accounts are prevented from regis This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client. + +GP Info: +- GP English name: *Deny log on through Remote Desktop Services* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -797,6 +887,12 @@ This user right determines which users and groups are prohibited from logging on This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. + +GP Info: +- GP English name: *Enable computer and user accounts to be trusted for delegation* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -840,6 +936,12 @@ This user right determines which users can set the Trusted for Delegation settin This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled. + +GP Info: +- GP English name: *Generate security audits* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -887,6 +989,12 @@ Assigning this user right to a user allows programs running on behalf of that us Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run. + +GP Info: +- GP English name: *Impersonate a client after authentication* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -930,6 +1038,12 @@ Because of these factors, users do not usually need this user right. Warning: If This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. + +GP Info: +- GP English name: *Increase scheduling priority* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -973,6 +1087,12 @@ This user right determines which accounts can use a process with Write Property This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. + +GP Info: +- GP English name: *Load and unload device drivers* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -1016,6 +1136,12 @@ This user right determines which users can dynamically load and unload device dr This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). + +GP Info: +- GP English name: *Lock pages in memory* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -1059,6 +1185,12 @@ This user right determines which accounts can use a process to keep data in phys This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log. + +GP Info: +- GP English name: *Manage auditing and security log* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -1102,6 +1234,12 @@ This user right determines which users can specify object access auditing option This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. + +GP Info: +- GP English name: *Perform volume maintenance tasks* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -1145,6 +1283,12 @@ This user right determines which users and groups can run maintenance tasks on a This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. + +GP Info: +- GP English name: *Modify firmware environment values* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -1188,6 +1332,12 @@ This user right determines who can modify firmware environment values. Firmware This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. + +GP Info: +- GP English name: *Modify an object label* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -1231,6 +1381,12 @@ This user right determines which user accounts can modify the integrity label of This user right determines which users can use performance monitoring tools to monitor the performance of system processes. + +GP Info: +- GP English name: *Profile single process* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
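Review bot: The added GP English name "Profile single process" does not obviously match the description it is attached to, which speaks of monitoring "the performance of system processes". Please confirm that this description belongs to the single-process right and not to the system-performance profiling right, and correct whichever side is wrong before the mapping is published, since readers will use this pairing to decide which right they are granting.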
    @@ -1274,6 +1430,12 @@ This user right determines which users can use performance monitoring tools to m This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. + +GP Info: +- GP English name: *Force shutdown from a remote system* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -1317,6 +1479,12 @@ This user right determines which users are allowed to shut down a computer from This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users. + +GP Info: +- GP English name: *Restore files and directories* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -1360,6 +1528,12 @@ This user right determines which users can bypass file, directory, registry, and This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users. + +GP Info: +- GP English name: *Take ownership of files or other objects* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
    @@ -1368,6 +1542,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 8fa7a54082..358dc3fc01 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - Wifi @@ -97,6 +97,14 @@ Allow or disallow the device to automatically connect to Wi-Fi hotspots. Most restricted value is 0. + +ADMX Info: +- GP English name: *Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services* +- GP name: *WiFiSense* +- GP path: *Network/WLAN Service/WLAN Settings* +- GP ADMX file name: *wlansvc.admx* + + The following list shows the supported values: @@ -149,6 +157,14 @@ Allow or disallow internet sharing. Most restricted value is 0. + +ADMX Info: +- GP English name: *Prohibit use of Internet Connection Sharing on your DNS domain network* +- GP name: *NC_ShowSharedAccessUI* +- GP path: *Network/Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + The following list shows the supported values: @@ -370,6 +386,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md new file mode 100644 index 0000000000..c5ac238f1d --- /dev/null +++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md 
@@ -0,0 +1,86 @@ +--- +title: Policy CSP - WindowsConnectionManager +description: Policy CSP - WindowsConnectionManager +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 03/12/2018 +--- + +# Policy CSP - WindowsConnectionManager + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
    + + +## WindowsConnectionManager policies + +
    +
    + WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork +
    +
    + + +
    + + +**WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. + +If this policy setting is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances: + +Automatic connection attempts +- When the computer is already connected to a domain based network, all automatic connection attempts to non-domain networks are blocked. +- When the computer is already connected to a non-domain based network, automatic connection attempts to domain based networks are blocked. + +Manual connection attempts +- When the computer is already connected to either a non-domain based network or a domain based network over media other than Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed. +- When the computer is already connected to either a non-domain based network or a domain based network over Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked. + +If this policy setting is not configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. 
To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit connection to non-domain networks when connected to domain authenticated network* +- GP name: *WCM_BlockNonDomain* +- GP path: *Network/Windows Connection Manager* +- GP ADMX file name: *WCM.admx* + + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. + + + diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 65c25b116e..c94d1e9dd5 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - WindowsDefenderSecurityCenter @@ -124,6 +124,15 @@ Added in Windows 10, version 1709. The company name that is displayed to the use Value type is string. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Specify contact company name* +- GP name: *EnterpriseCustomization_CompanyName* +- GP element: *Presentation_EnterpriseCustomization_CompanyName* +- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + +
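Review bot: In the new file policy-csp-windowsconnectionmanager.md the policy name is spelled "ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork" in both the policy list and the bold heading, while the GP English name added further down reads "Prohibit connection to non-domain networks when connected to domain authenticated network". If "Prohit" is the node name as shipped, add a short note saying the spelling is intentional so that administrators do not correct it when they build the policy path; if it is a typo, fix both occurrences.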
    @@ -167,6 +176,14 @@ Value type is string. Supported operations are Add, Get, Replace and Delete. Added in Windows 10, next major release. Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. + +ADMX Info: +- GP English name: *Hide the Account protection area* +- GP name: *AccountProtection_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/Account protection* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + Valid values: @@ -219,6 +236,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide the App and browser protection area* +- GP name: *AppBrowserProtection_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/App and browser protection* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -269,6 +294,14 @@ The following list shows the supported values: Added in Windows 10, next major release. Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. + +ADMX Info: +- GP English name: *Hide the Device security area* +- GP name: *DeviceSecurity_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/Device security* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + Valid values: 
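Review bot: The description in the @@ -269,6 +294,14 @@ hunk (Device security area), like the one in @@ -167,6 +176,14 @@ (Account protection area), still reads "Added in Windows 10, next major release", while this same patch changes the Ransomware data recovery, Secure boot and TPM troubleshooting entries to "version 1803" and adds footnote 4 for that version. Update these two descriptions to the same wording so the version information is consistent across the page, and fix the lowercase "Windows defender Security Center" in the same sentences while touching them.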
@@ -324,6 +357,14 @@ Added in Windows 10, version 1709. Use this policy if you want Windows Defender Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide non-critical notifications* +- GP name: *Notifications_DisableEnhancedNotifications* +- GP path: *Windows Components/Windows Defender Security Center/Notifications* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -376,6 +417,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide the Family options area* +- GP name: *FamilyOptions_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/Family options* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -428,6 +477,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide the Device performance and health area* +- GP name: *DevicePerformanceHealth_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/Device performance and health* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: 
@@ -480,6 +537,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide the Firewall and network protection area* +- GP name: *FirewallNetworkProtection_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/Firewall and network protection* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -532,6 +597,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide all notifications* +- GP name: *Notifications_DisableNotifications* +- GP path: *Windows Components/Windows Defender Security Center/Notifications* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -584,6 +657,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide the Virus and threat protection area* +- GP name: *VirusThreatProtection_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/Virus and threat protection* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: 
@@ -636,6 +717,14 @@ Added in Windows 10, version 1709. Prevent users from making changes to the expl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Prevent users from modifying settings* +- GP name: *AppBrowserProtection_DisallowExploitProtectionOverride* +- GP path: *Windows Components/Windows Defender Security Center/App and browser protection* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -688,6 +777,15 @@ Added in Windows 10, version 1709. The email address that is displayed to users. Value type is string. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Specify contact email address or Email ID* +- GP name: *EnterpriseCustomization_Email* +- GP element: *Presentation_EnterpriseCustomization_Email* +- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + +
    @@ -733,6 +831,14 @@ Added in Windows 10, version 1709. Enable this policy to display your company na Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +ADMX Info: +- GP English name: *Configure customized notifications* +- GP name: *EnterpriseCustomization_EnableCustomizedToasts* +- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -785,6 +891,14 @@ Added in Windows 10, version 1709. Enable this policy to have your company name Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +ADMX Info: +- GP English name: *Configure customized contact information* +- GP name: *EnterpriseCustomization_EnableInAppCustomization* +- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -832,9 +946,17 @@ The following list shows the supported values: -Added in Windows 10, next major update. Use this policy setting to hide the Ransomware data recovery area in Windows Defender Security Center. +Added in Windows 10, version 1803. Use this policy setting to hide the Ransomware data recovery area in Windows Defender Security Center. + +ADMX Info: +- GP English name: *Hide the Ransomware data recovery area* +- GP name: *VirusThreatProtection_HideRansomwareRecovery* +- GP path: *Windows Components/Windows Defender Security Center/Virus and threat protection* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + Valid values: 
@@ -882,9 +1004,17 @@ Valid values: -Added in Windows 10, next major update. Use this policy to hide the Secure boot area in the Windows Defender Security Center. +Added in Windows 10, version 1803. Use this policy to hide the Secure boot area in the Windows Defender Security Center. + +ADMX Info: +- GP English name: *Hide the Secure boot area* +- GP name: *DeviceSecurity_HideSecureBoot* +- GP path: *Windows Components/Windows Defender Security Center/Device security* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + Valid values: @@ -932,9 +1062,17 @@ Valid values: -Added in Windows 10, next major update. Use this policy to hide the Security processor (TPM) troubleshooting area in the Windows Defender Security Center. +Added in Windows 10, version 1803. Use this policy to hide the Security processor (TPM) troubleshooting area in the Windows Defender Security Center. + +ADMX Info: +- GP English name: *Hide the Security processor (TPM) troubleshooter page* +- GP name: *DeviceSecurity_HideTPMTroubleshooting* +- GP path: *Windows Components/Windows Defender Security Center/Device security* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + Valid values: @@ -987,6 +1125,15 @@ Added in Windows 10, version 1709. The phone number or Skype ID that is displaye Value type is string. Supported operations are Add, Get, Replace, and Delete. + +ADMX Info: +- GP English name: *Specify contact phone number or Skype ID* +- GP name: *EnterpriseCustomization_Phone* +- GP element: *Presentation_EnterpriseCustomization_Phone* +- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + +
    @@ -1032,6 +1179,15 @@ Added in Windows 10, version 1709. The help portal URL this is displayed to user Value type is Value type is string. Supported operations are Add, Get, Replace, and Delete. + +ADMX Info: +- GP English name: *Specify contact website* +- GP name: *EnterpriseCustomization_URL* +- GP element: *Presentation_EnterpriseCustomization_URL* +- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + +
    @@ -1040,6 +1196,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md index 0b0a6104d4..27f04f2813 100644 --- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md +++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - WindowsInkWorkspace @@ -69,6 +69,14 @@ ms.date: 01/30/2018 Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace. + +ADMX Info: +- GP English name: *Allow suggested apps in Windows Ink Workspace* +- GP name: *AllowSuggestedAppsInWindowsInkWorkspace* +- GP path: *Windows Components/Windows Ink Workspace* +- GP ADMX file name: *WindowsInkWorkspace.admx* + + The following list shows the supported values: @@ -119,6 +127,15 @@ The following list shows the supported values: Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace. + +ADMX Info: +- GP English name: *Allow Windows Ink Workspace* +- GP name: *AllowWindowsInkWorkspace* +- GP element: *AllowWindowsInkWorkspaceDropdown* +- GP path: *Windows Components/Windows Ink Workspace* +- GP ADMX file name: *WindowsInkWorkspace.admx* + + Value type is int. The following list shows the supported values: @@ -135,6 +152,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 513b783cee..16e39d3e9c 100644 
--- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - WindowsLogon @@ -25,9 +25,15 @@ ms.date: 01/30/2018
    WindowsLogon/DontDisplayNetworkSelectionUI
    +
    + WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers +
    WindowsLogon/HideFastUserSwitching
    +
    + WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart +
    @@ -83,14 +89,14 @@ If you disable or do not configure this policy setting, users can choose which a > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn off app notifications on the lock screen* - GP name: *DisableLockScreenAppNotifications* - GP path: *System/Logon* - GP ADMX file name: *logon.admx* - +
    @@ -145,14 +151,53 @@ If you disable or don't configure this policy setting, any user can disconnect t > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Do not display network selection UI* - GP name: *DontDisplayNetworkSelectionUI* - GP path: *System/Logon* - GP ADMX file name: *logon.admx* - + + + +
    + + +**WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows local users to be enumerated on domain-joined computers. + +If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. + +If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enumerate local users on domain-joined computers* +- GP name: *EnumerateLocalUsers* +- GP path: *System/Logon* +- GP ADMX file name: *logon.admx* + +
    @@ -196,6 +241,14 @@ ADMX Info: Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. + +ADMX Info: +- GP English name: *Hide entry points for Fast User Switching* +- GP name: *HideFastUserSwitching* +- GP path: *System/Logon* +- GP ADMX file name: *Logon.admx* + + The following list shows the supported values: @@ -211,6 +264,45 @@ To validate on Desktop, do the following: + +
    + + +**WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. + +If you enable or do not configure this policy setting, the device securely saves the user's credentials (including the user name, domain and encrypted password) to configure automatic sign-in after a Windows Update restart. After the Windows Update restart, the user is automatically signed-in and the session is automatically locked with all the lock screen apps configured for that user. + +If you disable this policy setting, the device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not restarted after the system restarts. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Sign-in last interactive user automatically after a system-initiated restart* +- GP name: *AutomaticRestartSignOn* +- GP path: *Windows Components/Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + +
    Footnote: @@ -218,6 +310,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md new file mode 100644 index 0000000000..ee96a4746f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-windowspowershell.md @@ -0,0 +1,83 @@ +--- +title: Policy CSP - WindowsPowerShell +description: Policy CSP - WindowsPowerShell +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 03/12/2018 +--- + +# Policy CSP - WindowsPowerShell + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
    + + +## WindowsPowerShell policies + +
    +
    + WindowsPowerShell/TurnOnPowerShellScriptBlockLogging +
    +
    + + +
    + + +**WindowsPowerShell/TurnOnPowerShellScriptBlockLogging** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, +Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation. + +If you disable this policy setting, logging of PowerShell script input is disabled. + +If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invocation of a command, script block, function, or script +starts or stops. Enabling Invocation Logging generates a high volume of event logs. + +Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on PowerShell Script Block Logging* +- GP name: *EnableScriptBlockLogging* +- GP path: *Windows Components/Windows PowerShell* +- GP ADMX file name: *PowerShellExecutionPolicy.admx* + + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. + + + diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index 5830a05aa4..cafb7be12e 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/12/2018 --- # Policy CSP - WirelessDisplay @@ -291,6 +291,14 @@ If you set it to 0 (zero), your PC is not discoverable and you cannot project to Value type is integer. + +ADMX Info: +- GP English name: *Don't allow this PC to be projected to* +- GP name: *AllowProjectionToPC* +- GP path: *Windows Components/Connect* +- GP ADMX file name: *WirelessDisplay.admx* + + The following list shows the supported values: @@ -422,6 +430,14 @@ If you turn this on, the pairing ceremony for new devices will always require a Value type is integer. + +ADMX Info: +- GP English name: *Require pin for pairing* +- GP name: *RequirePinForPairing* +- GP path: *Windows Components/Connect* +- GP ADMX file name: *WirelessDisplay.admx* + + The following list shows the supported values: @@ -437,6 +453,7 @@ Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 72cac2741a..0b6035ae0a 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 12/05/2017 +ms.date: 03/12/2018 --- # Policy DDF file 
@@ -24,7 +24,7 @@ You can download the DDF files from the links below: - [Download the Policy DDF file for Windows 10, version 1607 release 8C](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) - [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download) -The XML below is the DDF for Windows 10, version 1709. +The XML below is the DDF for Windows 10, version 1803. ``` syntax @@ -50,7 +50,7 @@ The XML below is the DDF for Windows 10, version 1709. - com.microsoft/6.0/MDM/Policy + com.microsoft/7.0/MDM/Policy @@ -58,8 +58,8 @@ The XML below is the DDF for Windows 10, version 1709. - + @@ -79,8 +79,8 @@ The XML below is the DDF for Windows 10, version 1709. - + @@ -95,6 +95,30 @@ The XML below is the DDF for Windows 10, version 1709. + + MSIAlwaysInstallWithElevatedPrivileges + + + + + + + + + + + + + + + + + + + text/plain + + + RequirePrivateStoreOnly @@ -125,8 +149,8 @@ The XML below is the DDF for Windows 10, version 1709. - + @@ -219,8 +243,8 @@ The XML below is the DDF for Windows 10, version 1709. - + @@ -265,8 +289,8 @@ The XML below is the DDF for Windows 10, version 1709. - + @@ -359,8 +383,8 @@ The XML below is the DDF for Windows 10, version 1709. - + @@ -447,6 +471,30 @@ The XML below is the DDF for Windows 10, version 1709. + + AllowConfigurationUpdateForBooksLibrary + + + + + + + + This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. + + + + + + + + + + + text/plain + + + AllowCookies @@ -875,6 +923,30 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo + + EnableExtendedBooksTelemetry + + + + + + + + This setting allows organizations to send extended telemetry on book usage from the Books Library. + + + + + + + + + + + text/plain + + + EnterpriseModeSiteList 
@@ -1131,6 +1203,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + PreventTabPreloading + + + + + + + + Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. + + + + + + + + + + + text/plain + + + PreventUsingLocalHostIPAddressForWebRTC @@ -1288,14 +1384,38 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + UseSharedFolderForBooks + + + + + + + + This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. + + + + + + + + + + + text/plain + + + CredentialsUI - + @@ -1340,8 +1460,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -1381,13 +1501,59 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + Display + + + + + + + + + + + + + + + + + + + + + EnablePerProcessDpi + + + + + + + + Enable or disable Per-Process System DPI for all applications. + + + + + + + + + + + text/plain + + + + Education - + @@ -1480,8 +1646,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -1646,8 +1812,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -1710,30 +1876,6 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - - AllowWindowsConsumerFeatures - - - - - - - - - - - - - - - - - - - text/plain - - - AllowWindowsSpotlight @@ -1782,6 +1924,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + AllowWindowsSpotlightOnSettings + + + + + + + + + + + + + + + + + + + text/plain + + + AllowWindowsSpotlightWindowsWelcomeExperience @@ -1836,8 +2002,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -3508,6 +3674,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + InternetZoneAllowVBScriptToRunInInternetExplorer + + + + + + + + + + + + + + + + + + + text/plain + + + InternetZoneDoNotRunAntimalwareAgainstActiveXControls @@ -4828,6 +5018,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + LockedDownIntranetJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + LockedDownIntranetZoneAllowAccessToDataSources @@ -6652,6 +6866,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls 
@@ -7541,13 +7779,203 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + KioskBrowser + + + + + + + + + + + + + + + + + + + + + BlockedUrlExceptions + + + + + + + + List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. + + + + + + + + + + + text/plain + + + + + BlockedUrls + + + + + + + + List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. + + + + + + + + + + + text/plain + + + + + DefaultURL + + + + + + + + Configures the default URL kiosk browsers to navigate on launch and restart. + + + + + + + + + + + text/plain + + + + + EnableEndSessionButton + + + + + + + + Enable/disable kiosk browser's end session button. + + + + + + + + + + + text/plain + + + + + EnableHomeButton + + + + + + + + Enable/disable kiosk browser's home button. + + + + + + + + + + + text/plain + + + + + EnableNavigationButtons + + + + + + + + Enable/disable kiosk browser's navigation buttons (forward/back). + + + + + + + + + + + text/plain + + + + + RestartOnIdleTime + + + + + + + + Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. + + + + + + + + + + + text/plain + + + + Notifications - + @@ -7586,14 +8014,38 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DisallowTileNotification + + + + + + + + + + + + + + + + + + + text/plain + + + Printers - + @@ -7638,8 +8090,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -7684,8 +8136,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -7700,6 +8152,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DisableContextMenus + + + + + + + + Enabling this policy prevents context menus from being invoked in the Start Menu. + + + + + + + + + + + text/plain + + + HidePeopleBar @@ -7754,8 +8230,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -7795,6 +8271,52 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + WindowsPowerShell + + + + + + + + + + + + + + + + + + + + + TurnOnPowerShellScriptBlockLogging + + + + + + + + + + + + + + + + + + + text/plain + + + + Result @@ -7835,13 +8357,13 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - RequirePrivateStoreOnly + MSIAlwaysInstallWithElevatedPrivileges - 0 + @@ -7854,6 +8376,38 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + + phone + MSI.admx + MSI~AT~WindowsComponents~MSI + AlwaysInstallElevated + HighestValueMostSecure + + + + RequirePrivateStoreOnly + + + + + 0 + + + + + + + + + + + + text/plain + + + WindowsStore.admx + WindowsStore~AT~WindowsComponents~WindowsStore + RequirePrivateStoreOnly HighestValueMostSecure @@ -7883,8 +8437,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -7910,8 +8464,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -7937,8 +8491,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -7984,8 +8538,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -8028,8 +8582,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -8055,8 +8609,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -8082,8 +8636,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -8129,8 +8683,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. 1 + This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. @@ -8145,6 +8699,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowAddressBarDropdown LowestValueMostSecure @@ -8154,8 +8711,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. 0 + This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. @@ -8169,6 +8726,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowAutofill LowestValueMostSecure @@ -8178,8 +8738,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -8198,13 +8758,13 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowCookies + AllowConfigurationUpdateForBooksLibrary - This setting lets you configure how your company deals with cookies. - 2 + 1 + This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. 
@@ -8217,6 +8777,35 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + + LowestValueMostSecure + + + + AllowCookies + + + + + 2 + This setting lets you configure how your company deals with cookies. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + CookiesListBox + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + Cookies LowestValueMostSecure @@ -8226,8 +8815,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. 1 + This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. @@ -8242,6 +8831,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowDeveloperTools LowestValueMostSecure @@ -8251,8 +8843,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. 0 + This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. @@ -8266,6 +8858,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowDoNotTrack LowestValueMostSecure @@ -8275,8 +8870,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - This setting lets you decide whether employees can load extensions in Microsoft Edge. 1 + This setting lets you decide whether employees can load extensions in Microsoft Edge. @@ -8291,6 +8886,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowExtensions LowestValueMostSecure 
@@ -8300,8 +8898,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. 1 + This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. @@ -8316,6 +8914,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowFlash HighestValueMostSecure @@ -8325,8 +8926,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Configure the Adobe Flash Click-to-Run setting. 1 + Configure the Adobe Flash Click-to-Run setting. @@ -8341,6 +8942,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowFlashClickToRun HighestValueMostSecure @@ -8350,8 +8954,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - This setting lets you decide whether employees can browse using InPrivate website browsing. 1 + This setting lets you decide whether employees can browse using InPrivate website browsing. @@ -8365,6 +8969,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowInPrivate LowestValueMostSecure 
@@ -8374,12 +8981,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + 1 This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. - 1 @@ -8393,6 +9000,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowCVList LowestValueMostSecure @@ -8402,8 +9012,8 @@ If you disable this setting, the Microsoft Compatibility List will not be used d - This setting lets you decide whether employees can save their passwords locally, using Password Manager. 1 + This setting lets you decide whether employees can save their passwords locally, using Password Manager. @@ -8417,6 +9027,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowPasswordManager LowestValueMostSecure 
@@ -8426,8 +9039,8 @@ If you disable this setting, the Microsoft Compatibility List will not be used d - This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. 0 + This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. @@ -8442,6 +9055,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowPopups LowestValueMostSecure @@ -8451,13 +9067,13 @@ If you disable this setting, the Microsoft Compatibility List will not be used d + 1 Allow search engine customization for MDM enrolled devices. Users can change their default search engine. If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). - 1 @@ -8471,6 +9087,9 @@ This policy will only apply on domain joined machines or when the device is MDM text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowSearchEngineCustomization LowestValueMostSecure @@ -8480,8 +9099,8 @@ This policy will only apply on domain joined machines or when the device is MDM - This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. 1 + This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. 
@@ -8495,6 +9114,9 @@ This policy will only apply on domain joined machines or when the device is MDM text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowSearchSuggestionsinAddressBar LowestValueMostSecure @@ -8504,8 +9126,8 @@ This policy will only apply on domain joined machines or when the device is MDM - This setting lets you decide whether to turn on Windows Defender SmartScreen. 1 + This setting lets you decide whether to turn on Windows Defender SmartScreen. @@ -8519,6 +9141,9 @@ This policy will only apply on domain joined machines or when the device is MDM text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowSmartScreen LowestValueMostSecure @@ -8528,8 +9153,8 @@ This policy will only apply on domain joined machines or when the device is MDM - Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. 0 + Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. @@ -8543,6 +9168,9 @@ This policy will only apply on domain joined machines or when the device is MDM text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AlwaysEnableBooksLibrary LowestValueMostSecure @@ -8552,8 +9180,8 @@ This policy will only apply on domain joined machines or when the device is MDM - Specifies whether to always clear browsing history on exiting Microsoft Edge. 0 + Specifies whether to always clear browsing history on exiting Microsoft Edge. @@ -8568,6 +9196,9 @@ This policy will only apply on domain joined machines or when the device is MDM phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowClearingBrowsingDataOnExit LowestValueMostSecure 
@@ -8577,6 +9208,7 @@ This policy will only apply on domain joined machines or when the device is MDM + Allows you to add up to 5 additional search engines for MDM-enrolled devices. If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. @@ -8584,7 +9216,6 @@ If this setting is turned on, you can add up to 5 additional search engines for If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - @@ -8597,6 +9228,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + MicrosoftEdge.admx + ConfigureAdditionalSearchEngines_Prompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureAdditionalSearchEngines LastWrite 
@@ -8606,13 +9241,13 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + 0 Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect. Note: This policy has no effect when Browser/HomePages is not configured. Important This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). - 0 @@ -8627,6 +9262,36 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + DisableLockdownOfStartPages + LowestValueMostSecure + + + + EnableExtendedBooksTelemetry + + + + + 0 + This setting allows organizations to send extended telemetry on book usage from the Books Library. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + EnableExtendedBooksTelemetry LowestValueMostSecure @@ -8636,8 +9301,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo - This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. + This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. @@ -8651,6 +9316,10 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo text/plain phone + MicrosoftEdge.admx + EnterSiteListPrompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + EnterpriseModeSiteList LastWrite 
@@ -8660,8 +9329,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo - + @@ -8684,8 +9353,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo - Configure first run URL. + Configure first run URL. @@ -8708,13 +9377,13 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo + Configure the Start page URLs for your employees. Example: If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. Encapsulate each string with greater than and less than characters like any other XML tag. Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. - @@ -8728,6 +9397,10 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, you ca text/plain phone + MicrosoftEdge.admx + HomePagesPrompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + HomePages LastWrite @@ -8737,6 +9410,7 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, you ca + 0 This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. 
@@ -8745,7 +9419,6 @@ Important Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. - 0 @@ -8759,6 +9432,9 @@ If you disable or don't configure this setting (default), employees can add, imp text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + LockdownFavorites LowestValueMostSecure @@ -8768,8 +9444,8 @@ If you disable or don't configure this setting (default), employees can add, imp - Prevent access to the about:flags page in Microsoft Edge. 0 + Prevent access to the about:flags page in Microsoft Edge. @@ -8783,6 +9459,9 @@ If you disable or don't configure this setting (default), employees can add, imp text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + PreventAccessToAboutFlagsInMicrosoftEdge HighestValueMostSecure @@ -8792,10 +9471,10 @@ If you disable or don't configure this setting (default), employees can add, imp + 0 Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - 0 @@ -8810,6 +9489,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + PreventFirstRunPage HighestValueMostSecure 
@@ -8819,10 +9501,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + 0 This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - 0 @@ -8836,6 +9518,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + PreventLiveTileDataCollection HighestValueMostSecure @@ -8845,8 +9530,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Don't allow Windows Defender SmartScreen warning overrides 0 + Don't allow Windows Defender SmartScreen warning overrides @@ -8860,6 +9545,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + PreventSmartScreenPromptOverride HighestValueMostSecure @@ -8869,8 +9557,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Don't allow Windows Defender SmartScreen warning overrides for unverified files. 0 + Don't allow Windows Defender SmartScreen warning overrides for unverified files. 
@@ -8884,6 +9572,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + PreventSmartScreenPromptOverrideForFiles + HighestValueMostSecure + + + + PreventTabPreloading + + + + + 0 + Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + PreventTabPreloading HighestValueMostSecure @@ -8893,8 +9612,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Prevent using localhost IP address for WebRTC 0 + Prevent using localhost IP address for WebRTC @@ -8908,6 +9627,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + HideLocalHostIPAddress HighestValueMostSecure @@ -8917,6 +9639,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. @@ -8925,7 +9648,6 @@ Important Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. - 
@@ -8938,6 +9660,10 @@ If you disable or don't configure this setting, employees will see the favorites text/plain + MicrosoftEdge.admx + ConfiguredFavoritesPrompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfiguredFavorites LastWrite @@ -8947,8 +9673,8 @@ If you disable or don't configure this setting, employees will see the favorites - Sends all intranet traffic over to Internet Explorer. 0 + Sends all intranet traffic over to Internet Explorer. @@ -8963,6 +9689,9 @@ If you disable or don't configure this setting, employees will see the favorites phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + SendIntranetTraffictoInternetExplorer HighestValueMostSecure @@ -8972,6 +9701,7 @@ If you disable or don't configure this setting, employees will see the favorites + Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. 
@@ -8979,7 +9709,6 @@ If this setting is turned on, you are setting the default search engine that you If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - @@ -8992,6 +9721,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + MicrosoftEdge.admx + SetDefaultSearchEngine_Prompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + SetDefaultSearchEngine LastWrite @@ -9001,8 +9734,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Show message when opening sites in Internet Explorer 0 + Show message when opening sites in Internet Explorer @@ -9017,6 +9750,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ShowMessageWhenOpeningSitesInInternetExplorer HighestValueMostSecure @@ -9026,8 +9762,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. 0 + Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. 
@@ -9042,6 +9778,36 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + SyncFavoritesBetweenIEAndMicrosoftEdge + LowestValueMostSecure + + + + UseSharedFolderForBooks + + + + + 0 + This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + UseSharedFolderForBooks LowestValueMostSecure @@ -9071,8 +9837,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -9118,8 +9884,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -9140,6 +9906,55 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + Display + + + + + + + + + + + + + + + + + + + EnablePerProcessDpi + + + + + + Enable or disable Per-Process System DPI for all applications. + + + + + + + + + + + text/plain + + + phone + Display.admx + DisplayGlobalPerProcessSystemDpiSettings + Display~AT~System~DisplayCat + DisplayPerProcessSystemDpiSettings + LowestValueMostSecure + + + Education @@ -9165,8 +9980,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - This policy sets user's default printer + This policy sets user's default printer @@ -9188,8 +10003,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Boolean that specifies whether or not to prevent user to install new printers 0 + Boolean that specifies whether or not to prevent user to install new printers @@ -9203,6 +10018,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + Printing.admx + Printing~AT~ControlPanel~CplPrinters + NoAddPrinter HighestValueMostSecure 
@@ -9212,8 +10030,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - This policy provisions per-user network printers + This policy provisions per-user network printers @@ -9255,8 +10073,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - This policy provisions per-user discovery end point to discover cloud printers + This policy provisions per-user discovery end point to discover cloud printers @@ -9278,8 +10096,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Authentication endpoint for acquiring OAuth tokens + Authentication endpoint for acquiring OAuth tokens @@ -9301,8 +10119,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority + A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority @@ -9324,8 +10142,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Resource URI for which access is being requested by the Enterprise Cloud Print client during OAuth authentication + Resource URI for which access is being requested by the Enterprise Cloud Print client during OAuth authentication @@ -9347,8 +10165,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Defines the maximum number of printers that should be queried from discovery end point 20 + Defines the maximum number of printers that should be queried from discovery end point @@ -9361,6 +10179,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite 
@@ -9370,8 +10189,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication + Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication @@ -9413,8 +10232,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -9428,6 +10247,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + CloudContent.admx + CloudContent~AT~WindowsComponents~CloudContent + DisableTailoredExperiencesWithDiagnosticData LowestValueMostSecure @@ -9437,33 +10259,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowWindowsConsumerFeatures - - - - - 0 @@ -9478,6 +10275,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + CloudContent.admx + CloudContent~AT~WindowsComponents~CloudContent + DisableThirdPartySuggestions LowestValueMostSecure @@ -9487,8 +10287,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -9503,6 +10303,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + CloudContent.admx + CloudContent~AT~WindowsComponents~CloudContent + DisableWindowsSpotlightFeatures LowestValueMostSecure @@ -9512,8 +10315,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + 
@@ -9527,6 +10330,36 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + CloudContent.admx + CloudContent~AT~WindowsComponents~CloudContent + DisableWindowsSpotlightOnActionCenter + LowestValueMostSecure + + + + AllowWindowsSpotlightOnSettings + + + + + 1 + + + + + + + + + + + + text/plain + + + CloudContent.admx + CloudContent~AT~WindowsComponents~CloudContent + DisableWindowsSpotlightOnSettings LowestValueMostSecure @@ -9536,8 +10369,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -9551,6 +10384,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + CloudContent.admx + CloudContent~AT~WindowsComponents~CloudContent + DisableWindowsSpotlightWindowsWelcomeExperience LowestValueMostSecure @@ -9560,8 +10396,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -9574,7 +10410,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + CloudContent.admx + CloudContent~AT~WindowsComponents~CloudContent + ConfigureWindowsSpotlight LowestValueMostSecure @@ -9604,8 +10444,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -9631,8 +10471,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -9658,8 +10498,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -9685,8 +10525,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -9712,8 +10552,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -9739,8 +10579,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -9766,8 +10606,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -9793,8 +10633,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -9820,8 +10660,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -9847,8 +10687,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -9874,8 +10714,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -9901,8 +10741,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -9928,8 +10768,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -9955,8 +10795,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -9982,8 +10822,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10009,8 +10849,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10036,8 +10876,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10063,8 +10903,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10090,8 +10930,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10117,8 +10957,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10144,8 +10984,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10171,8 +11011,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10198,8 +11038,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10225,8 +11065,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10252,8 +11092,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -10279,8 +11119,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10306,8 +11146,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10333,8 +11173,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10349,8 +11189,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryBinaryBehaviorSecurityRestriction - IESF_PolicyExplorerProcesses_2 + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryConsistentMimeHandling + IESF_PolicyExplorerProcesses_5 LastWrite @@ -10360,8 +11200,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10387,8 +11227,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10414,8 +11254,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10441,8 +11281,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10468,8 +11308,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10495,8 +11335,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10522,8 +11362,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10549,8 +11389,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10576,8 +11416,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10603,8 +11443,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10630,8 +11470,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -10657,8 +11497,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10684,8 +11524,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10711,8 +11551,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10738,8 +11578,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10765,8 +11605,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10792,8 +11632,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10819,8 +11659,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10846,8 +11686,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10873,8 +11713,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10900,8 +11740,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10927,8 +11767,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10954,8 +11794,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -10981,8 +11821,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11008,8 +11848,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11035,8 +11875,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11062,8 +11902,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11089,8 +11929,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11116,8 +11956,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -11143,8 +11983,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11170,8 +12010,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11197,8 +12037,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11224,8 +12064,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11251,8 +12091,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11278,8 +12118,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11305,8 +12145,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11332,8 +12172,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11359,8 +12199,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11386,8 +12226,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11413,8 +12253,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11440,8 +12280,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11461,14 +12301,41 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LastWrite + + InternetZoneAllowVBScriptToRunInInternetExplorer + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyAllowVBScript_1 + LastWrite + + InternetZoneDoNotRunAntimalwareAgainstActiveXControls - + @@ -11494,8 +12361,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11521,8 +12388,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -11548,8 +12415,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11575,8 +12442,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11602,8 +12469,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11629,8 +12496,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11656,8 +12523,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11683,8 +12550,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11710,8 +12577,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11737,8 +12604,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11764,8 +12631,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11791,8 +12658,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11818,8 +12685,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11845,8 +12712,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11872,8 +12739,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11899,8 +12766,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11926,8 +12793,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11953,8 +12820,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -11980,8 +12847,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12007,8 +12874,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -12034,8 +12901,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12061,8 +12928,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12088,8 +12955,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12115,8 +12982,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12142,8 +13009,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12169,8 +13036,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12196,8 +13063,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12223,8 +13090,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12250,8 +13117,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12277,8 +13144,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12304,8 +13171,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12331,8 +13198,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12358,8 +13225,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12385,8 +13252,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12412,8 +13279,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12439,8 +13306,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12466,8 +13333,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12493,8 +13360,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -12520,8 +13387,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12547,8 +13414,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12574,8 +13441,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12601,8 +13468,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12628,8 +13495,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12655,8 +13522,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12682,8 +13549,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12709,8 +13576,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12736,8 +13603,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12763,8 +13630,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12790,8 +13657,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12817,8 +13684,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12844,8 +13711,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12871,8 +13738,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12898,8 +13765,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -12925,8 +13792,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -12946,14 +13813,41 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LastWrite + + LockedDownIntranetJavaPermissions + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_PolicyJavaPermissions_4 + LastWrite + + LockedDownIntranetZoneAllowAccessToDataSources - + @@ -12979,8 +13873,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13006,8 +13900,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13033,8 +13927,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13060,8 +13954,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13087,8 +13981,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13114,8 +14008,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13141,8 +14035,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13168,8 +14062,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13195,8 +14089,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13222,8 +14116,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13249,8 +14143,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13276,8 +14170,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13303,8 +14197,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13330,8 +14224,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -13357,8 +14251,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13384,8 +14278,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13411,8 +14305,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13438,8 +14332,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13465,8 +14359,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13492,8 +14386,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13519,8 +14413,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13546,8 +14440,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13573,8 +14467,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13600,8 +14494,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13627,8 +14521,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13654,8 +14548,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13681,8 +14575,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13708,8 +14602,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13735,8 +14629,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13762,8 +14656,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13789,8 +14683,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13816,8 +14710,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -13843,8 +14737,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13870,8 +14764,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13897,8 +14791,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13924,8 +14818,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13951,8 +14845,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -13978,8 +14872,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14005,8 +14899,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14032,8 +14926,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14059,8 +14953,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14086,8 +14980,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14113,8 +15007,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14140,8 +15034,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14167,8 +15061,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14194,8 +15088,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14221,8 +15115,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14248,8 +15142,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14275,8 +15169,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14302,8 +15196,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -14329,8 +15223,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14356,8 +15250,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14373,7 +15267,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation - IESF_PolicyAllProcesses_9 + IESF_PolicyExplorerProcesses_9 LastWrite @@ -14383,8 +15277,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14410,8 +15304,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14427,7 +15321,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall - IESF_PolicyAllProcesses_11 + IESF_PolicyExplorerProcesses_11 LastWrite @@ -14437,8 +15331,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14464,8 +15358,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14491,8 +15385,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14518,8 +15412,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14545,8 +15439,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14572,8 +15466,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14599,8 +15493,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14626,8 +15520,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -14653,8 +15547,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14680,8 +15574,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14707,8 +15601,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14734,8 +15628,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14761,8 +15655,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14788,8 +15682,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14815,8 +15709,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14842,8 +15736,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14869,8 +15763,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14896,8 +15790,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14923,8 +15817,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14950,8 +15844,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14977,8 +15871,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -14998,14 +15892,41 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LastWrite + + RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyAllowVBScript_7 + LastWrite + + RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - + @@ -15031,8 +15952,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -15058,8 +15979,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15085,8 +16006,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15112,8 +16033,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15139,8 +16060,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15166,8 +16087,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15193,8 +16114,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15220,8 +16141,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15247,8 +16168,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15274,8 +16195,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15301,8 +16222,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15328,8 +16249,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15355,8 +16276,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15382,8 +16303,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15409,8 +16330,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15436,8 +16357,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15463,8 +16384,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15490,8 +16411,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15517,8 +16438,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -15544,8 +16465,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15561,7 +16482,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload - IESF_PolicyAllProcesses_12 + IESF_PolicyExplorerProcesses_12 LastWrite @@ -15571,8 +16492,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15588,7 +16509,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions - IESF_PolicyAllProcesses_8 + IESF_PolicyExplorerProcesses_8 LastWrite @@ -15598,8 +16519,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15625,8 +16546,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15652,8 +16573,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15679,8 +16600,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15706,8 +16627,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15733,8 +16654,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15760,8 +16681,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15787,8 +16708,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15814,8 +16735,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15841,8 +16762,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -15868,8 +16789,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15895,8 +16816,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15922,8 +16843,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15949,8 +16870,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -15976,8 +16897,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -15998,6 +16919,198 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + KioskBrowser + + + + + + + + + + + + + + + + + + + BlockedUrlExceptions + + + + + + List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. + + + + + + + + + + + text/plain + + phone + LastWrite + + + + BlockedUrls + + + + + + List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. + + + + + + + + + + + text/plain + + phone + LastWrite + + + + DefaultURL + + + + + + Configures the default URL kiosk browsers to navigate on launch and restart. + + + + + + + + + + + text/plain + + phone + LastWrite + + + + EnableEndSessionButton + + + + + 0 + Enable/disable kiosk browser's end session button. + + + + + + + + + + + text/plain + + + phone + LastWrite + + + + EnableHomeButton + + + + + 0 + Enable/disable kiosk browser's home button. + + + + + + + + + + + text/plain + + + phone + LastWrite + + + + EnableNavigationButtons + + + + + 0 + Enable/disable kiosk browser's navigation buttons (forward/back). + + + + + + + + + + + text/plain + + + phone + LastWrite + + + + RestartOnIdleTime + + + + + 0 + Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. + + + + + + + + + + + text/plain + + + phone + LastWrite + + + Notifications @@ -16023,8 +17136,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -16038,6 +17151,36 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + WPN.admx + WPN~AT~StartMenu~NotificationsCategory + NoNotificationMirroring + LowestValueMostSecure + + + + DisallowTileNotification + + + + + 0 + + + + + + + + + + + + text/plain + + + WPN.admx + WPN~AT~StartMenu~NotificationsCategory + NoTileNotification LowestValueMostSecure 
@@ -16067,8 +17210,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -16114,8 +17257,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -16128,6 +17271,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + + Taskbar.admx + Taskbar~AT~StartMenu~TPMCategory + ConfigureTaskbarCalendar LastWrite @@ -16152,13 +17299,13 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - HidePeopleBar + DisableContextMenus - Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. 0 + Enabling this policy prevents context menus from being invoked in the Start Menu. @@ -16173,6 +17320,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + StartMenu.admx + StartMenu~AT~StartMenu + DisableContextMenusInStart + LowestValueMostSecure + + + + HidePeopleBar + + + + + 0 + Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. + + + + + + + + + + + text/plain + + + phone + StartMenu.admx + StartMenu~AT~StartMenu + HidePeopleBar LowestValueMostSecure @@ -16182,8 +17360,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -16197,6 +17375,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + StartMenu.admx + StartMenu~AT~StartMenu + LockedStartLayout LastWrite @@ -16226,8 +17407,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 3 + 
@@ -16240,10 +17421,62 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + + DataCollection.admx + AllowTelemetry + DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds + AllowTelemetry LowestValueMostSecure + + WindowsPowerShell + + + + + + + + + + + + + + + + + + + TurnOnPowerShellScriptBlockLogging + + + + + + + + + + + + + + + + + text/plain + + phone + PowerShellExecutionPolicy.admx + PowerShellExecutionPolicy~AT~WindowsComponents~PowerShell + EnableScriptBlockLogging + LastWrite + + + @@ -16263,7 +17496,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - com.microsoft/6.0/MDM/Policy + com.microsoft/7.0/MDM/Policy @@ -16271,8 +17504,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + Policy CSP ConfigOperations @@ -16293,8 +17526,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + Win32 App ADMX Ingestion @@ -16315,8 +17548,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + Win32 App Name @@ -16337,8 +17570,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + Setting Type of Win32 App. Policy Or Preference @@ -16359,8 +17592,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + Unique ID of ADMX file @@ -16386,8 +17619,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -16407,8 +17640,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -16501,8 +17734,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -16619,8 +17852,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -16665,8 +17898,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -16705,14 +17938,38 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + EnableAppUriHandlers + + + + + + + + Enables web-to-app linking, which allows apps to be launched with a http(s) URI + + + + + + + + + + + text/plain + + + ApplicationManagement - + @@ -16919,6 +18176,78 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + MSIAllowUserControlOverInstall + + + + + + + + + + + + + + + + + + + text/plain + + + + + MSIAlwaysInstallWithElevatedPrivileges + + + + + + + + + + + + + + + + + + + text/plain + + + + + RequirePrivateStoreOnly + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictAppDataToSystemVolume @@ -16968,13 +18297,59 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + AppRuntime + + + + + + + + + + + + + + + + + + + + + AllowMicrosoftAccountsToBeOptional + + + + + + + + + + + + + + + + + + + text/plain + + + + AppVirtualization - + @@ -17667,8 +19042,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -17731,30 +19106,6 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - - AllowFidoDeviceSignon - - - - - - - - Specifies whether FIDO device can be used to sign on. - - - - - - - - - - - text/plain - - - AllowSecondaryAuthenticationDevice @@ -17785,8 +19136,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -17879,8 +19230,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -17925,8 +19276,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -18013,6 +19364,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + AllowPromptedProximalConnections + + + + + + + + + + + + + + + + + + + text/plain + + + LocalDeviceName 
@@ -18067,8 +19442,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -18155,6 +19530,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + AllowConfigurationUpdateForBooksLibrary + + + + + + + + This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. + + + + + + + + + + + text/plain + + + AllowCookies @@ -18583,6 +19982,30 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo + + EnableExtendedBooksTelemetry + + + + + + + + This setting allows organizations to send extended telemetry on book usage from the Books Library. + + + + + + + + + + + text/plain + + + EnterpriseModeSiteList @@ -18839,6 +20262,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + PreventTabPreloading + + + + + + + + Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. + + + + + + + + + + + text/plain + + + PreventUsingLocalHostIPAddressForWebRTC @@ -18996,14 +20443,38 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + UseSharedFolderForBooks + + + + + + + + This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. + + + + + + + + + + + text/plain + + + Camera - + @@ -19048,8 +20519,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -19121,7 +20592,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. @@ -19145,7 +20616,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. @@ -19190,8 +20661,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -19326,6 +20797,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + AllowPhonePCLinking + + + + + + + + + + + + + + + + + + + text/plain + + + AllowUSBConnection @@ -19544,12 +21039,56 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - CredentialProviders + ControlPolicyConflict + + + + + + + + + + + + + + + + MDMWinsOverGP + + + + + + + If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC + + + + + + + + + + + text/plain + + + + + + CredentialProviders + + + + 
@@ -19637,13 +21176,59 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + CredentialsDelegation + + + + + + + + + + + + + + + + + + + + + RemoteHostAllowsDelegationOfNonExportableCredentials + + + + + + + + + + + + + + + + + + + text/plain + + + + CredentialsUI - + @@ -19712,8 +21297,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -19782,8 +21367,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -19852,8 +21437,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -19922,8 +21507,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -20784,8 +22369,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -20849,7 +22434,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - DOCacheHost + DODelayBackgroundDownloadFromHttp @@ -20859,7 +22444,31 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + + + + + + + + + + text/plain + + + + + DODelayForegroundDownloadFromHttp + + + + + + + + + + @@ -20920,6 +22529,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DOGroupIdSource + + + + + + + + + + + + + + + + + + + text/plain + + + DOMaxCacheAge @@ -21184,6 +22817,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DOPercentageMaxBackgroundBandwidth + + + + + + + + + + + + + + + + + + + text/plain + + + DOPercentageMaxDownloadBandwidth 
@@ -21208,14 +22865,110 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DOPercentageMaxForegroundBandwidth + + + + + + + + + + + + + + + + + + + text/plain + + + + + DORestrictPeerSelectionBy + + + + + + + + + + + + + + + + + + + text/plain + + + + + DOSetHoursToLimitBackgroundDownloadBandwidth + + + + + + + + + + + + + + + + + + + text/plain + + + + + DOSetHoursToLimitForegroundDownloadBandwidth + + + + + + + + + + + + + + + + + + + text/plain + + + DeviceGuard - + @@ -21308,8 +23061,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -21378,8 +23131,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -21758,6 +23511,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + PreventEnablingLockScreenCamera + + + + + + + + + + + + + + + + + + + text/plain + + + PreventLockScreenSlideShow @@ -21812,8 +23589,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + 
@@ -21828,6 +23605,78 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + DisablePerProcessDpiForApps + + + + + + + + This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. + + + + + + + + + + + text/plain + + + + + EnablePerProcessDpi + + + + + + + + Enable or disable Per-Process System DPI for all applications. + + + + + + + + + + + text/plain + + + + + EnablePerProcessDpiForApps + + + + + + + + This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. + + + + + + + + + + + text/plain + + + TurnOffGdiDPIScalingForApps @@ -21882,8 +23731,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -22024,8 +23873,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -22142,8 +23991,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -22446,6 +24295,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + AllowWindowsConsumerFeatures + + + + + + + + + + + + + + + + + + + text/plain + + + AllowWindowsTips @@ -22500,8 +24373,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -22541,13 +24414,83 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + FileExplorer + + + + + + + + + + + + + + + + + + + + + TurnOffDataExecutionPreventionForExplorer + + + + + + + + + + + + + + + + + + + text/plain + + + + + TurnOffHeapTerminationOnCorruption + + + + + + + + + + + + + + + + + + + text/plain + + + + Games - + 
@@ -22592,8 +24535,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -22638,8 +24581,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -24358,6 +26301,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + InternetZoneAllowVBScriptToRunInInternetExplorer + + + + + + + + + + + + + + + + + + + text/plain + + + InternetZoneDoNotRunAntimalwareAgainstActiveXControls @@ -25678,6 +27645,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + LockedDownIntranetJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + LockedDownIntranetZoneAllowAccessToDataSources @@ -27502,6 +29493,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls @@ -28055,7 +30070,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - SecurityZonesUseOnlyMachineSettings + SecurityZonesUseOnlyMachineSettings @@ -28420,8 +30435,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + 
@@ -28557,13 +30572,249 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + KioskBrowser + + + + + + + + + + + + + + + + + + + + + BlockedUrlExceptions + + + + + + + + List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. + + + + + + + + + + + text/plain + + + + + BlockedUrls + + + + + + + + List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. + + + + + + + + + + + text/plain + + + + + DefaultURL + + + + + + + + Configures the default URL kiosk browsers to navigate on launch and restart. + + + + + + + + + + + text/plain + + + + + EnableEndSessionButton + + + + + + + + Enable/disable kiosk browser's end session button. + + + + + + + + + + + text/plain + + + + + EnableHomeButton + + + + + + + + Enable/disable kiosk browser's home button. + + + + + + + + + + + text/plain + + + + + EnableNavigationButtons + + + + + + + + Enable/disable kiosk browser's navigation buttons (forward/back). + + + + + + + + + + + text/plain + + + + + RestartOnIdleTime + + + + + + + + Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. + + + + + + + + + + + text/plain + + + + + + LanmanWorkstation + + + + + + + + + + + + + + + + + + + + + EnableInsecureGuestLogons + + + + + + + + + + + + + + + + + + + text/plain + + + + Licensing - + @@ -28632,8 +30883,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + 
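Review bot: BlockedUrls and BlockedUrlExceptions in the KioskBrowser block are described as lists "with wildcard support", but neither says how entries are separated or what the wildcard syntax is. The list-valued policies elsewhere in this patch do state their delimiter, for example "semicolon-separated list of applications". These two values decide what a kiosk can reach, so state the delimiter and give one example pattern. Also, "Configures the default URL kiosk browsers to navigate on launch and restart" is missing a "to" after "navigate", and "can not" should be "cannot".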
@@ -28958,6 +31209,118 @@ Default: This policy is not defined and CD-ROM access is not restricted to the l + + DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways + + + + + + + + Domain member: Digitally encrypt or sign secure channel data (always) + +This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. + +When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. + +This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: + +Domain member: Digitally encrypt secure channel data (when possible) +Domain member: Digitally sign secure channel data (when possible) + +Default: Enabled. + +Notes: + +If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. 
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. +Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not. + + + + + + + + + + + text/plain + + + + + DomainMember_DigitallyEncryptSecureChannelDataWhenPossible + + + + + + + + Domain member: Digitally encrypt secure channel data (when possible) + +This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. + +When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc. + +This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption. + +Default: Enabled. + +Important + +There is no known reason for disabling this setting. 
Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted. + +Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains. + + + + + + + + + + + text/plain + + + + + DomainMember_DisableMachineAccountPasswordChanges + + + + + + + + Domain member: Disable machine account password changes + +Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. + +Default: Disabled. + +Notes + +This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions. +This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names. + + + + + + + + + + + text/plain + + + InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked 
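Review bot: In DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways, the first item under "Notes:" is added twice, word for word ("If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. ..."). Drop the second copy so the section reads as two distinct notes. The three descriptions in this hunk also label the same kind of section "Notes:", "Notes" and "Note:"; pick one form.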
@@ -29164,6 +31527,358 @@ Default: No message. + + InteractiveLogon_SmartCardRemovalBehavior + + + + + + + + Interactive logon: Smart card removal behavior + +This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. + +The options are: + + No Action + Lock Workstation + Force Logoff + Disconnect if a Remote Desktop Services session + +If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. + +If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. + +If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. + +Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. + +Default: This policy is not defined, which means that the system treats it as No action. + +On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started. + + + + + + + + + + + text/plain + + + + + MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees + + + + + + + + Microsoft network client: Digitally sign communications (if server agrees) + +This security setting determines whether the SMB client attempts to negotiate SMB packet signing. + +The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. 
To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. + +If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. + +Default: Enabled. + +Notes + +All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. +SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. +For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. 
+ + + + + + + + + + + text/plain + + + + + MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers + + + + + + + + Microsoft network client: Send unencrypted password to connect to third-party SMB servers + +If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. + +Sending unencrypted passwords is a security risk. + +Default: Disabled. + + + + + + + + + + + text/plain + + + + + MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession + + + + + + + + Microsoft network server: Amount of idle time required before suspending a session + +This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. + +Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. + +For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy. + +Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations. + + + + + + + + + + + text/plain + + + + + MicrosoftNetworkServer_DigitallySignCommunicationsAlways + + + + + + + + Microsoft network server: Digitally sign communications (always) + +This security setting determines whether packet signing is required by the SMB server component. + +The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. 
This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. + +If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. + +Default: + +Disabled for member servers. +Enabled for domain controllers. + +Notes + +All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. +If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. +SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. 
+ +Important + +For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: +Microsoft network server: Digitally sign communications (if server agrees) + +For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server: +HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature +For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. + + + + + + + + + + + text/plain + + + + + MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees + + + + + + + + Microsoft network server: Digitally sign communications (if client agrees) + +This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. + +The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. + +If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. + +Default: Enabled on domain controllers only. 
+ +Important + +For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature + +Notes + +All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. +SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. +For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. + + + + + + + + + + + text/plain + + + + + NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts + + + + + + + + Network access: Do not allow anonymous enumeration of SAM accounts + +This security setting determines what additional permissions will be granted for anonymous connections to the computer. 
+ +Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. + +This security option allows additional restrictions to be placed on anonymous connections as follows: + +Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. +Disabled: No additional restrictions. Rely on default permissions. + +Default on workstations: Enabled. +Default on server:Enabled. + +Important + +This policy has no impact on domain controllers. + + + + + + + + + + + text/plain + + + + + NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares + + + + + + + + Network access: Do not allow anonymous enumeration of SAM accounts and shares + +This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. + +Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. + +Default: Disabled. + + + + + + + + + + + text/plain + + + + + NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares + + + + + + + + Network access: Restrict anonymous access to Named Pipes and Shares + +When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: + +Network access: Named pipes that can be accessed anonymously +Network access: Shares that can be accessed anonymously +Default: Enabled. + + + + + + + + + + + text/plain + + + NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM 
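Review bot: Two of the server-side SMB descriptions in this hunk name the wrong side. Under MicrosoftNetworkServer_DigitallySignCommunicationsAlways, the "Important" paragraph tells the reader to set "Microsoft network server: Digitally sign communications (if server agrees)", which is not one of the four policies listed just above it; the server policy in that list is "(if client agrees)". Under MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees, "If this policy is disabled, the SMB client will never negotiate SMB packet signing" describes the client, although the setting governs the server component. Both read as carried over from the client text and should be corrected, because an administrator configuring signing will follow them literally. Also add the missing space in "Default:This policy" and "Default on server:Enabled."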
@@ -29220,6 +31935,266 @@ This policy will be turned off by default on domain joined machines. This would + + NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange + + + + + + + + Network security: Do not store LAN Manager hash value on next password change + +This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. + + +Default on Windows Vista and above: Enabled +Default on Windows XP: Disabled. + +Important + +Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. +This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. + + + + + + + + + + + text/plain + + + + + NetworkSecurity_LANManagerAuthenticationLevel + + + + + + + + Network security LAN Manager authentication level + +This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: + +Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. + +Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. 
+ +Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. + +Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. + +Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). + +Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). + +Important + +This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. + +Default: + +Windows 2000 and windows XP: send LM and NTLM responses + +Windows Server 2003: Send NTLM response only + +Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only + + + + + + + + + + + text/plain + + + + + NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers + + + + + + + + Network security: Minimum session security for NTLM SSP based (including secure RPC) servers + +This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. 
The options are: + +Require NTLMv2 session security: The connection will fail if message integrity is not negotiated. +Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated. + +Default: + +Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. + +Windows 7 and Windows Server 2008 R2: Require 128-bit encryption + + + + + + + + + + + text/plain + + + + + NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication + + + + + + + + Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication + +This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. + +If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. + +If you do not configure this policy setting, no exceptions will be applied. + +The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character. + + + + + + + + + + + text/plain + + + + + NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic + + + + + + + + Network security: Restrict NTLM: Audit Incoming NTLM Traffic + +This policy setting allows you to audit incoming NTLM traffic. + +If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. 
+ +If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. + +If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. + +This policy is supported on at least Windows 7 or Windows Server 2008 R2. + +Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. + + + + + + + + + + + text/plain + + + + + NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic + + + + + + + + Network security: Restrict NTLM: Incoming NTLM traffic + +This policy setting allows you to deny or allow incoming NTLM traffic. + +If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. + +If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. + +If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. + +This policy is supported on at least Windows 7 or Windows Server 2008 R2. + +Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
+ + + + + + + + + + + text/plain + + + + + NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers + + + + + + + + Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers + +This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. + +If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. + +If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. + +If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. + +This policy is supported on at least Windows 7 or Windows Server 2008 R2. + +Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. + + + + + + + + + + + text/plain + + + Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn @@ -29624,8 +32599,8 @@ The options are: - + @@ -29670,8 +32645,8 @@ The options are: - + @@ -29716,8 +32691,8 @@ The options are: - + @@ -29786,8 +32761,8 @@ The options are: - + 
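Review bot: In the hunk that adds the NetworkSecurity_* entries, the title line of NetworkSecurity_LANManagerAuthenticationLevel reads "Network security LAN Manager authentication level", without the colon after "Network security" that the other titles in the hunk have. In the same entry, "Windows 2000 and windows XP: send LM and NTLM responses" should match the capitalisation of the option name listed above it. In NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication, "To ensure exceptions the name used by all applications needs to be in the list" is hard to parse, and "naming formats ." has a stray space; reword that sentence so it is clear that both the FQDN and the NetBIOS name should be listed.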
@@ -29875,13 +32850,297 @@ The options are: + + MSSecurityGuide + + + + + + + + + + + + + + + + + + + + + ApplyUACRestrictionsToLocalAccountsOnNetworkLogon + + + + + + + + + + + + + + + + + + + text/plain + + + + + ConfigureSMBV1ClientDriver + + + + + + + + + + + + + + + + + + + text/plain + + + + + ConfigureSMBV1Server + + + + + + + + + + + + + + + + + + + text/plain + + + + + EnableStructuredExceptionHandlingOverwriteProtection + + + + + + + + + + + + + + + + + + + text/plain + + + + + TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications + + + + + + + + + + + + + + + + + + + text/plain + + + + + WDigestAuthentication + + + + + + + + + + + + + + + + + + + text/plain + + + + + + MSSLegacy + + + + + + + + + + + + + + + + + + + + + AllowICMPRedirectsToOverrideOSPFGeneratedRoutes + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers + + + + + + + + + + + + + + + + + + + text/plain + + + + + IPSourceRoutingProtectionLevel + + + + + + + + + + + + + + + + + + + text/plain + + + + + IPv6SourceRoutingProtectionLevel + + + + + + + + + + + + + + + + + + + text/plain + + + + NetworkIsolation - + @@ -30090,12 +33349,12 @@ The options are: - Power + Notifications - + @@ -30110,6 +33369,76 @@ The options are: + + DisallowCloudNotification + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Power + + + + + + + + + + + + + + + + + + + + + AllowStandbyStatesWhenSleepingOnBattery + + + + + + + + + + + + + + + + + + + text/plain + + + AllowStandbyWhenSleepingPluggedIn @@ -30332,8 +33661,8 @@ The options are: - + @@ -30402,8 +33731,8 @@ The options are: - + 
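Review bot: The MSSecurityGuide and MSSLegacy entries added here (ConfigureSMBV1Server, WDigestAuthentication, IPSourceRoutingProtectionLevel and the rest) appear with a name and "text/plain" only and no description text. The LocalPoliciesSecurityOptions entries added in the preceding hunks carry full explanations and defaults. These are security-baseline settings, so add at least a one-line description and the default for each, or a pointer to where they are documented.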
@@ -30835,7 +34164,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. @@ -30859,7 +34188,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. @@ -30883,7 +34212,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. @@ -30931,7 +34260,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. 
@@ -30955,7 +34284,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. @@ -30979,7 +34308,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. @@ -31027,7 +34356,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. @@ -31051,7 +34380,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. 
@@ -31075,7 +34404,103 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessGazeInput + + + + + + + + This policy setting specifies whether Windows apps can access the eye tracker. + + + + + + + + + + + text/plain + + + + + LetAppsAccessGazeInput_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessGazeInput_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessGazeInput_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. 
@@ -31123,7 +34548,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. @@ -31147,7 +34572,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. @@ -31171,7 +34596,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. @@ -31219,7 +34644,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. 
@@ -31243,7 +34668,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. @@ -31267,7 +34692,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. @@ -31315,7 +34740,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. 
@@ -31339,7 +34764,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. @@ -31363,7 +34788,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. @@ -31411,7 +34836,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. @@ -31435,7 +34860,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. 
@@ -31459,7 +34884,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. @@ -31507,7 +34932,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. @@ -31531,7 +34956,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. 
@@ -31555,7 +34980,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. @@ -31603,7 +35028,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. @@ -31627,7 +35052,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. 
@@ -31651,7 +35076,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. @@ -31699,7 +35124,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. @@ -31723,7 +35148,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. 
@@ -31747,7 +35172,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. @@ -31795,7 +35220,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. @@ -31819,7 +35244,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. @@ -31843,7 +35268,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. 
@@ -31891,7 +35316,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. @@ -31915,7 +35340,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. @@ -31939,7 +35364,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. 
@@ -32179,7 +35604,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -32203,7 +35628,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -32227,7 +35652,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -32266,14 +35691,38 @@ The options are: + + UploadUserActivities + + + + + + + + Allows ActivityFeed to upload published 'User Activities'. + + + + + + + + + + + text/plain + + + RemoteAssistance - + @@ -32390,8 +35839,8 @@ The options are: - + @@ -32556,8 +36005,8 @@ The options are: - + 
@@ -32938,8 +36387,8 @@ The options are: - + @@ -33008,8 +36457,8 @@ The options are: - + @@ -33193,13 +36642,60 @@ The options are: + + RestrictedGroups + + + + + + + + + + + + + + + + + + + + + ConfigureGroupMembership + + + + + + + + This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group. +Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. + + + + + + + + + + + text/plain + + + + Search - + @@ -33238,6 +36734,30 @@ The options are: + + AllowCortanaInAAD + + + + + + + + This features allows you to show the cortana opt-in page during Windows Setup + + + + + + + + + + + text/plain + + + AllowIndexingEncryptedStoresOrItems @@ -33430,6 +36950,30 @@ The options are: + + DoNotUseWebResults + + + + + + + + + + + + + + + + + + + text/plain + + + PreventIndexingLowDiskSpaceMB @@ -33508,8 +37052,8 @@ The options are: - + 
@@ -33644,6 +37188,30 @@ The options are: + + ConfigureWindowsPasswords + + + + + + + + Configures the use of passwords for Windows features + + + + + + + + + + + text/plain + + + PreventAutomaticDeviceEncryptionForAzureADJoinedDevices @@ -33746,8 +37314,8 @@ The options are: - + @@ -34080,8 +37648,8 @@ The options are: - + @@ -34174,8 +37742,8 @@ The options are: - + @@ -34220,8 +37788,8 @@ The options are: - + @@ -34476,6 +38044,30 @@ The options are: + + DisableContextMenus + + + + + + + + Enabling this policy prevents context menus from being invoked in the Start Menu. + + + + + + + + + + + text/plain + + + ForceStartSize @@ -34914,8 +38506,8 @@ The options are: - + @@ -34984,8 +38576,8 @@ The options are: - + @@ -35216,6 +38808,54 @@ The options are: + + ConfigureTelemetryOptInChangeNotification + + + + + + + + + + + + + + + + + + + text/plain + + + + + ConfigureTelemetryOptInSettingsUx + + + + + + + + + + + + + + + + + + + text/plain + + + DisableEnterpriseAuthProxy 
@@ -35249,7 +38889,7 @@ The options are: - This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. + This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Microsoft Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. 
@@ -35321,7 +38961,7 @@ The options are: - This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced) When you configure these policy settings, a Basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: https://go.microsoft.com/fwlink/?linkid=847594. Enabling Enhanced diagnostic data in the Allow Telemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional Enhanced level telemetry data. This setting has no effect on computers configured to send Full, Basic or Security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy. + This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. 
If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting. @@ -35362,12 +39002,12 @@ The options are: - TextInput + SystemServices - + 
@@ -35382,6 +39022,242 @@ The options are: + + ConfigureHomeGroupListenerServiceStartupMode + + + + + + + + This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + + + + + text/plain + + + + + ConfigureHomeGroupProviderServiceStartupMode + + + + + + + + This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + + + + + text/plain + + + + + ConfigureXboxAccessoryManagementServiceStartupMode + + + + + + + + This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + + + + + text/plain + + + + + ConfigureXboxLiveAuthManagerServiceStartupMode + + + + + + + + This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + + + + + text/plain + + + + + ConfigureXboxLiveGameSaveServiceStartupMode + + + + + + + + This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + + + + + text/plain + + + + + ConfigureXboxLiveNetworkingServiceStartupMode + + + + + + + + This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + + + + + text/plain + + + + + + TaskScheduler + + + + + + + + + + + + + + + + + + + + + EnableXboxGameSaveTask + + + + + + + + This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled. + + + + + + + + + + + text/plain + + + + + + TextInput + + + + + + + + + + + + + + + + + + + + + AllowHardwareKeyboardTextSuggestions + + + + + + + + + + + + + + + + + + + text/plain + + + AllowIMELogging 
@@ -35598,6 +39474,54 @@ The options are: + + AllowLinguisticDataCollection + + + + + + + + + + + + + + + + + + + text/plain + + + + + EnableTouchKeyboardAutoInvokeInDesktopMode + + + + + + + + + + + + + + + + + + + text/plain + + + ExcludeJapaneseIMEExceptJIS0208 @@ -35670,14 +39594,206 @@ The options are: + + ForceTouchKeyboardDockedState + + + + + + + + + + + + + + + + + + + text/plain + + + + + TouchKeyboardDictationButtonAvailability + + + + + + + + + + + + + + + + + + + text/plain + + + + + TouchKeyboardEmojiButtonAvailability + + + + + + + + + + + + + + + + + + + text/plain + + + + + TouchKeyboardFullModeAvailability + + + + + + + + + + + + + + + + + + + text/plain + + + + + TouchKeyboardHandwritingModeAvailability + + + + + + + + + + + + + + + + + + + text/plain + + + + + TouchKeyboardNarrowModeAvailability + + + + + + + + + + + + + + + + + + + text/plain + + + + + TouchKeyboardSplitModeAvailability + + + + + + + + + + + + + + + + + + + text/plain + + + + + TouchKeyboardWideModeAvailability + + + + + + + + + + + + + + + + + + + text/plain + + + TimeLanguageSettings - + @@ -35722,8 +39838,8 @@ The options are: - + @@ -36026,6 +40142,30 @@ The options are: + + ConfigureFeatureUpdateUninstallPeriod + + + + + + + + Enable enterprises/IT admin to configure feature update uninstall period + + + + + + + + + + + text/plain + + + DeferFeatureUpdatesPeriodInDays 
@@ -36867,13 +41007,735 @@ The options are: + + UserRights + + + + + + + + + + + + + + + + + + + + + AccessCredentialManagerAsTrustedCaller + + + + + + + + This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. + + + + + + + + + + + text/plain + + + + + AccessFromNetwork + + + + + + + + This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. + + + + + + + + + + + text/plain + + + + + ActAsPartOfTheOperatingSystem + + + + + + + + This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. + + + + + + + + + + + text/plain + + + + + AllowLocalLogOn + + + + + + + + This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website. 
+ + + + + + + + + + + text/plain + + + + + BackupFilesAndDirectories + + + + + + + + This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users + + + + + + + + + + + text/plain + + + + + ChangeSystemTime + + + + + + + + This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. + + + + + + + + + + + text/plain + + + + + CreateGlobalObjects + + + + + + + + This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users. + + + + + + + + + + + text/plain + + + + + CreatePageFile + + + + + + + + This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. 
This user right is used internally by the operating system and usually does not need to be assigned to any users + + + + + + + + + + + text/plain + + + + + CreatePermanentSharedObjects + + + + + + + + This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it. + + + + + + + + + + + text/plain + + + + + CreateSymbolicLinks + + + + + + + + This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. + + + + + + + + + + + text/plain + + + + + CreateToken + + + + + + + + This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. 
+ + + + + + + + + + + text/plain + + + + + DebugPrograms + + + + + + + + This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. + + + + + + + + + + + text/plain + + + + + DenyAccessFromNetwork + + + + + + + + This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. + + + + + + + + + + + text/plain + + + + + DenyLocalLogOn + + + + + + + + This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts. + + + + + + + + + + + text/plain + + + + + DenyRemoteDesktopServicesLogOn + + + + + + + + This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client. + + + + + + + + + + + text/plain + + + + + EnableDelegation + + + + + + + + This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. 
Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. + + + + + + + + + + + text/plain + + + + + GenerateSecurityAudits + + + + + + + + This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled. + + + + + + + + + + + text/plain + + + + + ImpersonateClient + + + + + + + + Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. +1) The access token that is being impersonated is for this user. 
+2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. +3) The requested level is less than Impersonate, such as Anonymous or Identify. +Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run. + + + + + + + + + + + text/plain + + + + + IncreaseSchedulingPriority + + + + + + + + This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. + + + + + + + + + + + text/plain + + + + + LoadUnloadDeviceDrivers + + + + + + + + This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. + + + + + + + + + + + text/plain + + + + + LockMemory + + + + + + + + This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). + + + + + + + + + + + text/plain + + + + + ManageAuditingAndSecurityLog + + + + + + + + This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. 
This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log. + + + + + + + + + + + text/plain + + + + + ManageVolume + + + + + + + + This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. + + + + + + + + + + + text/plain + + + + + ModifyFirmwareEnvironment + + + + + + + + This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. + + + + + + + + + + + text/plain + + + + + ModifyObjectLabel + + + + + + + + This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. 
Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. + + + + + + + + + + + text/plain + + + + + ProfileSingleProcess + + + + + + + + This user right determines which users can use performance monitoring tools to monitor the performance of system processes. + + + + + + + + + + + text/plain + + + + + RemoteShutdown + + + + + + + + This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. + + + + + + + + + + + text/plain + + + + + RestoreFilesAndDirectories + + + + + + + + This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users. + + + + + + + + + + + text/plain + + + + + TakeOwnership + + + + + + + + This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users. + + + + + + + + + + + text/plain + + + + Wifi - + 
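Review bot: The description added under DenyLocalLogOn in this UserRights hunk (`@@ -36867,13 +41007,735 @@`) belongs to a different right: "This security setting determines which service accounts are prevented from registering a process as a service" describes denying logon as a service, not denying local logon. An administrator reading it would misjudge what the node restricts, so replace it with text about which users are prevented from logging on at the computer, mirroring the AllowLocalLogOn wording. Two smaller points in the same hunk: the GenerateSecurityAudits text ends in a broken sentence ("Shut down system immediately if unable to log security audits security policy setting is enabled."), which has lost its leading clause, and several descriptions have run-together sentences ("user right.Note:", "Caution:Assigning", "directories.Specifically") plus "in conjunction a symlink filesystem setting" under CreateSymbolicLinks, which is missing "with".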
@@ -37033,13 +41895,59 @@ The options are: + + WindowsConnectionManager + + + + + + + + + + + + + + + + + + + + + ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork + + + + + + + + + + + + + + + + + + + text/plain + + + + WindowsDefenderSecurityCenter - + @@ -37078,6 +41986,30 @@ The options are: + + DisableAccountProtectionUI + + + + + + + + + + + + + + + + + + + text/plain + + + DisableAppBrowserUI @@ -37102,6 +42034,30 @@ The options are: + + DisableDeviceSecurityUI + + + + + + + + + + + + + + + + + + + text/plain + + + DisableEnhancedNotifications @@ -37342,6 +42298,78 @@ The options are: + + HideRansomwareDataRecovery + + + + + + + + + + + + + + + + + + + text/plain + + + + + HideSecureBoot + + + + + + + + + + + + + + + + + + + text/plain + + + + + HideTPMTroubleshooting + + + + + + + + + + + + + + + + + + + text/plain + + + Phone @@ -37396,8 +42424,8 @@ The options are: - + @@ -37466,8 +42494,8 @@ The options are: - + @@ -37530,6 +42558,30 @@ The options are: + + EnumerateLocalUsersOnDomainJoinedComputers + + + + + + + + + + + + + + + + + + + text/plain + + + HideFastUserSwitching @@ -37554,14 +42606,84 @@ The options are: + + SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart + + + + + + + + + + + + + + + + + + + text/plain + + + + + + WindowsPowerShell + + + + + + + + + + + + + + + + + + + + + TurnOnPowerShellScriptBlockLogging + + + + + + + + + + + + + + + + + + + text/plain + + + WirelessDisplay - + @@ -37824,8 +42946,8 @@ The options are: - 1 + @@ -37849,8 +42971,8 @@ The options are: - 1 + @@ -37864,6 +42986,9 @@ The options are: text/plain + Search.admx + Search~AT~WindowsComponents~Search + AllowCortanaAboveLock LowestValueMostSecure @@ -37873,8 +42998,8 @@ The options are: - 1 + @@ -37917,8 +43042,8 @@ The options are: - 1 + @@ -37941,8 +43066,8 @@ The options are: - 1 + @@ -37965,8 +43090,8 @@ The options are: - 1 + @@ -37989,8 +43114,8 @@ The options are: - + @@ -38032,8 +43157,8 @@ The options are: - + 
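Review bot: In the WindowsConnectionManager hunk (`@@ -37033,13 +41895,59 @@`), the new node name is spelled "ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork", with "Prohit" where "Prohibit" is clearly meant. Node names are what administrators type into OMA-URI paths, so please confirm whether this is the name the client actually registers. If it is, keep it and call out the spelling in the description so nobody "corrects" it in a profile; if it is not, fix it here. The node also has no description text, and neither do the other nodes added in this part of the patch (DisableAccountProtectionUI, HideSecureBoot, HideTPMTroubleshooting, TurnOnPowerShellScriptBlockLogging), which leaves security-relevant switches undocumented.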
@@ -38079,8 +43204,8 @@ The options are: - + @@ -38094,9 +43219,40 @@ The options are: text/plain phone + WindowsExplorer.admx + DefaultAssociationsConfiguration_TextBox + WindowsExplorer~AT~WindowsComponents~WindowsExplorer + DefaultAssociationsConfiguration LastWrite + + EnableAppUriHandlers + + + + + 1 + Enables web-to-app linking, which allows apps to be launched with a http(s) URI + + + + + + + + + + + text/plain + + + GroupPolicy.admx + GroupPolicy~AT~System~PolicyPolicies + EnableAppUriHandlers + HighestValueMostSecure + + ApplicationManagement @@ -38123,8 +43279,8 @@ The options are: - 65535 + @@ -38138,6 +43294,9 @@ The options are: text/plain + AppxPackageManager.admx + AppxPackageManager~AT~WindowsComponents~AppxDeployment + AppxDeploymentAllowAllTrustedApps LowestValueMostSecure @@ -38147,8 +43306,8 @@ The options are: - 2 + @@ -38161,6 +43320,10 @@ The options are: text/plain + + WindowsStore.admx + WindowsStore~AT~WindowsComponents~WindowsStore + DisableAutoInstall LowestValueMostSecure @@ -38170,8 +43333,8 @@ The options are: - 65535 + @@ -38185,6 +43348,9 @@ The options are: text/plain + AppxPackageManager.admx + AppxPackageManager~AT~WindowsComponents~AppxDeployment + AllowDevelopmentWithoutDevLicense LowestValueMostSecure @@ -38194,8 +43360,8 @@ The options are: - 1 + @@ -38210,6 +43376,9 @@ The options are: phone + GameDVR.admx + GameDVR~AT~WindowsComponents~GAMEDVR + AllowGameDVR LowestValueMostSecure @@ -38219,8 +43388,8 @@ The options are: - 0 + @@ -38234,6 +43403,9 @@ The options are: text/plain + AppxPackageManager.admx + AppxPackageManager~AT~WindowsComponents~AppxDeployment + AllowSharedLocalAppData LowestValueMostSecure @@ -38243,8 +43415,8 @@ The options are: - 1 + @@ -38268,8 +43440,8 @@ The options are: - + @@ -38292,8 +43464,8 @@ The options are: - 0 + 
@@ -38307,17 +43479,103 @@ The options are: text/plain + WindowsStore.admx + WindowsStore~AT~WindowsComponents~WindowsStore + DisableStoreApps LowestValueMostSecure + + MSIAllowUserControlOverInstall + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + MSI.admx + MSI~AT~WindowsComponents~MSI + EnableUserControl + HighestValueMostSecure + + + + MSIAlwaysInstallWithElevatedPrivileges + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + MSI.admx + MSI~AT~WindowsComponents~MSI + AlwaysInstallElevated + HighestValueMostSecure + + + + RequirePrivateStoreOnly + + + + + 0 + + + + + + + + + + + + text/plain + + + WindowsStore.admx + WindowsStore~AT~WindowsComponents~WindowsStore + RequirePrivateStoreOnly + HighestValueMostSecure + + RestrictAppDataToSystemVolume - 0 + @@ -38331,6 +43589,9 @@ The options are: text/plain + AppxPackageManager.admx + AppxPackageManager~AT~WindowsComponents~AppxDeployment + RestrictAppDataToSystemVolume LowestValueMostSecure @@ -38340,8 +43601,8 @@ The options are: - 0 + @@ -38355,10 +43616,60 @@ The options are: text/plain + AppxPackageManager.admx + AppxPackageManager~AT~WindowsComponents~AppxDeployment + DisableDeploymentToNonSystemVolumes LowestValueMostSecure + + AppRuntime + + + + + + + + + + + + + + + + + + + AllowMicrosoftAccountsToBeOptional + + + + + + + + + + + + + + + + + text/plain + + phone + AppXRuntime.admx + AppXRuntime~AT~WindowsComponents~AppXRuntime + AppxRuntimeMicrosoftAccountsOptional + LastWrite + + + AppVirtualization @@ -38384,8 +43695,8 @@ The options are: - + @@ -38411,8 +43722,8 @@ The options are: - + @@ -38438,8 +43749,8 @@ The options are: - + @@ -38465,8 +43776,8 @@ The options are: - + @@ -38492,8 +43803,8 @@ The options are: - + @@ -38519,8 +43830,8 @@ The options are: - + @@ -38546,8 +43857,8 @@ The options are: - + @@ -38573,8 +43884,8 @@ The options are: - + @@ -38600,8 +43911,8 @@ The options are: - + @@ -38627,8 +43938,8 @@ The options are: - + @@ -38654,8 +43965,8 @@ The options are: - + 
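Review bot: In the `@@ -38307,17 +43479,103 @@` hunk, MSIAlwaysInstallWithElevatedPrivileges (mapped to AlwaysInstallElevated) and MSIAllowUserControlOverInstall (mapped to EnableUserControl) are both tagged HighestValueMostSecure with a default of 0. For these two, the higher value is the permissive one: as the node name itself says, enabling the first makes Windows Installer always install with elevated privileges. Marking the highest value as the most secure therefore looks inverted, and it differs from the LowestValueMostSecure tag on the neighbouring DisableStoreApps and RestrictAppDataToSystemVolume nodes. Please check the conflict-resolution tag for both MSI nodes, and add description text; all three nodes added here (including RequirePrivateStoreOnly) have none.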
@@ -38681,8 +43992,8 @@ The options are: - + @@ -38708,8 +44019,8 @@ The options are: - + @@ -38735,8 +44046,8 @@ The options are: - + @@ -38762,8 +44073,8 @@ The options are: - + @@ -38789,8 +44100,8 @@ The options are: - + @@ -38816,8 +44127,8 @@ The options are: - + @@ -38843,8 +44154,8 @@ The options are: - + @@ -38870,8 +44181,8 @@ The options are: - + @@ -38897,8 +44208,8 @@ The options are: - + @@ -38924,8 +44235,8 @@ The options are: - + @@ -38951,8 +44262,8 @@ The options are: - + @@ -38978,8 +44289,8 @@ The options are: - + @@ -39005,8 +44316,8 @@ The options are: - + @@ -39032,8 +44343,8 @@ The options are: - + @@ -39059,8 +44370,8 @@ The options are: - + @@ -39086,8 +44397,8 @@ The options are: - + @@ -39113,8 +44424,8 @@ The options are: - + @@ -39160,8 +44471,8 @@ The options are: - Specifies whether password reset is enabled for AAD accounts. 0 + Specifies whether password reset is enabled for AAD accounts. @@ -39185,8 +44496,8 @@ The options are: - 1 + @@ -39203,39 +44514,14 @@ The options are: LowestValueMostSecure - - AllowFidoDeviceSignon - - - - - Specifies whether FIDO device can be used to sign on. - 0 - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - AllowSecondaryAuthenticationDevice - 0 + @@ -39249,6 +44535,9 @@ The options are: text/plain + DeviceCredential.admx + DeviceCredential~AT~WindowsComponents~MSSecondaryAuthFactorCategory + MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice LowestValueMostSecure @@ -39278,8 +44567,8 @@ The options are: - + @@ -39305,8 +44594,8 @@ The options are: - + @@ -39332,8 +44621,8 @@ The options are: - + @@ -39379,8 +44668,8 @@ The options are: - 6 + @@ -39423,8 +44712,8 @@ The options are: - 1 + @@ -39447,8 +44736,8 @@ The options are: - 1 + @@ -39471,8 +44760,32 @@ The options are: - 1 + + + + + + + + + + + + text/plain + + + LowestValueMostSecure + + + + AllowPromptedProximalConnections + + + + + 1 + @@ -39495,8 +44808,8 @@ The options are: - + 
@@ -39518,8 +44831,8 @@ The options are: - + @@ -39561,8 +44874,8 @@ The options are: - This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. 1 + This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. @@ -39577,6 +44890,9 @@ The options are: phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowAddressBarDropdown LowestValueMostSecure @@ -39586,8 +44902,8 @@ The options are: - This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. 0 + This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. @@ -39601,6 +44917,9 @@ The options are: text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowAutofill LowestValueMostSecure @@ -39610,8 +44929,8 @@ The options are: - 1 + @@ -39630,13 +44949,13 @@ The options are: - AllowCookies + AllowConfigurationUpdateForBooksLibrary - This setting lets you configure how your company deals with cookies. - 2 + 1 + This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. @@ -39649,6 +44968,35 @@ The options are: text/plain + + LowestValueMostSecure + + + + AllowCookies + + + + + 2 + This setting lets you configure how your company deals with cookies. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + CookiesListBox + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + Cookies LowestValueMostSecure 
@@ -39658,8 +45006,8 @@ The options are: - This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. 1 + This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. @@ -39674,6 +45022,9 @@ The options are: phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowDeveloperTools LowestValueMostSecure @@ -39683,8 +45034,8 @@ The options are: - This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. 0 + This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. @@ -39698,6 +45049,9 @@ The options are: text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowDoNotTrack LowestValueMostSecure @@ -39707,8 +45061,8 @@ The options are: - This setting lets you decide whether employees can load extensions in Microsoft Edge. 1 + This setting lets you decide whether employees can load extensions in Microsoft Edge. @@ -39723,6 +45077,9 @@ The options are: phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowExtensions LowestValueMostSecure @@ -39732,8 +45089,8 @@ The options are: - This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. 1 + This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. @@ -39748,6 +45105,9 @@ The options are: phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowFlash HighestValueMostSecure @@ -39757,8 +45117,8 @@ The options are: - Configure the Adobe Flash Click-to-Run setting. 1 + Configure the Adobe Flash Click-to-Run setting. @@ -39773,6 +45133,9 @@ The options are: phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowFlashClickToRun HighestValueMostSecure 
@@ -39782,8 +45145,8 @@ The options are: - This setting lets you decide whether employees can browse using InPrivate website browsing. 1 + This setting lets you decide whether employees can browse using InPrivate website browsing. @@ -39797,6 +45160,9 @@ The options are: text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowInPrivate LowestValueMostSecure @@ -39806,12 +45172,12 @@ The options are: + 1 This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. - 1 @@ -39825,6 +45191,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowCVList LowestValueMostSecure @@ -39834,8 +45203,8 @@ If you disable this setting, the Microsoft Compatibility List will not be used d - This setting lets you decide whether employees can save their passwords locally, using Password Manager. 1 + This setting lets you decide whether employees can save their passwords locally, using Password Manager. 
@@ -39849,6 +45218,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowPasswordManager LowestValueMostSecure @@ -39858,8 +45230,8 @@ If you disable this setting, the Microsoft Compatibility List will not be used d - This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. 0 + This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. @@ -39874,6 +45246,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowPopups LowestValueMostSecure @@ -39883,13 +45258,13 @@ If you disable this setting, the Microsoft Compatibility List will not be used d + 1 Allow search engine customization for MDM enrolled devices. Users can change their default search engine. If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). - 1 @@ -39903,6 +45278,9 @@ This policy will only apply on domain joined machines or when the device is MDM text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowSearchEngineCustomization LowestValueMostSecure 
@@ -39912,8 +45290,8 @@ This policy will only apply on domain joined machines or when the device is MDM - This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. 1 + This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. @@ -39927,6 +45305,9 @@ This policy will only apply on domain joined machines or when the device is MDM text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowSearchSuggestionsinAddressBar LowestValueMostSecure @@ -39936,8 +45317,8 @@ This policy will only apply on domain joined machines or when the device is MDM - This setting lets you decide whether to turn on Windows Defender SmartScreen. 1 + This setting lets you decide whether to turn on Windows Defender SmartScreen. @@ -39951,6 +45332,9 @@ This policy will only apply on domain joined machines or when the device is MDM text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowSmartScreen LowestValueMostSecure @@ -39960,8 +45344,8 @@ This policy will only apply on domain joined machines or when the device is MDM - Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. 0 + Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. @@ -39975,6 +45359,9 @@ This policy will only apply on domain joined machines or when the device is MDM text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AlwaysEnableBooksLibrary LowestValueMostSecure @@ -39984,8 +45371,8 @@ This policy will only apply on domain joined machines or when the device is MDM - Specifies whether to always clear browsing history on exiting Microsoft Edge. 0 + Specifies whether to always clear browsing history on exiting Microsoft Edge. 
@@ -40000,6 +45387,9 @@ This policy will only apply on domain joined machines or when the device is MDM phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowClearingBrowsingDataOnExit LowestValueMostSecure @@ -40009,6 +45399,7 @@ This policy will only apply on domain joined machines or when the device is MDM + Allows you to add up to 5 additional search engines for MDM-enrolled devices. If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. @@ -40016,7 +45407,6 @@ If this setting is turned on, you can add up to 5 additional search engines for If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - @@ -40029,6 +45419,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + MicrosoftEdge.admx + ConfigureAdditionalSearchEngines_Prompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureAdditionalSearchEngines LastWrite 
@@ -40038,13 +45432,13 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + 0 Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect. Note: This policy has no effect when Browser/HomePages is not configured. Important This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). - 0 @@ -40059,6 +45453,36 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + DisableLockdownOfStartPages + LowestValueMostSecure + + + + EnableExtendedBooksTelemetry + + + + + 0 + This setting allows organizations to send extended telemetry on book usage from the Books Library. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + EnableExtendedBooksTelemetry LowestValueMostSecure @@ -40068,8 +45492,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo - This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. + This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. @@ -40083,6 +45507,10 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo text/plain phone + MicrosoftEdge.admx + EnterSiteListPrompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + EnterpriseModeSiteList LastWrite 
@@ -40092,8 +45520,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo - + @@ -40116,8 +45544,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo - Configure first run URL. + Configure first run URL. @@ -40140,13 +45568,13 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo + Configure the Start page URLs for your employees. Example: If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. Encapsulate each string with greater than and less than characters like any other XML tag. Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. - @@ -40160,6 +45588,10 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, you ca text/plain phone + MicrosoftEdge.admx + HomePagesPrompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + HomePages LastWrite @@ -40169,6 +45601,7 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, you ca + 0 This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. 
@@ -40177,7 +45610,6 @@ Important Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. - 0 @@ -40191,6 +45623,9 @@ If you disable or don't configure this setting (default), employees can add, imp text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + LockdownFavorites LowestValueMostSecure @@ -40200,8 +45635,8 @@ If you disable or don't configure this setting (default), employees can add, imp - Prevent access to the about:flags page in Microsoft Edge. 0 + Prevent access to the about:flags page in Microsoft Edge. @@ -40215,6 +45650,9 @@ If you disable or don't configure this setting (default), employees can add, imp text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + PreventAccessToAboutFlagsInMicrosoftEdge HighestValueMostSecure @@ -40224,10 +45662,10 @@ If you disable or don't configure this setting (default), employees can add, imp + 0 Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - 0 @@ -40242,6 +45680,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + PreventFirstRunPage HighestValueMostSecure 
@@ -40251,10 +45692,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + 0 This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - 0 @@ -40268,6 +45709,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + PreventLiveTileDataCollection HighestValueMostSecure @@ -40277,8 +45721,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Don't allow Windows Defender SmartScreen warning overrides 0 + Don't allow Windows Defender SmartScreen warning overrides @@ -40292,6 +45736,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + PreventSmartScreenPromptOverride HighestValueMostSecure @@ -40301,8 +45748,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Don't allow Windows Defender SmartScreen warning overrides for unverified files. 0 + Don't allow Windows Defender SmartScreen warning overrides for unverified files. 
@@ -40316,6 +45763,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + PreventSmartScreenPromptOverrideForFiles + HighestValueMostSecure + + + + PreventTabPreloading + + + + + 0 + Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + PreventTabPreloading HighestValueMostSecure @@ -40325,8 +45803,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Prevent using localhost IP address for WebRTC 0 + Prevent using localhost IP address for WebRTC @@ -40340,6 +45818,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + HideLocalHostIPAddress HighestValueMostSecure @@ -40349,6 +45830,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. @@ -40357,7 +45839,6 @@ Important Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. - 
@@ -40370,6 +45851,10 @@ If you disable or don't configure this setting, employees will see the favorites text/plain + MicrosoftEdge.admx + ConfiguredFavoritesPrompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfiguredFavorites LastWrite @@ -40379,8 +45864,8 @@ If you disable or don't configure this setting, employees will see the favorites - Sends all intranet traffic over to Internet Explorer. 0 + Sends all intranet traffic over to Internet Explorer. @@ -40395,6 +45880,9 @@ If you disable or don't configure this setting, employees will see the favorites phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + SendIntranetTraffictoInternetExplorer HighestValueMostSecure @@ -40404,6 +45892,7 @@ If you disable or don't configure this setting, employees will see the favorites + Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. 
@@ -40411,7 +45900,6 @@ If this setting is turned on, you are setting the default search engine that you If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - @@ -40424,6 +45912,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + MicrosoftEdge.admx + SetDefaultSearchEngine_Prompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + SetDefaultSearchEngine LastWrite @@ -40433,8 +45925,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Show message when opening sites in Internet Explorer 0 + Show message when opening sites in Internet Explorer @@ -40449,6 +45941,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ShowMessageWhenOpeningSitesInInternetExplorer HighestValueMostSecure @@ -40458,8 +45953,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. 0 + Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. 
@@ -40474,6 +45969,36 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + SyncFavoritesBetweenIEAndMicrosoftEdge + LowestValueMostSecure + + + + UseSharedFolderForBooks + + + + + 0 + This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + UseSharedFolderForBooks LowestValueMostSecure @@ -40503,8 +46028,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -40518,6 +46043,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + Camera.admx + Camera~AT~WindowsComponents~L_Camera_GroupPolicyCategory + L_AllowCamera LowestValueMostSecure @@ -40547,8 +46075,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - This policy setting specifies whether Windows apps can access cellular data. 0 + This policy setting specifies whether Windows apps can access cellular data. @@ -40561,6 +46089,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + + wwansvc.admx + LetAppsAccessCellularData_Enum + wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess + LetAppsAccessCellularData HighestValueMostSecure 
@@ -40570,8 +46103,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. @@ -40584,6 +46117,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + wwansvc.admx + LetAppsAccessCellularData_ForceAllowTheseApps_List + wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess + LetAppsAccessCellularData LastWrite ; @@ -40594,8 +46131,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. @@ -40608,6 +46145,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + wwansvc.admx + LetAppsAccessCellularData_ForceDenyTheseApps_List + wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess + LetAppsAccessCellularData LastWrite ; 
@@ -40618,8 +46159,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. @@ -40632,6 +46173,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + wwansvc.admx + LetAppsAccessCellularData_UserInControlOfTheseApps_List + wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess + LetAppsAccessCellularData LastWrite ; @@ -40642,8 +46187,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -40688,8 +46233,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 2 + @@ -40712,8 +46257,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -40726,6 +46271,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -40735,8 +46281,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -40749,6 +46295,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + + WCM.admx + WCM~AT~Network~WCM_Category + WCM_DisableRoaming LowestValueMostSecure @@ -40758,8 +46308,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -40782,8 +46332,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + 
@@ -40801,14 +46351,41 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LowestValueMostSecure + + AllowPhonePCLinking + + + + + 1 + + + + + + + + + + + + text/plain + + + grouppolicy.admx + grouppolicy~AT~System~PolicyPolicies + enableMMX + LowestValueMostSecure + + AllowUSBConnection - 1 + @@ -40832,8 +46409,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -40856,8 +46433,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -40880,8 +46457,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -40907,8 +46484,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -40934,8 +46511,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -40961,8 +46538,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -40975,6 +46552,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + + ICM.admx + ICM~AT~System~InternetManagement~InternetManagement_Settings + NoActiveProbe HighestValueMostSecure @@ -40984,8 +46565,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -41011,8 +46592,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -41033,6 +46614,50 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + ControlPolicyConflict + + + + + + + + + + + + + + + + + + + MDMWinsOverGP + + + + + 0 + If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC + + + + + + + + + + + text/plain + + + LastWrite + + + CredentialProviders @@ -41058,8 +46683,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -41085,8 +46710,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -41112,8 +46737,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -41131,6 +46756,53 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + CredentialsDelegation + + + + + + + + + + + + + + + + + + + RemoteHostAllowsDelegationOfNonExportableCredentials + + + + + + + + + + + + + + + + + text/plain + + phone + CredSsp.admx + CredSsp~AT~System~CredentialsDelegation + AllowProtectedCreds + LastWrite + + + CredentialsUI @@ -41156,8 +46828,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -41183,8 +46855,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -41230,8 +46902,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -41244,6 +46916,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + + Windows Settings~Security Settings~Local Policies~Security Options + System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing LastWrite @@ -41253,8 +46928,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -41296,8 +46971,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -41320,8 +46995,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -41363,8 +47038,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -41389,8 +47064,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -41435,8 +47110,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + 
@@ -41449,7 +47124,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan + Scan_DisableArchiveScanning HighestValueMostSecure @@ -41459,8 +47138,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -41473,7 +47152,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection + RealtimeProtection_DisableBehaviorMonitoring HighestValueMostSecure @@ -41483,8 +47166,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -41497,7 +47180,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + SpynetReporting + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Spynet + SpynetReporting HighestValueMostSecure @@ -41507,8 +47195,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -41521,7 +47209,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan + Scan_DisableEmailScanning HighestValueMostSecure @@ -41531,8 +47223,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -41545,7 +47237,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan + Scan_DisableScanningMappedNetworkDrivesForFullScan HighestValueMostSecure @@ -41555,8 +47251,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + 
@@ -41569,7 +47265,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan + Scan_DisableRemovableDriveScanning HighestValueMostSecure @@ -41579,8 +47279,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -41593,6 +47293,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone HighestValueMostSecure @@ -41603,8 +47304,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -41617,7 +47318,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection + RealtimeProtection_DisableIOAVProtection HighestValueMostSecure @@ -41627,8 +47332,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -41641,7 +47346,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection + RealtimeProtection_DisableOnAccessProtection HighestValueMostSecure @@ -41651,8 +47360,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -41665,7 +47374,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection + DisableRealtimeMonitoring HighestValueMostSecure @@ -41675,8 +47388,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + 
@@ -41689,7 +47402,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan + Scan_DisableScanningNetworkFiles HighestValueMostSecure @@ -41699,8 +47416,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -41713,6 +47430,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone HighestValueMostSecure @@ -41723,8 +47441,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -41737,7 +47455,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ClientInterface + UX_Configuration_UILockdown LastWrite @@ -41747,8 +47469,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -41762,6 +47484,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + WindowsDefender.admx + ExploitGuard_ASR_ASROnlyExclusions + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ASR + ExploitGuard_ASR_ASROnlyExclusions LastWrite @@ -41771,8 +47497,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -41786,6 +47512,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + WindowsDefender.admx + ExploitGuard_ASR_Rules + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ASR + ExploitGuard_ASR_Rules LastWrite @@ -41795,8 +47525,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 50 + 
@@ -41809,7 +47539,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + Scan_AvgCPULoadFactor + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan + Scan_AvgCPULoadFactor LastWrite @@ -41819,8 +47554,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -41833,7 +47568,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + MpCloudBlockLevel + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~MpEngine + MpEngine_MpCloudBlockLevel LastWrite @@ -41843,8 +47583,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -41857,7 +47597,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + MpBafsExtendedTimeout + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~MpEngine + MpEngine_MpBafsExtendedTimeout LastWrite @@ -41867,8 +47612,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -41882,6 +47627,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + WindowsDefender.admx + ExploitGuard_ControlledFolderAccess_AllowedApplications + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess + ExploitGuard_ControlledFolderAccess_AllowedApplications LastWrite @@ -41891,8 +47640,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -41906,6 +47655,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + WindowsDefender.admx + ExploitGuard_ControlledFolderAccess_ProtectedFolders + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess + ExploitGuard_ControlledFolderAccess_ProtectedFolders LastWrite @@ -41915,8 +47668,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -41929,7 +47682,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + Quarantine_PurgeItemsAfterDelay + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Quarantine + Quarantine_PurgeItemsAfterDelay LastWrite @@ -41939,8 +47697,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -41953,7 +47711,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess + ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess LastWrite @@ -41963,8 +47726,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -41977,7 +47740,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + ExploitGuard_EnableNetworkProtection + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_NetworkProtection + ExploitGuard_EnableNetworkProtection LastWrite @@ -41987,8 +47755,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -42002,6 +47770,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + WindowsDefender.admx + Exclusions_PathsList + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions + Exclusions_Paths LastWrite @@ -42011,8 +47783,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -42026,6 +47798,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + WindowsDefender.admx + Exclusions_ExtensionsList + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions + Exclusions_Extensions LastWrite @@ -42035,8 +47811,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -42050,6 +47826,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + WindowsDefender.admx + Exclusions_ProcessesList + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions + Exclusions_Processes LastWrite @@ -42059,8 +47839,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -42073,6 +47853,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone LastWrite @@ -42083,8 +47864,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -42097,7 +47878,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + RealtimeProtection_RealtimeScanDirection + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection + RealtimeProtection_RealtimeScanDirection LowestValueMostSecure @@ -42107,8 +47893,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + 
@@ -42121,7 +47907,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + Scan_ScanParameters + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan + Scan_ScanParameters LastWrite @@ -42131,8 +47922,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 120 + @@ -42145,7 +47936,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + Scan_ScheduleQuickScantime + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan + Scan_ScheduleQuickScantime LastWrite @@ -42155,8 +47951,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -42169,7 +47965,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + Scan_ScheduleDay + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan + Scan_ScheduleDay LastWrite @@ -42179,8 +47980,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 120 + @@ -42193,7 +47994,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + Scan_ScheduleTime + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan + Scan_ScheduleTime LastWrite @@ -42203,8 +48009,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 8 + @@ -42217,7 +48023,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + SignatureUpdate_SignatureUpdateInterval + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate + SignatureUpdate_SignatureUpdateInterval LastWrite @@ -42227,8 +48038,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + 
@@ -42241,7 +48052,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone + WindowsDefender.admx + SubmitSamplesConsent + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Spynet + SubmitSamplesConsent HighestValueMostSecure @@ -42251,8 +48067,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -42266,6 +48082,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + WindowsDefender.admx + Threats_ThreatSeverityDefaultActionList + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Threats + Threats_ThreatSeverityDefaultAction LastWrite @@ -42295,8 +48115,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 10 + @@ -42309,7 +48129,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - phone + + DeliveryOptimization.admx + AbsoluteMaxCacheSize + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + AbsoluteMaxCacheSize LastWrite @@ -42319,8 +48143,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -42334,20 +48158,23 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - phone + DeliveryOptimization.admx + AllowVPNPeerCaching + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + AllowVPNPeerCaching LowestValueMostSecure - DOCacheHost + DODelayBackgroundDownloadFromHttp + 0 - - + 
@@ -42358,7 +48185,39 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - phone + + DeliveryOptimization.admx + DelayBackgroundDownloadFromHttp + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + DelayBackgroundDownloadFromHttp + LastWrite + + + + DODelayForegroundDownloadFromHttp + + + + + 0 + + + + + + + + + + + + text/plain + + + DeliveryOptimization.admx + DelayForegroundDownloadFromHttp + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + DelayForegroundDownloadFromHttp LastWrite @@ -42368,8 +48227,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 1 + @@ -42383,7 +48242,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - phone + DeliveryOptimization.admx + DownloadMode + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + DownloadMode LastWrite @@ -42393,8 +48255,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -42407,7 +48269,38 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - phone + DeliveryOptimization.admx + GroupId + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + GroupId + LastWrite + + + + DOGroupIdSource + + + + + 0 + + + + + + + + + + + + text/plain + + + DeliveryOptimization.admx + GroupIdSource + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + GroupIdSource LastWrite @@ -42417,8 +48310,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 259200 + @@ -42431,7 +48324,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - phone + + DeliveryOptimization.admx + MaxCacheAge + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + MaxCacheAge LastWrite 
@@ -42441,8 +48338,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 20 + @@ -42455,7 +48352,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - phone + + DeliveryOptimization.admx + MaxCacheSize + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + MaxCacheSize LastWrite @@ -42465,8 +48366,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -42479,7 +48380,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - phone + + DeliveryOptimization.admx + MaxDownloadBandwidth + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + MaxDownloadBandwidth LastWrite @@ -42489,8 +48394,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -42503,7 +48408,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - phone + + DeliveryOptimization.admx + MaxUploadBandwidth + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + MaxUploadBandwidth LastWrite @@ -42513,8 +48422,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 500 + @@ -42527,7 +48436,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - phone + + DeliveryOptimization.admx + MinBackgroundQos + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + MinBackgroundQos LastWrite @@ -42537,8 +48450,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -42551,7 +48464,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - phone + + DeliveryOptimization.admx + MinBatteryPercentageAllowedToUpload + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + MinBatteryPercentageAllowedToUpload LastWrite 
@@ -42561,8 +48478,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 32 + @@ -42575,7 +48492,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - phone + + DeliveryOptimization.admx + MinDiskSizeAllowedToPeer + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + MinDiskSizeAllowedToPeer LastWrite @@ -42585,8 +48506,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 100 + @@ -42599,7 +48520,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - phone + + DeliveryOptimization.admx + MinFileSizeToCache + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + MinFileSizeToCache LastWrite @@ -42609,8 +48534,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 4 + @@ -42623,7 +48548,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - phone + + DeliveryOptimization.admx + MinRAMAllowedToPeer + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + MinRAMAllowedToPeer LastWrite @@ -42633,8 +48562,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - %SystemDrive% + @@ -42647,7 +48576,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - phone + DeliveryOptimization.admx + ModifyCacheDrive + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + ModifyCacheDrive LastWrite @@ -42657,8 +48589,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 20 + 
@@ -42671,7 +48603,39 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - phone + + DeliveryOptimization.admx + MonthlyUploadDataCap + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + MonthlyUploadDataCap + LastWrite + + + + DOPercentageMaxBackgroundBandwidth + + + + + 0 + + + + + + + + + + + + text/plain + + + DeliveryOptimization.admx + PercentageMaxBackgroundBandwidth + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + PercentageMaxBackgroundBandwidth LastWrite @@ -42681,8 +48645,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -42695,10 +48659,191 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + phone LastWrite + + DOPercentageMaxForegroundBandwidth + + + + + 0 + + + + + + + + + + + + text/plain + + + DeliveryOptimization.admx + PercentageMaxForegroundBandwidth + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + PercentageMaxForegroundBandwidth + LastWrite + + + + DORestrictPeerSelectionBy + + + + + 0 + + + + + + + + + + + + text/plain + + + DeliveryOptimization.admx + RestrictPeerSelectionBy + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + RestrictPeerSelectionBy + LastWrite + + + + DOSetHoursToLimitBackgroundDownloadBandwidth + + + + + + + + + + + + + + + + + text/plain + + DeliveryOptimization.admx + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + SetHoursToLimitBackgroundDownloadBandwidth + LastWrite + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + DOSetHoursToLimitForegroundDownloadBandwidth + + + + + + + + + + + + + + + + + text/plain + + DeliveryOptimization.admx + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + SetHoursToLimitForegroundDownloadBandwidth + LastWrite + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + DeviceGuard 
@@ -42725,8 +48870,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Turns On Virtualization Based Security(VBS) 0 + Turns On Virtualization Based Security(VBS) @@ -42741,6 +48886,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + DeviceGuard.admx + DeviceGuard~AT~System~DeviceGuardCategory + VirtualizationBasedSecurity HighestValueMostSecure @@ -42750,8 +48898,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock. 0 + Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock. @@ -42766,6 +48914,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + DeviceGuard.admx + CredentialIsolationDrop + DeviceGuard~AT~System~DeviceGuardCategory + VirtualizationBasedSecurity LowestValueMostSecureZeroHasNoLimits @@ -42775,8 +48927,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support. 1 + Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support. @@ -42791,6 +48943,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + DeviceGuard.admx + RequirePlatformSecurityFeaturesDrop + DeviceGuard~AT~System~DeviceGuardCategory + VirtualizationBasedSecurity HighestValueMostSecure @@ -42820,8 +48976,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + 
@@ -42847,8 +49003,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -42894,8 +49050,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Specifies whether the user must input a PIN or password when the device resumes from an idle state. 1 + Specifies whether the user must input a PIN or password when the device resumes from an idle state. @@ -42919,8 +49075,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. 0 + Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. @@ -42933,6 +49089,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite @@ -42942,8 +49099,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords. 1 + Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords. @@ -42956,6 +49113,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -42965,8 +49123,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0 2 + Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0 @@ -42979,6 +49137,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure 
@@ -42988,8 +49147,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Specifies whether device lock is enabled. 1 + Specifies whether device lock is enabled. @@ -43002,6 +49161,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -43011,8 +49171,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Specifies when the password expires (in days). 0 + Specifies when the password expires (in days). @@ -43025,6 +49185,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecureZeroHasNoLimits @@ -43034,8 +49195,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Specifies how many passwords can be stored in the history that can’t be used. 0 + Specifies how many passwords can be stored in the history that can’t be used. @@ -43048,6 +49209,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure @@ -43057,8 +49219,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -43081,8 +49243,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + @@ -43104,8 +49266,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - 0 + @@ -43118,6 +49280,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecureZeroHasNoLimits @@ -43127,8 +49290,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. 0 + The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. 
@@ -43141,6 +49304,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecureZeroHasNoLimits @@ -43150,8 +49314,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Sets the maximum timeout value for the external display. 0 + Sets the maximum timeout value for the external display. @@ -43164,6 +49328,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + desktop LowestValueMostSecure @@ -43174,8 +49339,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. 1 + The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. @@ -43188,6 +49353,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure @@ -43197,8 +49363,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Specifies the minimum number or characters required in the PIN or password. 4 + Specifies the minimum number or characters required in the PIN or password. @@ -43211,6 +49377,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecureZeroHasNoLimits 
@@ -43220,12 +49387,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + 1 This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default. - 1 @@ -43238,8 +49405,38 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + + phone + Windows Settings~Security Settings~Account Policies~Password Policy + Minimum password age + HighestValueMostSecure + + + + PreventEnablingLockScreenCamera + + + + + + + + + + + + + + + + + text/plain + phone - HighestValueMostSecure + ControlPanelDisplay.admx + ControlPanelDisplay~AT~ControlPanel~Personalization + CPL_Personalization_NoLockScreenCamera + LastWrite @@ -43248,8 +49445,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + 
@@ -43275,8 +49472,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. 10 + Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. @@ -43289,6 +49486,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LastWrite @@ -43313,13 +49511,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - TurnOffGdiDPIScalingForApps + DisablePerProcessDpiForApps - This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. + This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. 
@@ -43333,6 +49531,95 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain phone + Display.admx + DisplayDisablePerProcessSystemDpiSettings + Display~AT~System~DisplayCat + DisplayPerProcessSystemDpiSettings + LastWrite + + + + EnablePerProcessDpi + + + + + + Enable or disable Per-Process System DPI for all applications. + + + + + + + + + + + text/plain + + + phone + Display.admx + DisplayGlobalPerProcessSystemDpiSettings + Display~AT~System~DisplayCat + DisplayPerProcessSystemDpiSettings + LowestValueMostSecure + + + + EnablePerProcessDpiForApps + + + + + + This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. + + + + + + + + + + + text/plain + + phone + Display.admx + DisplayEnablePerProcessSystemDpiSettings + Display~AT~System~DisplayCat + DisplayPerProcessSystemDpiSettings + LastWrite + + + + TurnOffGdiDPIScalingForApps + + + + + + This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. + + + + + + + + + + + text/plain + + phone + Display.admx + DisplayTurnOffGdiDPIScalingPrompt + Display~AT~System~DisplayCat + DisplayTurnOffGdiDPIScaling LastWrite @@ -43342,8 +49629,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. + This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. 
@@ -43357,6 +49644,10 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain phone + Display.admx + DisplayTurnOnGdiDPIScalingPrompt + Display~AT~System~DisplayCat + DisplayTurnOnGdiDPIScaling LastWrite @@ -43386,8 +49677,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -43413,8 +49704,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -43440,8 +49731,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -43467,8 +49758,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -43494,8 +49785,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -43541,8 +49832,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -43568,8 +49859,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -43595,8 +49886,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -43622,8 +49913,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -43669,8 +49960,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - 1 + @@ -43694,8 +49985,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - 1 + @@ -43709,6 +50000,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + Search.admx + Search~AT~WindowsComponents~Search + AllowCortana LowestValueMostSecure @@ -43718,8 +50012,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - 1 + @@ -43742,8 +50036,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - 1 + 
@@ -43757,6 +50051,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + FindMy.admx + FindMy~AT~WindowsComponents~FindMyDeviceCat + FindMy_AllowFindMyDeviceConfig LowestValueMostSecure @@ -43766,8 +50063,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - 1 + @@ -43790,8 +50087,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - 1 + @@ -43814,8 +50111,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - 1 + @@ -43838,8 +50135,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - 1 + @@ -43862,8 +50159,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - 1 + @@ -43886,8 +50183,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - 1 + @@ -43910,8 +50207,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - 1 + @@ -43935,8 +50232,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - 1 + @@ -43955,13 +50252,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - AllowWindowsTips + AllowWindowsConsumerFeatures + 0 - 1 @@ -43976,17 +50273,20 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone + CloudContent.admx + CloudContent~AT~WindowsComponents~CloudContent + DisableWindowsConsumerFeatures LowestValueMostSecure - DoNotShowFeedbackNotifications + AllowWindowsTips + 1 - 0 
@@ -43999,6 +50299,38 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + + phone + CloudContent.admx + CloudContent~AT~WindowsComponents~CloudContent + DisableSoftLanding + LowestValueMostSecure + + + + DoNotShowFeedbackNotifications + + + + + 0 + + + + + + + + + + + + text/plain + + + FeedbackNotifications.admx + FeedbackNotifications~AT~WindowsComponents~DataCollectionAndPreviewBuilds + DoNotShowFeedbackNotifications HighestValueMostSecure @@ -44028,8 +50360,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44042,6 +50374,84 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + ExploitGuard.admx + ExploitProtection_Name + ExploitGuard~AT~WindowsComponents~WindowsDefenderExploitGuard~ExploitProtection + ExploitProtection_Name + LastWrite + + + + + FileExplorer + + + + + + + + + + + + + + + + + + + TurnOffDataExecutionPreventionForExplorer + + + + + + + + + + + + + + + + + text/plain + + phone + Explorer.admx + Explorer~AT~WindowsExplorer + NoDataExecutionPrevention + LastWrite + + + + TurnOffHeapTerminationOnCorruption + + + + + + + + + + + + + + + + + text/plain + + phone + Explorer.admx + Explorer~AT~WindowsExplorer + NoHeapTerminationOnCorruption LastWrite @@ -44071,8 +50481,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. 1 + Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. 
@@ -44115,8 +50525,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen 0 + Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen @@ -44131,6 +50541,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone + Handwriting.admx + Handwriting~AT~WindowsComponents~Handwriting + PanelDefaultModeDocked LowestValueMostSecure @@ -44160,8 +50573,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44187,8 +50600,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44214,8 +50627,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44241,8 +50654,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44268,8 +50681,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44295,8 +50708,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44322,8 +50735,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44349,8 +50762,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44376,8 +50789,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44403,8 +50816,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44430,8 +50843,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44457,8 +50870,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44484,8 +50897,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + 
@@ -44511,8 +50924,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44538,8 +50951,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44565,8 +50978,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44592,8 +51005,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44619,8 +51032,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44646,8 +51059,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44673,8 +51086,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44700,8 +51113,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44727,8 +51140,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44754,8 +51167,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44781,8 +51194,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44808,8 +51221,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44835,8 +51248,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44862,8 +51275,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44889,8 +51302,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + 
@@ -44905,8 +51318,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryBinaryBehaviorSecurityRestriction - IESF_PolicyExplorerProcesses_2 + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryConsistentMimeHandling + IESF_PolicyExplorerProcesses_5 LastWrite @@ -44916,8 +51329,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44943,8 +51356,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44970,8 +51383,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -44997,8 +51410,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45024,8 +51437,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45051,8 +51464,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45078,8 +51491,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45105,8 +51518,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45132,8 +51545,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45159,8 +51572,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45186,8 +51599,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45213,8 +51626,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45240,8 +51653,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45267,8 +51680,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + 
@@ -45294,8 +51707,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45321,8 +51734,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45348,8 +51761,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45375,8 +51788,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45402,8 +51815,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45429,8 +51842,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45456,8 +51869,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45483,8 +51896,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45510,8 +51923,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45537,8 +51950,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45564,8 +51977,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45591,8 +52004,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45618,8 +52031,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45645,8 +52058,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45672,8 +52085,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45699,8 +52112,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45726,8 +52139,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45753,8 +52166,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + 
@@ -45780,8 +52193,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45807,8 +52220,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45834,8 +52247,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45861,8 +52274,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45888,8 +52301,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45915,8 +52328,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45942,8 +52355,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45969,8 +52382,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -45996,8 +52409,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46023,8 +52436,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46050,8 +52463,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46071,14 +52484,41 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor LastWrite + + InternetZoneAllowVBScriptToRunInInternetExplorer + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyAllowVBScript_1 + LastWrite + + InternetZoneDoNotRunAntimalwareAgainstActiveXControls - + @@ -46104,8 +52544,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46131,8 +52571,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46158,8 +52598,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + 
@@ -46185,8 +52625,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46212,8 +52652,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46239,8 +52679,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46266,8 +52706,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46293,8 +52733,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46320,8 +52760,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46347,8 +52787,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46374,8 +52814,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46401,8 +52841,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46428,8 +52868,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46455,8 +52895,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46482,8 +52922,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46509,8 +52949,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46536,8 +52976,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46563,8 +53003,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46590,8 +53030,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46617,8 +53057,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46644,8 +53084,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + 
@@ -46671,8 +53111,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46698,8 +53138,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46725,8 +53165,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46752,8 +53192,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46779,8 +53219,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46806,8 +53246,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46833,8 +53273,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46860,8 +53300,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46887,8 +53327,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46914,8 +53354,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46941,8 +53381,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46968,8 +53408,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -46995,8 +53435,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47022,8 +53462,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47049,8 +53489,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47076,8 +53516,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47103,8 +53543,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47130,8 +53570,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + 
@@ -47157,8 +53597,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47184,8 +53624,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47211,8 +53651,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47238,8 +53678,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47265,8 +53705,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47292,8 +53732,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47319,8 +53759,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47346,8 +53786,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47373,8 +53813,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47400,8 +53840,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47427,8 +53867,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47454,8 +53894,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47481,8 +53921,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47508,8 +53948,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47535,8 +53975,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + 
@@ -47556,14 +53996,41 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor LastWrite + + LockedDownIntranetJavaPermissions + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_PolicyJavaPermissions_4 + LastWrite + + LockedDownIntranetZoneAllowAccessToDataSources - + @@ -47589,8 +54056,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47616,8 +54083,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47643,8 +54110,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47670,8 +54137,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47697,8 +54164,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47724,8 +54191,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47751,8 +54218,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47778,8 +54245,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47805,8 +54272,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47832,8 +54299,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47859,8 +54326,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47886,8 +54353,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47913,8 +54380,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47940,8 +54407,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + 
@@ -47967,8 +54434,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -47994,8 +54461,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48021,8 +54488,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48048,8 +54515,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48075,8 +54542,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48102,8 +54569,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48129,8 +54596,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48156,8 +54623,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48183,8 +54650,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48210,8 +54677,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48237,8 +54704,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48264,8 +54731,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48291,8 +54758,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48318,8 +54785,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48345,8 +54812,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48372,8 +54839,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48399,8 +54866,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48426,8 +54893,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + 
@@ -48453,8 +54920,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48480,8 +54947,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48507,8 +54974,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48534,8 +55001,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48561,8 +55028,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48588,8 +55055,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48615,8 +55082,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48642,8 +55109,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48669,8 +55136,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48696,8 +55163,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48723,8 +55190,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48750,8 +55217,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48777,8 +55244,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48804,8 +55271,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48831,8 +55298,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48858,8 +55325,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48885,8 +55352,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48912,8 +55379,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + 
@@ -48939,8 +55406,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48966,8 +55433,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -48983,7 +55450,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation - IESF_PolicyAllProcesses_9 + IESF_PolicyExplorerProcesses_9 LastWrite @@ -48993,8 +55460,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49020,8 +55487,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49037,7 +55504,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall - IESF_PolicyAllProcesses_11 + IESF_PolicyExplorerProcesses_11 LastWrite @@ -49047,8 +55514,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49074,8 +55541,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49101,8 +55568,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49128,8 +55595,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49155,8 +55622,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49182,8 +55649,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49209,8 +55676,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49236,8 +55703,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + 
@@ -49263,8 +55730,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49290,8 +55757,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49317,8 +55784,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49344,8 +55811,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49371,8 +55838,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49398,8 +55865,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49425,8 +55892,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49452,8 +55919,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49479,8 +55946,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49506,8 +55973,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49533,8 +56000,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49560,8 +56027,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49587,8 +56054,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49608,14 +56075,41 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor LastWrite + + RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyAllowVBScript_7 + LastWrite + + RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - + @@ -49641,8 +56135,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + 
@@ -49668,8 +56162,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49695,8 +56189,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49722,8 +56216,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49749,8 +56243,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49776,8 +56270,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49803,8 +56297,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49830,8 +56324,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49857,8 +56351,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49884,8 +56378,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49911,8 +56405,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49938,8 +56432,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49965,8 +56459,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -49992,8 +56486,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50019,8 +56513,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50046,8 +56540,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50073,8 +56567,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50100,8 +56594,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50127,8 +56621,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + 
@@ -50154,8 +56648,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50171,7 +56665,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload - IESF_PolicyAllProcesses_12 + IESF_PolicyExplorerProcesses_12 LastWrite @@ -50181,8 +56675,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50198,7 +56692,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions - IESF_PolicyAllProcesses_8 + IESF_PolicyExplorerProcesses_8 LastWrite @@ -50208,8 +56702,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50230,13 +56724,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - SecurityZonesUseOnlyMachineSettings + SecurityZonesUseOnlyMachineSettings - + @@ -50262,8 +56756,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50289,8 +56783,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50316,8 +56810,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50343,8 +56837,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50370,8 +56864,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50397,8 +56891,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50424,8 +56918,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50451,8 +56945,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + 
@@ -50478,8 +56972,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50505,8 +56999,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50532,8 +57026,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50559,8 +57053,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50586,8 +57080,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50613,8 +57107,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50660,8 +57154,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50687,8 +57181,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50714,8 +57208,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50741,8 +57235,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + @@ -50768,8 +57262,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - + 
@@ -50790,6 +57284,245 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + KioskBrowser + + + + + + + + + + + + + + + + + + + BlockedUrlExceptions + + + + + + List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. + + + + + + + + + + + text/plain + + phone + LastWrite + + + + BlockedUrls + + + + + + List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. + + + + + + + + + + + text/plain + + phone + LastWrite + + + + DefaultURL + + + + + + Configures the default URL kiosk browsers to navigate on launch and restart. + + + + + + + + + + + text/plain + + phone + LastWrite + + + + EnableEndSessionButton + + + + + 0 + Enable/disable kiosk browser's end session button. + + + + + + + + + + + text/plain + + + phone + LastWrite + + + + EnableHomeButton + + + + + 0 + Enable/disable kiosk browser's home button. + + + + + + + + + + + text/plain + + + phone + LastWrite + + + + EnableNavigationButtons + + + + + 0 + Enable/disable kiosk browser's navigation buttons (forward/back). + + + + + + + + + + + text/plain + + + phone + LastWrite + + + + RestartOnIdleTime + + + + + 0 + Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. + + + + + + + + + + + text/plain + + + phone + LastWrite + + + + + LanmanWorkstation + + + + + + + + + + + + + + + + + + + EnableInsecureGuestLogons + + + + + 0 + + + + + + + + + + + + text/plain + + + LanmanWorkstation.admx + LanmanWorkstation~AT~Network~Cat_LanmanWorkstation + Pol_EnableInsecureGuestLogons + LowestValueMostSecure + + + Licensing @@ -50815,8 +57548,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - 1 + 
@@ -50831,6 +57564,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone + AVSValidationGP.admx + AVSValidationGP~AT~WindowsComponents~SoftwareProtectionPlatform + AllowWindowsEntitlementReactivation LowestValueMostSecure @@ -50840,8 +57576,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - 0 + @@ -50856,6 +57592,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone + AVSValidationGP.admx + AVSValidationGP~AT~WindowsComponents~SoftwareProtectionPlatform + NoAcquireGT LowestValueMostSecure @@ -50885,6 +57624,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + 0 This policy setting prevents users from adding new Microsoft accounts on this computer. If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. @@ -50892,7 +57632,6 @@ If you select the "Users can’t add Microsoft accounts" option, users will not If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. - 0 @@ -50907,6 +57646,8 @@ If you disable or do not configure this policy (recommended), users will be able phone + Windows Settings~Security Settings~Local Policies~Security Options + Accounts: Block Microsoft accounts LastWrite 
@@ -50916,6 +57657,7 @@ If you disable or do not configure this policy (recommended), users will be able + 0 This security setting determines whether the local Administrator account is enabled or disabled. Notes @@ -50926,7 +57668,6 @@ Disabling the Administrator account can become a maintenance issue under certain Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. Default: Disabled. - 0 @@ -50939,7 +57680,10 @@ Default: Disabled. text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + Accounts: Administrator account status LastWrite @@ -50949,12 +57693,12 @@ Default: Disabled. + 0 This security setting determines if the Guest account is enabled or disabled. Default: Disabled. Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. - 0 @@ -50967,7 +57711,10 @@ Note: If the Guest account is disabled and the security option Network Access: S text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + Accounts: Guest account status LastWrite @@ -50977,6 +57724,7 @@ Note: If the Guest account is disabled and the security option Network Access: S + 1 Accounts: Limit local account use of blank passwords to console logon only This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. 
@@ -50993,7 +57741,6 @@ Notes This setting does not affect logons that use domain accounts. It is possible for applications that use remote interactive logons to bypass this setting. - 1 @@ -51006,7 +57753,10 @@ It is possible for applications that use remote interactive logons to bypass thi text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + Accounts: Limit local account use of blank passwords to console logon only LastWrite @@ -51016,12 +57766,12 @@ It is possible for applications that use remote interactive logons to bypass thi + Administrator Accounts: Rename administrator account This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. Default: Administrator. - Administrator @@ -51035,6 +57785,8 @@ Default: Administrator. text/plain phone + Windows Settings~Security Settings~Local Policies~Security Options + Accounts: Rename administrator account LastWrite @@ -51044,12 +57796,12 @@ Default: Administrator. + Guest Accounts: Rename guest account This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. Default: Guest. - Guest @@ -51063,6 +57815,8 @@ Default: Guest. text/plain phone + Windows Settings~Security Settings~Local Policies~Security Options + Accounts: Rename guest account LastWrite @@ -51072,6 +57826,7 @@ Default: Guest. + 0 Devices: Allowed to format and eject removable media This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: 
@@ -51080,7 +57835,6 @@ Administrators Administrators and Interactive Users Default: This policy is not defined and only Administrators have this ability. - 0 @@ -51094,6 +57848,8 @@ Default: This policy is not defined and only Administrators have this ability.text/plain phone + Windows Settings~Security Settings~Local Policies~Security Options + Devices: Allowed to format and eject removable media LastWrite @@ -51103,13 +57859,13 @@ Default: This policy is not defined and only Administrators have this ability. + 1 Devices: Allow undock without having to log on This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. Default: Enabled. Caution Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. - 1 @@ -51122,7 +57878,10 @@ Disabling this policy may tempt users to try and physically remove the laptop fr text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + Devices: Allow undock without having to log on LastWrite 
@@ -51132,6 +57891,7 @@ Disabling this policy may tempt users to try and physically remove the laptop fr + 0 Devices: Prevent users from installing printer drivers when connecting to shared printers For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. @@ -51143,7 +57903,6 @@ Notes This setting does not affect the ability to add a local printer. This setting does not affect Administrators. - 0 @@ -51156,7 +57915,10 @@ This setting does not affect Administrators. text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + Devices: Prevent users from installing printer drivers LastWrite @@ -51166,6 +57928,7 @@ This setting does not affect Administrators. + 0 Devices: Restrict CD-ROM access to locally logged-on user only This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. @@ -51173,7 +57936,6 @@ This security setting determines whether a CD-ROM is accessible to both local an If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user. - 0 
@@ -51187,6 +57949,129 @@ Default: This policy is not defined and CD-ROM access is not restricted to the l text/plain phone + Windows Settings~Security Settings~Local Policies~Security Options + Devices: Restrict CD-ROM access to locally logged-on user only + LastWrite + + + + DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways + + + + + 1 + Domain member: Digitally encrypt or sign secure channel data (always) + +This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. + +When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. + +This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: + +Domain member: Digitally encrypt secure channel data (when possible) +Domain member: Digitally sign secure channel data (when possible) + +Default: Enabled. + +Notes: + +If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. 
This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. +If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. +Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Domain member: Digitally encrypt or sign secure channel data (always) + LastWrite + + + + DomainMember_DigitallyEncryptSecureChannelDataWhenPossible + + + + + 1 + Domain member: Digitally encrypt secure channel data (when possible) + +This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. + +When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc. + +This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption. + +Default: Enabled. 
+ +Important + +There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted. + +Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Domain member: Digitally encrypt secure channel data (when possible) + LastWrite + + + + DomainMember_DisableMachineAccountPasswordChanges + + + + + 0 + Domain member: Disable machine account password changes + +Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. + +Default: Disabled. + +Notes + +This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions. +This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names. 
+ + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Domain member: Disable machine account password changes LastWrite @@ -51196,11 +58081,11 @@ Default: This policy is not defined and CD-ROM access is not restricted to the l + 1 Interactive Logon:Display user information when the session is locked User display name, domain and user names (1) User display name only (2) Do not display user information (3) - 1 @@ -51213,7 +58098,10 @@ Do not display user information (3) text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + Interactive logon: Display user information when the session is locked LastWrite @@ -51223,6 +58111,7 @@ Do not display user information (3) + 0 Interactive logon: Don't display last signed-in This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. If this policy is enabled, the username will not be shown. @@ -51230,7 +58119,6 @@ If this policy is enabled, the username will not be shown. If this policy is disabled, the username will be shown. Default: Disabled. - 0 @@ -51243,7 +58131,10 @@ Default: Disabled. text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + Interactive logon: Don't display last signed-in LastWrite @@ -51253,6 +58144,7 @@ Default: Disabled. + 1 Interactive logon: Don't display username at sign-in This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. If this policy is enabled, the username will not be shown. @@ -51260,7 +58152,6 @@ If this policy is enabled, the username will not be shown. If this policy is disabled, the username will be shown. Default: Disabled. - 1 
@@ -51273,7 +58164,10 @@ Default: Disabled. text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + Interactive logon: Don't display username at sign-in LastWrite @@ -51283,6 +58177,7 @@ Default: Disabled. + 1 Interactive logon: Do not require CTRL+ALT+DEL This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. @@ -51293,7 +58188,6 @@ If this policy is disabled, any user is required to press CTRL+ALT+DEL before lo Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. Default on stand-alone computers: Enabled. - 1 @@ -51306,7 +58200,10 @@ Default on stand-alone computers: Enabled. text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + Interactive logon: Do not require CTRL+ALT+DEL LastWrite @@ -51316,12 +58213,12 @@ Default on stand-alone computers: Enabled. + 0 Interactive logon: Machine inactivity limit. Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Default: not enforced. - 0 @@ -51334,7 +58231,10 @@ Default: not enforced. text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + Interactive logon: Machine inactivity limit LastWrite @@ -51344,6 +58244,7 @@ Default: not enforced. + Interactive logon: Message text for users attempting to log on This security setting specifies a text message that is displayed to users when they log on. @@ -51351,7 +58252,6 @@ This security setting specifies a text message that is displayed to users when t This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. Default: No message. - 
@@ -51365,6 +58265,8 @@ Default: No message. text/plain phone + Windows Settings~Security Settings~Local Policies~Security Options + Interactive logon: Message text for users attempting to log on LastWrite 0xF000 @@ -51375,12 +58277,12 @@ Default: No message. + Interactive logon: Message title for users attempting to log on This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. Default: No message. - 
@@ -51394,23 +58296,40 @@ Default: No message. text/plain phone + Windows Settings~Security Settings~Local Policies~Security Options + Interactive logon: Message title for users attempting to log on LastWrite - NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM + InteractiveLogon_SmartCardRemovalBehavior - Network access: Restrict clients allowed to make remote calls to SAM + 0 + Interactive logon: Smart card removal behavior -This policy setting allows you to restrict remote rpc connections to SAM. +This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. -If not selected, the default security descriptor will be used. +The options are: -This policy is supported on at least Windows Server 2016. - + No Action + Lock Workstation + Force Logoff + Disconnect if a Remote Desktop Services session + +If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. + +If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. + +If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. + +Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. + +Default: This policy is not defined, which means that the system treats it as No action. + +On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started. 
@@ -51424,19 +58343,38 @@ This policy is supported on at least Windows Server 2016. text/plain phone + Windows Settings~Security Settings~Local Policies~Security Options + Interactive logon: Smart card removal behavior LastWrite - NetworkSecurity_AllowPKU2UAuthenticationRequests + MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees - Network security: Allow PKU2U authentication requests to this computer to use online identities. - -This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. 1 + Microsoft network client: Digitally sign communications (if server agrees) + +This security setting determines whether the SMB client attempts to negotiate SMB packet signing. + +The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. + +If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. + +Default: Enabled. + +Notes + +All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. 
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. +SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. +For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. 
@@ -51449,16 +58387,646 @@ This policy will be turned off by default on domain joined machines. This would text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + Microsoft network client: Digitally sign communications (if server agrees) LastWrite + + MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers + + + + + 0 + Microsoft network client: Send unencrypted password to connect to third-party SMB servers + +If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. + +Sending unencrypted passwords is a security risk. + +Default: Disabled. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Microsoft network client: Send unencrypted password to third-party SMB servers + LastWrite + + + + MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession + + + + + 15 + Microsoft network server: Amount of idle time required before suspending a session + +This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. + +Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. + +For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy. + +Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations. 
+ + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Microsoft network server: Amount of idle time required before suspending session + LowestValueMostSecure + + + + MicrosoftNetworkServer_DigitallySignCommunicationsAlways + + + + + 0 + Microsoft network server: Digitally sign communications (always) + +This security setting determines whether packet signing is required by the SMB server component. + +The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. + +If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. + +Default: + +Disabled for member servers. +Enabled for domain controllers. + +Notes + +All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. 
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. +If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. +SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. + +Important + +For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: +Microsoft network server: Digitally sign communications (if server agrees) + +For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server: +HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature +For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Microsoft network server: Digitally sign communications (always) + LastWrite + + + + MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees + + + + + 0 + Microsoft network server: Digitally sign communications (if client agrees) + +This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. + +The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. 
To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. + +If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. + +Default: Enabled on domain controllers only. + +Important + +For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature + +Notes + +All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. 
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. +For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Microsoft network server: Digitally sign communications (if client agrees) + LastWrite + + + + NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts + + + + + 1 + Network access: Do not allow anonymous enumeration of SAM accounts + +This security setting determines what additional permissions will be granted for anonymous connections to the computer. + +Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. + +This security option allows additional restrictions to be placed on anonymous connections as follows: + +Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. +Disabled: No additional restrictions. Rely on default permissions. + +Default on workstations: Enabled. +Default on server:Enabled. + +Important + +This policy has no impact on domain controllers. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Network access: Do not allow anonymous enumeration of SAM accounts + LastWrite + + + + NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares + + + + + 0 + Network access: Do not allow anonymous enumeration of SAM accounts and shares + +This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. 
+ +Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. + +Default: Disabled. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Network access: Do not allow anonymous enumeration of SAM accounts and shares + LastWrite + + + + NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares + + + + + 1 + Network access: Restrict anonymous access to Named Pipes and Shares + +When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: + +Network access: Named pipes that can be accessed anonymously +Network access: Shares that can be accessed anonymously +Default: Enabled. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Network access: Restrict anonymous access to Named Pipes and Shares + LastWrite + + + + NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM + + + + + + Network access: Restrict clients allowed to make remote calls to SAM + +This policy setting allows you to restrict remote rpc connections to SAM. + +If not selected, the default security descriptor will be used. + +This policy is supported on at least Windows Server 2016. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Network access: Restrict clients allowed to make remote calls to SAM + LastWrite + + + + NetworkSecurity_AllowPKU2UAuthenticationRequests + + + + + 1 + Network security: Allow PKU2U authentication requests to this computer to use online identities. + +This policy will be turned off by default on domain joined machines. 
This would prevent online identities from authenticating to the domain joined machine. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Network security: Allow PKU2U authentication requests to this computer to use online identities. + LastWrite + + + + NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange + + + + + 1 + Network security: Do not store LAN Manager hash value on next password change + +This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. + + +Default on Windows Vista and above: Enabled +Default on Windows XP: Disabled. + +Important + +Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. +This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Network security: Do not store LAN Manager hash value on next password change + LastWrite + + + + NetworkSecurity_LANManagerAuthenticationLevel + + + + + 0 + Network security LAN Manager authentication level + +This security setting determines which challenge/response authentication protocol is used for network logons. 
This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: + +Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. + +Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. + +Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. + +Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. + +Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). + +Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). + +Important + +This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. 
+ +Default: + +Windows 2000 and windows XP: send LM and NTLM responses + +Windows Server 2003: Send NTLM response only + +Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Network security: LAN Manager authentication level + HighestValueMostSecure + + + + NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers + + + + + 0 + Network security: Minimum session security for NTLM SSP based (including secure RPC) servers + +This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: + +Require NTLMv2 session security: The connection will fail if message integrity is not negotiated. +Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated. + +Default: + +Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. + +Windows 7 and Windows Server 2008 R2: Require 128-bit encryption + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Network security: Minimum session security for NTLM SSP based (including secure RPC) servers + HighestValueMostSecure + + + + NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication + + + + + + Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication + +This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. 
+ +If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. + +If you do not configure this policy setting, no exceptions will be applied. + +The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication + LastWrite + + + + NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic + + + + + 0 + Network security: Restrict NTLM: Audit Incoming NTLM Traffic + +This policy setting allows you to audit incoming NTLM traffic. + +If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. + +If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. + +If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. + +This policy is supported on at least Windows 7 or Windows Server 2008 R2. + +Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
+ + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Network security: Restrict NTLM: Audit Incoming NTLM Traffic + HighestValueMostSecure + + + + NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic + + + + + 0 + Network security: Restrict NTLM: Incoming NTLM traffic + +This policy setting allows you to deny or allow incoming NTLM traffic. + +If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. + +If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. + +If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. + +This policy is supported on at least Windows 7 or Windows Server 2008 R2. + +Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Network security: Restrict NTLM: Incoming NTLM traffic + HighestValueMostSecure + + + + NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers + + + + + 0 + Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers + +This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. + +If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. + +If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. 
+ +If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. + +This policy is supported on at least Windows 7 or Windows Server 2008 R2. + +Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers + HighestValueMostSecure + + Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn + 1 Shutdown: Allow system to be shut down without having to log on This security setting determines whether a computer can be shut down without having to log on to Windows. @@ -51469,7 +59037,6 @@ When this policy is disabled, the option to shut down the computer does not appe Default on workstations: Enabled. Default on servers: Disabled. - 1 @@ -51482,7 +59049,10 @@ Default on servers: Disabled. text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + Shutdown: Allow system to be shut down without having to log on LastWrite @@ -51492,6 +59062,7 @@ Default on servers: Disabled. + 0 Shutdown: Clear virtual memory pagefile This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. @@ -51501,7 +59072,6 @@ Virtual memory support uses a system pagefile to swap pages of memory to disk wh When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. Default: Disabled. - 0 
@@ -51514,7 +59084,10 @@ Default: Disabled. text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + Shutdown: Clear virtual memory pagefile LastWrite @@ -51524,6 +59097,7 @@ Default: Disabled. + 0 User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. @@ -51531,7 +59105,6 @@ This policy setting controls whether User Interface Accessibility (UIAccess or U • Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. • Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. - 0 @@ -51544,7 +59117,10 @@ This policy setting controls whether User Interface Accessibility (UIAccess or U text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop LastWrite @@ -51554,6 +59130,7 @@ This policy setting controls whether User Interface Accessibility (UIAccess or U + 5 User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode This policy setting controls the behavior of the elevation prompt for administrators. 
@@ -51571,7 +59148,6 @@ The options are: • Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - 5 @@ -51584,7 +59160,10 @@ The options are: text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode LastWrite @@ -51594,6 +59173,7 @@ The options are: + 3 User Account Control: Behavior of the elevation prompt for standard users This policy setting controls the behavior of the elevation prompt for standard users. @@ -51604,7 +59184,6 @@ The options are: • Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. • Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - 3 @@ -51619,6 +59198,8 @@ The options are: phone + Windows Settings~Security Settings~Local Policies~Security Options + User Account Control: Behavior of the elevation prompt for standard users LastWrite 
@@ -51628,6 +59209,7 @@ The options are: + 1 User Account Control: Detect application installations and prompt for elevation This policy setting controls the behavior of application installation detection for the computer. @@ -51637,7 +59219,6 @@ The options are: Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. - 1 @@ -51650,7 +59231,10 @@ Disabled: Application installation packages are not detected and prompted for el text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + User Account Control: Detect application installations and prompt for elevation LastWrite @@ -51660,6 +59244,7 @@ Disabled: Application installation packages are not detected and prompted for el + 0 User Account Control: Only elevate executable files that are signed and validated This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. @@ -51669,7 +59254,6 @@ The options are: • Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. • Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. - 0 
@@ -51682,7 +59266,10 @@ The options are: text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + User Account Control: Only elevate executables that are signed and validated LastWrite @@ -51692,6 +59279,7 @@ The options are: + 1 User Account Control: Only elevate UIAccess applications that are installed in secure locations This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: @@ -51707,7 +59295,6 @@ The options are: • Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. • Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. - 1 @@ -51720,7 +59307,10 @@ The options are: text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + User Account Control: Only elevate UIAccess applications that are installed in secure locations LastWrite @@ -51730,6 +59320,7 @@ The options are: + 1 User Account Control: Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. @@ -51739,7 +59330,6 @@ The options are: • Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. • Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. - 1 
@@ -51752,7 +59342,10 @@ The options are: text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + User Account Control: Run all administrators in Admin Approval Mode LastWrite @@ -51762,6 +59355,7 @@ The options are: + 1 User Account Control: Switch to the secure desktop when prompting for elevation This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. @@ -51771,7 +59365,6 @@ The options are: • Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. • Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. - 1 @@ -51784,7 +59377,10 @@ The options are: text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + User Account Control: Switch to the secure desktop when prompting for elevation LastWrite @@ -51794,6 +59390,7 @@ The options are: + 0 User Account Control: Use Admin Approval Mode for the built-in Administrator account This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. @@ -51803,7 +59400,6 @@ The options are: • Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. • Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. - 0 @@ -51816,7 +59412,10 @@ The options are: text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + User Account Control: Admin Approval Mode for the Built-in Administrator account LastWrite 
@@ -51826,6 +59425,7 @@ The options are: + 1 User Account Control: Virtualize file and registry write failures to per-user locations This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. @@ -51835,7 +59435,6 @@ The options are: • Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. • Disabled: Applications that write data to protected locations fail. - 1 @@ -51848,7 +59447,10 @@ The options are: text/plain + phone + Windows Settings~Security Settings~Local Policies~Security Options + User Account Control: Virtualize file and registry write failures to per-user locations LastWrite @@ -51878,8 +59480,8 @@ The options are: - 0 + @@ -51892,6 +59494,10 @@ The options are: text/plain + + LocationProviderAdm.admx + LocationProviderAdm~AT~LocationAndSensors~WindowsLocationProvider + DisableWindowsLocationProvider_1 LastWrite @@ -51921,8 +59527,8 @@ The options are: - 1 + @@ -51937,6 +59543,9 @@ The options are: phone + EdgeUI.admx + EdgeUI~AT~WindowsComponents~EdgeUI + AllowEdgeSwipe LowestValueMostSecure @@ -51966,8 +59575,8 @@ The options are: - 65535 + @@ -51990,8 +59599,8 @@ The options are: - 65535 + @@ -52005,6 +59614,9 @@ The options are: text/plain + WinMaps.admx + WinMaps~AT~WindowsComponents~Maps + TurnOffAutoUpdate LastWrite @@ -52034,8 +59646,8 @@ The options are: - This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. 1 + This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. @@ -52048,6 +59660,10 @@ The options are: text/plain + + messaging.admx + messaging~AT~WindowsComponents~Messaging_Category + AllowMessageSync LowestValueMostSecure 
@@ -52057,8 +59673,8 @@ The options are: - This policy setting allows you to enable or disable the sending and receiving cellular MMS messages. 1 + This policy setting allows you to enable or disable the sending and receiving cellular MMS messages. @@ -52071,6 +59687,7 @@ The options are: text/plain + desktop LowestValueMostSecure @@ -52081,8 +59698,8 @@ The options are: - This policy setting allows you to enable or disable the sending and receiving of cellular RCS (Rich Communication Services) messages. 1 + This policy setting allows you to enable or disable the sending and receiving of cellular RCS (Rich Communication Services) messages. 
@@ -52095,11 +59712,322 @@ The options are: text/plain + desktop LowestValueMostSecure + + MSSecurityGuide + + + + + + + + + + + + + + + + + + + ApplyUACRestrictionsToLocalAccountsOnNetworkLogon + + + + + + + + + + + + + + + + + text/plain + + phone + SecGuide.admx + SecGuide~AT~Cat_SecGuide + Pol_SecGuide_0201_LATFP + LastWrite + + + + ConfigureSMBV1ClientDriver + + + + + + + + + + + + + + + + + text/plain + + phone + SecGuide.admx + SecGuide~AT~Cat_SecGuide + Pol_SecGuide_0002_SMBv1_ClientDriver + LastWrite + + + + ConfigureSMBV1Server + + + + + + + + + + + + + + + + + text/plain + + phone + SecGuide.admx + SecGuide~AT~Cat_SecGuide + Pol_SecGuide_0001_SMBv1_Server + LastWrite + + + + EnableStructuredExceptionHandlingOverwriteProtection + + + + + + + + + + + + + + + + + text/plain + + phone + SecGuide.admx + SecGuide~AT~Cat_SecGuide + Pol_SecGuide_0102_SEHOP + LastWrite + + + + TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications + + + + + + + + + + + + + + + + + text/plain + + phone + SecGuide.admx + SecGuide~AT~Cat_SecGuide + Pol_SecGuide_0101_WDPUA + LastWrite + + + + WDigestAuthentication + + + + + + + + + + + + + + + + + text/plain + + phone + SecGuide.admx + SecGuide~AT~Cat_SecGuide + Pol_SecGuide_0202_WDigestAuthn + LastWrite + + + + + MSSLegacy + + + + + + + + + + + + + + + + + + + AllowICMPRedirectsToOverrideOSPFGeneratedRoutes + + + + + + + + + + + + + + + + + text/plain + + phone + mss-legacy.admx + Mss-legacy~AT~Cat_MSS + Pol_MSS_EnableICMPRedirect + LastWrite + + + + AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers + + + + + + + + + + + + + + + + + text/plain + + phone + mss-legacy.admx + Mss-legacy~AT~Cat_MSS + Pol_MSS_NoNameReleaseOnDemand + LastWrite + + + + IPSourceRoutingProtectionLevel + + + + + + + + + + + + + + + + + text/plain + + phone + mss-legacy.admx + Mss-legacy~AT~Cat_MSS + Pol_MSS_DisableIPSourceRouting + LastWrite + + + + IPv6SourceRoutingProtectionLevel + + + + + + + + + + + + + + + + + 
text/plain + + phone + mss-legacy.admx + Mss-legacy~AT~Cat_MSS + Pol_MSS_DisableIPSourceRoutingIPv6 + LastWrite + + + NetworkIsolation @@ -52125,8 +60053,8 @@ The options are: - + @@ -52139,6 +60067,10 @@ The options are: text/plain + NetworkIsolation.admx + WF_NetIsolation_EnterpriseCloudResourcesBox + NetworkIsolation~AT~Network~WF_Isolation + WF_NetIsolation_EnterpriseCloudResources LastWrite @@ -52148,8 +60080,8 @@ The options are: - + @@ -52162,6 +60094,10 @@ The options are: text/plain + NetworkIsolation.admx + WF_NetIsolation_Intranet_ProxiesBox + NetworkIsolation~AT~Network~WF_Isolation + WF_NetIsolation_Intranet_Proxies LastWrite @@ -52171,8 +60107,8 @@ The options are: - + @@ -52185,6 +60121,10 @@ The options are: text/plain + NetworkIsolation.admx + WF_NetIsolation_PrivateSubnetBox + NetworkIsolation~AT~Network~WF_Isolation + WF_NetIsolation_PrivateSubnet LastWrite @@ -52194,8 +60134,8 @@ The options are: - 0 + @@ -52208,6 +60148,10 @@ The options are: text/plain + + NetworkIsolation.admx + NetworkIsolation~AT~Network~WF_Isolation + WF_NetIsolation_Authoritative_Subnet LastWrite @@ -52217,8 +60161,8 @@ The options are: - + @@ -52240,8 +60184,8 @@ The options are: - + @@ -52254,6 +60198,10 @@ The options are: text/plain + NetworkIsolation.admx + WF_NetIsolation_Domain_ProxiesBox + NetworkIsolation~AT~Network~WF_Isolation + WF_NetIsolation_Domain_Proxies LastWrite @@ -52263,8 +60211,8 @@ The options are: - 0 + @@ -52277,6 +60225,10 @@ The options are: text/plain + + NetworkIsolation.admx + NetworkIsolation~AT~Network~WF_Isolation + WF_NetIsolation_Authoritative_Proxies LastWrite @@ -52286,8 +60238,8 @@ The options are: - + 
@@ -52300,10 +60252,61 @@ The options are: text/plain + NetworkIsolation.admx + WF_NetIsolation_NeutralResourcesBox + NetworkIsolation~AT~Network~WF_Isolation + WF_NetIsolation_NeutralResources LastWrite + + Notifications + + + + + + + + + + + + + + + + + + + DisallowCloudNotification + + + + + 0 + + + + + + + + + + + + text/plain + + + WPN.admx + WPN~AT~StartMenu~NotificationsCategory + NoCloudNotification + LowestValueMostSecure + + + Power @@ -52323,14 +60326,41 @@ The options are: + + AllowStandbyStatesWhenSleepingOnBattery + + + + + + + + + + + + + + + + + text/plain + + phone + power.admx + Power~AT~System~PowerManagementCat~PowerSleepSettingsCat + AllowStandbyStatesDC_2 + LastWrite + + AllowStandbyWhenSleepingPluggedIn - + @@ -52356,8 +60386,8 @@ The options are: - + @@ -52383,8 +60413,8 @@ The options are: - + @@ -52410,8 +60440,8 @@ The options are: - + @@ -52437,8 +60467,8 @@ The options are: - + @@ -52464,8 +60494,8 @@ The options are: - + @@ -52491,8 +60521,8 @@ The options are: - + @@ -52518,8 +60548,8 @@ The options are: - + @@ -52545,8 +60575,8 @@ The options are: - + @@ -52592,8 +60622,8 @@ The options are: - + @@ -52619,8 +60649,8 @@ The options are: - + @@ -52666,8 +60696,8 @@ The options are: - 0 + @@ -52690,8 +60720,8 @@ The options are: - 1 + @@ -52706,6 +60736,9 @@ The options are: 10.0.10240 + Globalization.admx + Globalization~AT~ControlPanel~RegionalOptions + AllowInputPersonalization LowestValueMostSecure @@ -52715,8 +60748,8 @@ The options are: - 65535 + @@ -52730,6 +60763,9 @@ The options are: text/plain + UserProfiles.admx + UserProfiles~AT~System~UserProfiles + DisableAdvertisingId LowestValueMostSecureZeroHasNoLimits @@ -52739,8 +60775,8 @@ The options are: - Enables ActivityFeed, which is responsible for mirroring different activity types (as applicable) across device graph of the user. 1 + Enables ActivityFeed, which is responsible for mirroring different activity types (as applicable) across device graph of the user. 
@@ -52754,6 +60790,9 @@ The options are: text/plain + OSPolicy.admx + OSPolicy~AT~System~PolicyPolicies + EnableActivityFeed HighestValueMostSecure @@ -52763,8 +60802,8 @@ The options are: - This policy setting specifies whether Windows apps can access account information. 0 + This policy setting specifies whether Windows apps can access account information. @@ -52777,6 +60816,11 @@ The options are: text/plain + + AppPrivacy.admx + LetAppsAccessAccountInfo_Enum + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessAccountInfo HighestValueMostSecure @@ -52786,8 +60830,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. @@ -52800,6 +60844,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessAccountInfo_ForceAllowTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessAccountInfo LastWrite ; @@ -52810,8 +60858,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. 
@@ -52824,6 +60872,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessAccountInfo_ForceDenyTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessAccountInfo LastWrite ; @@ -52834,8 +60886,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. @@ -52848,6 +60900,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessAccountInfo_UserInControlOfTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessAccountInfo LastWrite ; @@ -52858,8 +60914,8 @@ The options are: - This policy setting specifies whether Windows apps can access the calendar. 0 + This policy setting specifies whether Windows apps can access the calendar. @@ -52872,6 +60928,11 @@ The options are: text/plain + + AppPrivacy.admx + LetAppsAccessCalendar_Enum + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessCalendar HighestValueMostSecure @@ -52881,8 +60942,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. 
@@ -52895,6 +60956,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessCalendar_ForceAllowTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessCalendar LastWrite ; @@ -52905,8 +60970,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. @@ -52919,6 +60984,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessCalendar_ForceDenyTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessCalendar LastWrite ; @@ -52929,8 +60998,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. @@ -52943,6 +61012,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessCalendar_UserInControlOfTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessCalendar LastWrite ; @@ -52953,8 +61026,8 @@ The options are: - This policy setting specifies whether Windows apps can access call history. 0 + This policy setting specifies whether Windows apps can access call history. 
@@ -52967,6 +61040,11 @@ The options are: text/plain + + AppPrivacy.admx + LetAppsAccessCallHistory_Enum + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessCallHistory HighestValueMostSecure @@ -52976,8 +61054,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. @@ -52990,6 +61068,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessCallHistory_ForceAllowTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessCallHistory LastWrite ; @@ -53000,8 +61082,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. @@ -53014,6 +61096,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessCallHistory_ForceDenyTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessCallHistory LastWrite ; 
@@ -53024,8 +61110,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. @@ -53038,6 +61124,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessCallHistory_UserInControlOfTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessCallHistory LastWrite ; @@ -53048,8 +61138,8 @@ The options are: - This policy setting specifies whether Windows apps can access the camera. 0 + This policy setting specifies whether Windows apps can access the camera. @@ -53062,6 +61152,11 @@ The options are: text/plain + + AppPrivacy.admx + LetAppsAccessCamera_Enum + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessCamera HighestValueMostSecure @@ -53071,8 +61166,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. @@ -53085,6 +61180,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessCamera_ForceAllowTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessCamera LastWrite ; 
@@ -53095,8 +61194,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. @@ -53109,6 +61208,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessCamera_ForceDenyTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessCamera LastWrite ; @@ -53119,8 +61222,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. @@ -53133,6 +61236,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessCamera_UserInControlOfTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessCamera LastWrite ; @@ -53143,8 +61250,8 @@ The options are: - This policy setting specifies whether Windows apps can access contacts. 0 + This policy setting specifies whether Windows apps can access contacts. @@ -53157,6 +61264,11 @@ The options are: text/plain + + AppPrivacy.admx + LetAppsAccessContacts_Enum + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessContacts HighestValueMostSecure 
@@ -53166,8 +61278,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. @@ -53180,6 +61292,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessContacts_ForceAllowTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessContacts LastWrite ; @@ -53190,8 +61306,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. @@ -53204,6 +61320,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessContacts_ForceDenyTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessContacts LastWrite ; @@ -53214,8 +61334,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. 
@@ -53228,6 +61348,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessContacts_UserInControlOfTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessContacts LastWrite ; @@ -53238,8 +61362,8 @@ The options are: - This policy setting specifies whether Windows apps can access email. 0 + This policy setting specifies whether Windows apps can access email. @@ -53252,6 +61376,11 @@ The options are: text/plain + + AppPrivacy.admx + LetAppsAccessEmail_Enum + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessEmail HighestValueMostSecure @@ -53261,8 +61390,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. @@ -53275,6 +61404,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessEmail_ForceAllowTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessEmail LastWrite ; 
@@ -53285,8 +61418,88 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + + + + + + + + + text/plain + + AppPrivacy.admx + LetAppsAccessEmail_ForceDenyTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessEmail + LastWrite + ; + + + + LetAppsAccessEmail_UserInControlOfTheseApps + + + + + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + + + + + + + + + text/plain + + AppPrivacy.admx + LetAppsAccessEmail_UserInControlOfTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessEmail + LastWrite + ; + + + + LetAppsAccessGazeInput + + + + + 0 + This policy setting specifies whether Windows apps can access the eye tracker. + + + + + + + + + + + text/plain + + + HighestValueMostSecure + + + + LetAppsAccessGazeInput_ForceAllowTheseApps + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. 
@@ -53304,13 +61517,37 @@ The options are: - LetAppsAccessEmail_UserInControlOfTheseApps + LetAppsAccessGazeInput_ForceDenyTheseApps - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + + + + + + + + + + + text/plain + + LastWrite + ; + + + + LetAppsAccessGazeInput_UserInControlOfTheseApps + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. @@ -53333,8 +61570,8 @@ The options are: - This policy setting specifies whether Windows apps can access location. 0 + This policy setting specifies whether Windows apps can access location. @@ -53347,6 +61584,11 @@ The options are: text/plain + + AppPrivacy.admx + LetAppsAccessLocation_Enum + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessLocation HighestValueMostSecure @@ -53356,8 +61598,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. 
@@ -53370,6 +61612,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessLocation_ForceAllowTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessLocation LastWrite ; @@ -53380,8 +61626,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. @@ -53394,6 +61640,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessLocation_ForceDenyTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessLocation LastWrite ; @@ -53404,8 +61654,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. @@ -53418,6 +61668,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessLocation_UserInControlOfTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessLocation LastWrite ; @@ -53428,8 +61682,8 @@ The options are: - This policy setting specifies whether Windows apps can read or send messages (text or MMS). 0 + This policy setting specifies whether Windows apps can read or send messages (text or MMS). 
@@ -53442,6 +61696,11 @@ The options are: text/plain + + AppPrivacy.admx + LetAppsAccessMessaging_Enum + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessMessaging HighestValueMostSecure @@ -53451,8 +61710,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. @@ -53465,6 +61724,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessMessaging_ForceAllowTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessMessaging LastWrite ; @@ -53475,8 +61738,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. @@ -53489,6 +61752,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessMessaging_ForceDenyTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessMessaging LastWrite ; 
@@ -53499,8 +61766,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. @@ -53513,6 +61780,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessMessaging_UserInControlOfTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessMessaging LastWrite ; @@ -53523,8 +61794,8 @@ The options are: - This policy setting specifies whether Windows apps can access the microphone. 0 + This policy setting specifies whether Windows apps can access the microphone. @@ -53537,6 +61808,11 @@ The options are: text/plain + + AppPrivacy.admx + LetAppsAccessMicrophone_Enum + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessMicrophone HighestValueMostSecure @@ -53546,8 +61822,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. @@ -53560,6 +61836,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessMicrophone_ForceAllowTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessMicrophone LastWrite ; 
@@ -53570,8 +61850,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. @@ -53584,6 +61864,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessMicrophone_ForceDenyTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessMicrophone LastWrite ; @@ -53594,8 +61878,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. @@ -53608,6 +61892,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessMicrophone_UserInControlOfTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessMicrophone LastWrite ; @@ -53618,8 +61906,8 @@ The options are: - This policy setting specifies whether Windows apps can access motion data. 0 + This policy setting specifies whether Windows apps can access motion data. @@ -53632,6 +61920,11 @@ The options are: text/plain + + AppPrivacy.admx + LetAppsAccessMotion_Enum + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessMotion HighestValueMostSecure 
@@ -53641,8 +61934,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. @@ -53655,6 +61948,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessMotion_ForceAllowTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessMotion LastWrite ; @@ -53665,8 +61962,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. @@ -53679,6 +61976,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessMotion_ForceDenyTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessMotion LastWrite ; @@ -53689,8 +61990,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. 
@@ -53703,6 +62004,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessMotion_UserInControlOfTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessMotion LastWrite ; @@ -53713,8 +62018,8 @@ The options are: - This policy setting specifies whether Windows apps can access notifications. 0 + This policy setting specifies whether Windows apps can access notifications. @@ -53727,6 +62032,11 @@ The options are: text/plain + + AppPrivacy.admx + LetAppsAccessNotifications_Enum + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessNotifications HighestValueMostSecure @@ -53736,8 +62046,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. @@ -53750,6 +62060,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessNotifications_ForceAllowTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessNotifications LastWrite ; @@ -53760,8 +62074,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. 
@@ -53774,6 +62088,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessNotifications_ForceDenyTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessNotifications LastWrite ; @@ -53784,8 +62102,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. @@ -53798,6 +62116,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessNotifications_UserInControlOfTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessNotifications LastWrite ; @@ -53808,8 +62130,8 @@ The options are: - This policy setting specifies whether Windows apps can make phone calls 0 + This policy setting specifies whether Windows apps can make phone calls @@ -53822,6 +62144,11 @@ The options are: text/plain + + AppPrivacy.admx + LetAppsAccessPhone_Enum + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessPhone HighestValueMostSecure @@ -53831,8 +62158,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. 
@@ -53845,6 +62172,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessPhone_ForceAllowTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessPhone LastWrite ; @@ -53855,8 +62186,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. @@ -53869,6 +62200,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessPhone_ForceDenyTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessPhone LastWrite ; @@ -53879,8 +62214,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. @@ -53893,6 +62228,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessPhone_UserInControlOfTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessPhone LastWrite ; @@ -53903,8 +62242,8 @@ The options are: - This policy setting specifies whether Windows apps have access to control radios. 0 + This policy setting specifies whether Windows apps have access to control radios. 
@@ -53917,6 +62256,11 @@ The options are: text/plain + + AppPrivacy.admx + LetAppsAccessRadios_Enum + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessRadios HighestValueMostSecure @@ -53926,8 +62270,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. @@ -53940,6 +62284,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessRadios_ForceAllowTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessRadios LastWrite ; @@ -53950,8 +62298,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. @@ -53964,6 +62312,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessRadios_ForceDenyTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessRadios LastWrite ; 
@@ -53974,8 +62326,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. @@ -53988,6 +62340,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessRadios_UserInControlOfTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessRadios LastWrite ; @@ -53998,8 +62354,8 @@ The options are: - This policy setting specifies whether Windows apps can access tasks. 0 + This policy setting specifies whether Windows apps can access tasks. @@ -54012,6 +62368,11 @@ The options are: text/plain + + AppPrivacy.admx + LetAppsAccessTasks_Enum + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessTasks HighestValueMostSecure @@ -54021,8 +62382,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. @@ -54035,6 +62396,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessTasks_ForceAllowTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessTasks LastWrite ; 
@@ -54045,8 +62410,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. @@ -54059,6 +62424,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessTasks_ForceDenyTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessTasks LastWrite ; @@ -54069,8 +62438,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. @@ -54083,6 +62452,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessTasks_UserInControlOfTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessTasks LastWrite ; @@ -54093,8 +62466,8 @@ The options are: - This policy setting specifies whether Windows apps can access trusted devices. 0 + This policy setting specifies whether Windows apps can access trusted devices. @@ -54107,6 +62480,11 @@ The options are: text/plain + + AppPrivacy.admx + LetAppsAccessTrustedDevices_Enum + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessTrustedDevices HighestValueMostSecure 
@@ -54116,8 +62494,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. @@ -54130,6 +62508,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessTrustedDevices_ForceAllowTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessTrustedDevices LastWrite ; @@ -54140,8 +62522,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. @@ -54154,6 +62536,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessTrustedDevices_ForceDenyTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessTrustedDevices LastWrite ; @@ -54164,8 +62550,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. 
@@ -54178,6 +62564,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsAccessTrustedDevices LastWrite ; @@ -54188,8 +62578,8 @@ The options are: - This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names. 0 + This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names. @@ -54202,6 +62592,11 @@ The options are: text/plain + + AppPrivacy.admx + LetAppsGetDiagnosticInfo_Enum + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsGetDiagnosticInfo HighestValueMostSecure @@ -54211,8 +62606,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. @@ -54225,6 +62620,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsGetDiagnosticInfo LastWrite ; 
@@ -54235,8 +62634,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. @@ -54249,6 +62648,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsGetDiagnosticInfo LastWrite ; @@ -54259,8 +62662,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. @@ -54273,6 +62676,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsGetDiagnosticInfo LastWrite ; @@ -54283,8 +62690,8 @@ The options are: - This policy setting specifies whether Windows apps can run in the background. 0 + This policy setting specifies whether Windows apps can run in the background. 
@@ -54297,6 +62704,11 @@ The options are: text/plain + + AppPrivacy.admx + LetAppsRunInBackground_Enum + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsRunInBackground HighestValueMostSecure @@ -54306,8 +62718,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. @@ -54320,6 +62732,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsRunInBackground_ForceAllowTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsRunInBackground LastWrite ; @@ -54330,8 +62746,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. @@ -54344,6 +62760,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsRunInBackground_ForceDenyTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsRunInBackground LastWrite ; 
@@ -54354,8 +62774,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. @@ -54368,6 +62788,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsRunInBackground_UserInControlOfTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsRunInBackground LastWrite ; @@ -54378,8 +62802,8 @@ The options are: - This policy setting specifies whether Windows apps can communicate with unpaired wireless devices. 0 + This policy setting specifies whether Windows apps can communicate with unpaired wireless devices. @@ -54392,6 +62816,11 @@ The options are: text/plain + + AppPrivacy.admx + LetAppsSyncWithDevices_Enum + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsSyncWithDevices HighestValueMostSecure @@ -54401,8 +62830,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -54415,6 +62844,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsSyncWithDevices_ForceAllowTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsSyncWithDevices LastWrite ; 
@@ -54425,8 +62858,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -54439,6 +62872,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsSyncWithDevices_ForceDenyTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsSyncWithDevices LastWrite ; @@ -54449,8 +62886,8 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -54463,6 +62900,10 @@ The options are: text/plain + AppPrivacy.admx + LetAppsSyncWithDevices_UserInControlOfTheseApps_List + AppPrivacy~AT~WindowsComponents~AppPrivacy + LetAppsSyncWithDevices LastWrite ; @@ -54473,8 +62914,8 @@ The options are: - Allows apps/system to publish 'User Activities' into ActivityFeed. 1 + Allows apps/system to publish 'User Activities' into ActivityFeed. 
@@ -54488,6 +62929,36 @@ The options are: text/plain + OSPolicy.admx + OSPolicy~AT~System~PolicyPolicies + PublishUserActivities + HighestValueMostSecure + + + + UploadUserActivities + + + + + 1 + Allows ActivityFeed to upload published 'User Activities'. + + + + + + + + + + + text/plain + + + OSPolicy.admx + OSPolicy~AT~System~PolicyPolicies + UploadUserActivities HighestValueMostSecure @@ -54517,8 +62988,8 @@ The options are: - + @@ -54544,8 +63015,8 @@ The options are: - + @@ -54571,8 +63042,8 @@ The options are: - + @@ -54598,8 +63069,8 @@ The options are: - + @@ -54645,8 +63116,8 @@ The options are: - + @@ -54672,8 +63143,8 @@ The options are: - + @@ -54699,8 +63170,8 @@ The options are: - + @@ -54726,8 +63197,8 @@ The options are: - + @@ -54753,8 +63224,8 @@ The options are: - + @@ -54780,8 +63251,8 @@ The options are: - + @@ -54827,8 +63298,8 @@ The options are: - + @@ -54854,8 +63325,8 @@ The options are: - + @@ -54881,8 +63352,8 @@ The options are: - + @@ -54908,8 +63379,8 @@ The options are: - + @@ -54935,8 +63406,8 @@ The options are: - + @@ -54962,8 +63433,8 @@ The options are: - + @@ -54989,8 +63460,8 @@ The options are: - + @@ -55016,8 +63487,8 @@ The options are: - + @@ -55043,8 +63514,8 @@ The options are: - + @@ -55070,8 +63541,8 @@ The options are: - + @@ -55097,8 +63568,8 @@ The options are: - + @@ -55124,8 +63595,8 @@ The options are: - + @@ -55151,8 +63622,8 @@ The options are: - + @@ -55178,8 +63649,8 @@ The options are: - + @@ -55205,8 +63676,8 @@ The options are: - + @@ -55252,8 +63723,8 @@ The options are: - + @@ -55279,8 +63750,8 @@ The options are: - + @@ -55326,8 +63797,8 @@ The options are: - + @@ -55353,8 +63824,8 @@ The options are: - + @@ -55380,8 +63851,8 @@ The options are: - + @@ -55407,8 +63878,8 @@ The options are: - + @@ -55434,8 +63905,8 @@ The options are: - + @@ -55461,8 +63932,8 @@ The options are: - + @@ -55488,8 +63959,8 @@ The options are: - + 
@@ -55510,6 +63981,51 @@ The options are: + + RestrictedGroups + + + + + + + + + + + + + + + + + + + ConfigureGroupMembership + + + + + + This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group. +Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. + + + + + + + + + + + text/plain + + phone + LastWrite + + + Search @@ -55535,8 +64051,8 @@ The options are: - 2 + @@ -55549,6 +64065,39 @@ The options are: text/plain + + Search.admx + AllowCloudSearch_Dropdown + Search~AT~WindowsComponents~Search + AllowCloudSearch + LowestValueMostSecure + + + + AllowCortanaInAAD + + + + + 0 + This features allows you to show the cortana opt-in page during Windows Setup + + + + + + + + + + + text/plain + + + phone + Search.admx + Search~AT~WindowsComponents~Search + AllowCortanaInAAD LowestValueMostSecure @@ -55558,8 +64107,8 @@ The options are: - 0 + 
@@ -55573,6 +64122,9 @@ The options are: text/plain + Search.admx + Search~AT~WindowsComponents~Search + AllowIndexingEncryptedStoresOrItems LowestValueMostSecure @@ -55582,8 +64134,8 @@ The options are: - 1 + @@ -55597,6 +64149,9 @@ The options are: text/plain + Search.admx + Search~AT~WindowsComponents~Search + AllowSearchToUseLocation LowestValueMostSecure @@ -55606,8 +64161,8 @@ The options are: - 1 + @@ -55630,8 +64185,8 @@ The options are: - 0 + @@ -55644,6 +64199,10 @@ The options are: text/plain + + Search.admx + Search~AT~WindowsComponents~Search + AllowUsingDiacritics HighestValueMostSecure @@ -55653,8 +64212,8 @@ The options are: - 3 + @@ -55667,6 +64226,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55676,8 +64236,8 @@ The options are: - 0 + @@ -55690,6 +64250,10 @@ The options are: text/plain + + Search.admx + Search~AT~WindowsComponents~Search + AlwaysUseAutoLangDetection HighestValueMostSecure @@ -55699,8 +64263,8 @@ The options are: - 0 + @@ -55713,6 +64277,10 @@ The options are: text/plain + + Search.admx + Search~AT~WindowsComponents~Search + DisableBackoff HighestValueMostSecure @@ -55722,8 +64290,8 @@ The options are: - 0 + @@ -55736,17 +64304,48 @@ The options are: text/plain + + Search.admx + Search~AT~WindowsComponents~Search + DisableRemovableDriveIndexing HighestValueMostSecure + + DoNotUseWebResults + + + + + 1 + + + + + + + + + + + + text/plain + + + Search.admx + Search~AT~WindowsComponents~Search + DoNotUseWebResults + LowestValueMostSecure + + PreventIndexingLowDiskSpaceMB - 1 + @@ -55759,6 +64358,10 @@ The options are: text/plain + + Search.admx + Search~AT~WindowsComponents~Search + StopIndexingOnLimitedHardDriveSpace HighestValueMostSecure @@ -55768,8 +64371,8 @@ The options are: - 1 + @@ -55782,6 +64385,10 @@ The options are: text/plain + + Search.admx + Search~AT~WindowsComponents~Search + PreventRemoteQueries HighestValueMostSecure @@ -55791,8 +64398,8 @@ The options are: - 1 + 
@@ -55805,6 +64412,7 @@ The options are: text/plain + desktop HighestValueMostSecure @@ -55835,8 +64443,8 @@ The options are: - 1 + @@ -55859,8 +64467,8 @@ The options are: - 1 + @@ -55884,8 +64492,8 @@ The options are: - 1 + @@ -55908,8 +64516,8 @@ The options are: - 1 + @@ -55933,8 +64541,8 @@ The options are: - 0 + @@ -55949,17 +64557,20 @@ The options are: phone + TPM.admx + TPM~AT~System~TPMCategory + ClearTPMIfNotReady_Name HighestValueMostSecure - PreventAutomaticDeviceEncryptionForAzureADJoinedDevices + ConfigureWindowsPasswords - - 0 + 2 + Configures the use of passwords for Windows features @@ -55972,6 +64583,32 @@ The options are: text/plain + + phone + LastWrite + + + + PreventAutomaticDeviceEncryptionForAzureADJoinedDevices + + + + + 0 + + + + + + + + + + + + text/plain + + LastWrite @@ -55981,8 +64618,8 @@ The options are: - 0 + @@ -55995,6 +64632,7 @@ The options are: text/plain + HighestValueMostSecure @@ -56004,8 +64642,8 @@ The options are: - 0 + @@ -56018,6 +64656,7 @@ The options are: text/plain + HighestValueMostSecure @@ -56027,8 +64666,8 @@ The options are: - 0 + @@ -56041,6 +64680,7 @@ The options are: text/plain + HighestValueMostSecure @@ -56070,8 +64710,8 @@ The options are: - 1 + @@ -56095,8 +64735,8 @@ The options are: - 1 + @@ -56119,8 +64759,8 @@ The options are: - 1 + @@ -56143,8 +64783,8 @@ The options are: - 1 + @@ -56167,8 +64807,8 @@ The options are: - 1 + @@ -56192,8 +64832,8 @@ The options are: - 1 + @@ -56207,6 +64847,10 @@ The options are: text/plain + ControlPanel.admx + CheckBox_AllowOnlineTips + ControlPanel~AT~ControlPanel + AllowOnlineTips LowestValueMostSecure @@ -56216,8 +64860,8 @@ The options are: - 1 + @@ -56241,8 +64885,8 @@ The options are: - 1 + @@ -56266,8 +64910,8 @@ The options are: - 1 + @@ -56291,8 +64935,8 @@ The options are: - 1 + @@ -56315,8 +64959,8 @@ The options are: - 1 + @@ -56340,8 +64984,8 @@ The options are: - 1 + @@ -56364,8 +65008,8 @@ The options are: - + 
@@ -56378,6 +65022,10 @@ The options are: text/plain + ControlPanel.admx + SettingsPageVisibilityBox + ControlPanel~AT~ControlPanel + SettingsPageVisibility LastWrite @@ -56407,8 +65055,8 @@ The options are: - 0 + @@ -56423,6 +65071,9 @@ The options are: phone + SmartScreen.admx + SmartScreen~AT~WindowsComponents~SmartScreen~Shell + ConfigureAppInstallControl HighestValueMostSecure @@ -56432,8 +65083,8 @@ The options are: - 1 + @@ -56448,6 +65099,9 @@ The options are: phone + SmartScreen.admx + SmartScreen~AT~WindowsComponents~SmartScreen~Shell + ShellConfigureSmartScreen HighestValueMostSecure @@ -56457,8 +65111,8 @@ The options are: - 0 + @@ -56473,6 +65127,10 @@ The options are: phone + SmartScreen.admx + ShellConfigureSmartScreen_Dropdown + SmartScreen~AT~WindowsComponents~SmartScreen~Shell + ShellConfigureSmartScreen HighestValueMostSecure @@ -56502,8 +65160,8 @@ The options are: - 1 + @@ -56517,6 +65175,9 @@ The options are: text/plain + Speech.admx + Speech~AT~WindowsComponents~Speech + AllowSpeechModelUpdate LowestValueMostSecure @@ -56546,8 +65207,8 @@ The options are: - This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 65535 + This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 
@@ -56571,8 +65232,8 @@ The options are: - This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 65535 + This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. @@ -56596,8 +65257,8 @@ The options are: - This policy controls the visibility of the File Explorer shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 65535 + This policy controls the visibility of the File Explorer shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 
@@ -56621,8 +65282,8 @@ The options are: - This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 65535 + This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. @@ -56646,8 +65307,8 @@ The options are: - This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 65535 + This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 
@@ -56671,8 +65332,8 @@ The options are: - This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 65535 + This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. @@ -56696,8 +65357,8 @@ The options are: - This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 65535 + This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 
@@ -56721,8 +65382,8 @@ The options are: - This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 65535 + This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. @@ -56746,8 +65407,8 @@ The options are: - This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 65535 + This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 
@@ -56771,8 +65432,8 @@ The options are: - This policy controls the visibility of the Videos shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 65535 + This policy controls the visibility of the Videos shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. @@ -56791,13 +65452,13 @@ The options are: - ForceStartSize + DisableContextMenus - 0 + Enabling this policy prevents context menus from being invoked in the Start Menu. @@ -56810,6 +65471,35 @@ The options are: text/plain + + phone + StartMenu.admx + StartMenu~AT~StartMenu + DisableContextMenusInStart + LowestValueMostSecure + + + + ForceStartSize + + + + + 0 + + + + + + + + + + + + text/plain + + phone LastWrite @@ -56820,8 +65510,8 @@ The options are: - Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. 0 + Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. @@ -56834,6 +65524,7 @@ The options are: text/plain + phone LastWrite 
@@ -56844,8 +65535,8 @@ The options are: - Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. 0 + Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. @@ -56868,8 +65559,8 @@ The options are: - Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. 0 + Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. @@ -56893,8 +65584,8 @@ The options are: - Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. 0 + Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. @@ -56917,8 +65608,8 @@ The options are: - Enabling this policy hides "Lock" from appearing in the user tile in the start menu. 0 + Enabling this policy hides "Lock" from appearing in the user tile in the start menu. @@ -56941,8 +65632,8 @@ The options are: - Enabling this policy hides the power button from appearing in the start menu. 0 + Enabling this policy hides the power button from appearing in the start menu. @@ -56965,8 +65656,8 @@ The options are: - Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. 0 + Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. @@ -56990,8 +65681,8 @@ The options are: - Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. 0 + Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. 
@@ -57006,6 +65697,9 @@ The options are: phone + StartMenu.admx + StartMenu~AT~StartMenu + HideRecentlyAddedApps LowestValueMostSecure @@ -57015,8 +65709,8 @@ The options are: - Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. 0 + Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. @@ -57039,8 +65733,8 @@ The options are: - Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. 0 + Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. @@ -57063,8 +65757,8 @@ The options are: - Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. 0 + Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. @@ -57087,8 +65781,8 @@ The options are: - Enabling this policy hides "Sleep" from appearing in the power button in the start menu. 0 + Enabling this policy hides "Sleep" from appearing in the power button in the start menu. @@ -57111,8 +65805,8 @@ The options are: - Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. 0 + Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. @@ -57135,8 +65829,8 @@ The options are: - Enabling this policy hides the user tile from appearing in the start menu. 0 + Enabling this policy hides the user tile from appearing in the start menu. 
@@ -57159,8 +65853,8 @@ The options are: - This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified. + This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified. @@ -57183,8 +65877,8 @@ The options are: - This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. 0 + This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. @@ -57208,8 +65902,8 @@ The options are: - + @@ -57223,6 +65917,9 @@ The options are: text/plain phone + StartMenu.admx + StartMenu~AT~StartMenu + LockedStartLayout LastWrite 
@@ -57252,8 +65949,8 @@ The options are: - 1 + @@ -57266,7 +65963,11 @@ The options are: text/plain + phone + StorageHealth.admx + StorageHealth~AT~System~StorageHealth + SH_AllowDiskHealthModelUpdates LastWrite @@ -57276,8 +65977,8 @@ The options are: - + @@ -57323,8 +66024,8 @@ The options are: - 2 + @@ -57337,6 +66038,10 @@ The options are: text/plain + + AllowBuildPreview.admx + AllowBuildPreview~AT~WindowsComponents~DataCollectionAndPreviewBuilds + AllowBuildPreview LowestValueMostSecure @@ -57346,8 +66051,8 @@ The options are: - 0 + @@ -57370,8 +66075,8 @@ The options are: - 1 + @@ -57384,6 +66089,7 @@ The options are: text/plain + LowestValueMostSecure @@ -57393,8 +66099,8 @@ The options are: - 1 + @@ -57408,6 +66114,9 @@ The options are: text/plain + GroupPolicy.admx + GroupPolicy~AT~Network~NetworkFonts + EnableFontProviders LowestValueMostSecure @@ -57417,8 +66126,8 @@ The options are: - 1 + @@ -57431,6 +66140,10 @@ The options are: text/plain + + Sensors.admx + Sensors~AT~LocationAndSensors + DisableLocation_2 LowestValueMostSecure @@ -57440,8 +66153,8 @@ The options are: - 1 + @@ -57464,8 +66177,8 @@ The options are: - 3 + @@ -57478,6 +66191,11 @@ The options are: text/plain + + DataCollection.admx + AllowTelemetry + DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds + AllowTelemetry LowestValueMostSecure @@ -57487,8 +66205,8 @@ The options are: - 1 + @@ -57511,8 +66229,8 @@ The options are: - + 
@@ -57533,36 +66251,13 @@ The options are: - DisableEnterpriseAuthProxy + ConfigureTelemetryOptInChangeNotification - This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. - 0 - - - - - - - - - - - text/plain - - LastWrite - - - - DisableOneDriveFileSync - - - - - This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. 0 + 
@@ -57576,6 +66271,93 @@ The options are: text/plain + DataCollection.admx + ConfigureTelemetryOptInChangeNotification + DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds + ConfigureTelemetryOptInChangeNotification + HighestValueMostSecure + + + + ConfigureTelemetryOptInSettingsUx + + + + + 0 + + + + + + + + + + + + text/plain + + + DataCollection.admx + ConfigureTelemetryOptInSettingsUx + DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds + ConfigureTelemetryOptInSettingsUx + HighestValueMostSecure + + + + DisableEnterpriseAuthProxy + + + + + 0 + This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. + + + + + + + + + + + text/plain + + + DataCollection.admx + DisableEnterpriseAuthProxy + DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds + DisableEnterpriseAuthProxy + LastWrite + + + + DisableOneDriveFileSync + + + + + 0 + This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Microsoft Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. 
+ + + + + + + + + + + text/plain + + + SkyDrive.admx + SkyDrive~AT~WindowsComponents~OneDrive + PreventOnedriveFileSync HighestValueMostSecure @@ -57585,8 +66367,8 @@ The options are: - + @@ -57612,31 +66394,8 @@ The options are: + 0 Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy is not present or set to false, users will be presented with the option to save locally. The default is to not save locally. - 0 - - - - - - - - - - - text/plain - - LastWrite - - - - LimitEnhancedDiagnosticDataWindowsAnalytics - - - - - This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced) When you configure these policy settings, a Basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: https://go.microsoft.com/fwlink/?linkid=847594. Enabling Enhanced diagnostic data in the Allow Telemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional Enhanced level telemetry data. This setting has no effect on computers configured to send Full, Basic or Security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy. - 0 
@@ -57650,6 +66409,34 @@ The options are: text/plain + LastWrite + + + + LimitEnhancedDiagnosticDataWindowsAnalytics + + + + + 0 + This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting. + + + + + + + + + + + text/plain + + + DataCollection.admx + LimitEnhancedDiagnosticDataWindowsAnalytics + DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds + LimitEnhancedDiagnosticDataWindowsAnalytics LowestValueMostSecure @@ -57659,8 +66446,8 @@ The options are: - + 
@@ -57673,6 +66460,237 @@ The options are: text/plain + DataCollection.admx + TelemetryProxyName + DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds + TelemetryProxy + LastWrite + + + + + SystemServices + + + + + + + + + + + + + + + + + + + ConfigureHomeGroupListenerServiceStartupMode + + + + + 0 + This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~System Services + HomeGroup Listener + LastWrite + + + + ConfigureHomeGroupProviderServiceStartupMode + + + + + 0 + This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~System Services + HomeGroup Provider + LastWrite + + + + ConfigureXboxAccessoryManagementServiceStartupMode + + + + + 0 + This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~System Services + Xbox Accessory Management Service + LastWrite + + + + ConfigureXboxLiveAuthManagerServiceStartupMode + + + + + 0 + This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~System Services + Xbox Live Auth Manager + LastWrite + + + + ConfigureXboxLiveGameSaveServiceStartupMode + + + + + 0 + This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. 
+ + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~System Services + Xbox Live Game Save + LastWrite + + + + ConfigureXboxLiveNetworkingServiceStartupMode + + + + + 0 + This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~System Services + Xbox Live Networking Service + LastWrite + + + + + TaskScheduler + + + + + + + + + + + + + + + + + + + EnableXboxGameSaveTask + + + + + 0 + This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled. + + + + + + + + + + + text/plain + + + phone LastWrite @@ -57696,14 +66714,38 @@ The options are: + + AllowHardwareKeyboardTextSuggestions + + + + + 1 + + + + + + + + + + + + text/plain + + + LowestValueMostSecure + + AllowIMELogging - 1 + @@ -57727,8 +66769,8 @@ The options are: - 1 + @@ -57752,8 +66794,8 @@ The options are: - 1 + @@ -57777,8 +66819,8 @@ The options are: - 1 + @@ -57791,6 +66833,7 @@ The options are: text/plain + phone HighestValueMostSecure @@ -57801,8 +66844,8 @@ The options are: - 1 + @@ -57826,8 +66869,8 @@ The options are: - 1 + @@ -57851,8 +66894,8 @@ The options are: - 1 + @@ -57876,8 +66919,8 @@ The options are: - 1 + @@ -57900,8 +66943,8 @@ The options are: - 1 + @@ -57916,6 +66959,60 @@ The options are: phone + TextInput.admx + TextInput~AT~WindowsComponents~TextInput + AllowLanguageFeaturesUninstall + LowestValueMostSecure + + + + AllowLinguisticDataCollection + + + + + 1 + + + + + + + + + + + + text/plain + + + TextInput.admx + TextInput~AT~WindowsComponents~TextInput + AllowLinguisticDataCollection + LowestValueMostSecure + + + + EnableTouchKeyboardAutoInvokeInDesktopMode + + + + + 0 + + + + + + + + + + + + text/plain + + LowestValueMostSecure @@ -57925,8 +67022,8 @@ The options are: - 0 + @@ -57939,6 +67036,7 @@ The options are: text/plain + HighestValueMostSecure 
@@ -57948,8 +67046,8 @@ The options are: - 0 + @@ -57962,6 +67060,7 @@ The options are: text/plain + phone HighestValueMostSecure @@ -57972,8 +67071,8 @@ The options are: - 0 + @@ -57986,10 +67085,203 @@ The options are: text/plain + phone HighestValueMostSecure + + ForceTouchKeyboardDockedState + + + + + 0 + + + + + + + + + + + + text/plain + + + HighestValueMostSecure + + + + TouchKeyboardDictationButtonAvailability + + + + + 0 + + + + + + + + + + + + text/plain + + + HighestValueMostSecure + + + + TouchKeyboardEmojiButtonAvailability + + + + + 0 + + + + + + + + + + + + text/plain + + + HighestValueMostSecure + + + + TouchKeyboardFullModeAvailability + + + + + 0 + + + + + + + + + + + + text/plain + + + HighestValueMostSecure + + + + TouchKeyboardHandwritingModeAvailability + + + + + 0 + + + + + + + + + + + + text/plain + + + HighestValueMostSecure + + + + TouchKeyboardNarrowModeAvailability + + + + + 0 + + + + + + + + + + + + text/plain + + + HighestValueMostSecure + + + + TouchKeyboardSplitModeAvailability + + + + + 0 + + + + + + + + + + + + text/plain + + + HighestValueMostSecure + + + + TouchKeyboardWideModeAvailability + + + + + 0 + + + + + + + + + + + + text/plain + + + HighestValueMostSecure + + TimeLanguageSettings @@ -58016,8 +67308,8 @@ The options are: - 0 + @@ -58061,8 +67353,8 @@ The options are: - 17 + @@ -58075,6 +67367,11 @@ The options are: text/plain + + WindowsUpdate.admx + ActiveHoursEndTime + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + ActiveHours LastWrite @@ -58084,8 +67381,8 @@ The options are: - 18 + @@ -58098,6 +67395,11 @@ The options are: text/plain + + WindowsUpdate.admx + ActiveHoursMaxRange + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + ActiveHoursMaxRange LastWrite @@ -58107,8 +67409,8 @@ The options are: - 8 + @@ -58121,6 +67423,11 @@ The options are: text/plain + + WindowsUpdate.admx + ActiveHoursStartTime + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + ActiveHours LastWrite 
@@ -58130,8 +67437,8 @@ The options are: - 2 + @@ -58144,6 +67451,11 @@ The options are: text/plain + + WindowsUpdate.admx + AutoUpdateMode + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + AutoUpdateCfg LowestValueMostSecure @@ -58153,8 +67465,8 @@ The options are: - 0 + @@ -58167,6 +67479,10 @@ The options are: text/plain + + WindowsUpdate.admx + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + AllowAutoWindowsUpdateDownloadOverMeteredNetwork LastWrite @@ -58176,8 +67492,8 @@ The options are: - 0 + @@ -58190,7 +67506,12 @@ The options are: text/plain + phone + WindowsUpdate.admx + AllowMUUpdateServiceId + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + AutoUpdateCfg LowestValueMostSecure @@ -58200,8 +67521,8 @@ The options are: - 1 + @@ -58224,8 +67545,8 @@ The options are: - 1 + @@ -58239,6 +67560,9 @@ The options are: text/plain + WindowsUpdate.admx + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + CorpWuURL LowestValueMostSecure @@ -58248,8 +67572,8 @@ The options are: - 7 + @@ -58262,6 +67586,11 @@ The options are: text/plain + + WindowsUpdate.admx + AutoRestartDeadline + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + AutoRestartDeadline LastWrite @@ -58271,8 +67600,8 @@ The options are: - 15 + @@ -58286,6 +67615,10 @@ The options are: text/plain + WindowsUpdate.admx + AutoRestartNotificationSchd + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + AutoRestartNotificationConfig LastWrite @@ -58295,8 +67628,8 @@ The options are: - 1 + @@ -58309,6 +67642,11 @@ The options are: text/plain + + WindowsUpdate.admx + AutoRestartRequiredNotificationDismissal + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + AutoRestartRequiredNotificationDismissal LastWrite @@ -58318,8 +67656,8 @@ The options are: - 16 + 
@@ -58333,6 +67671,34 @@ The options are: text/plain + WindowsUpdate.admx + BranchReadinessLevelId + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat + DeferFeatureUpdates + LastWrite + + + + ConfigureFeatureUpdateUninstallPeriod + + + + + 10 + Enable enterprises/IT admin to configure feature update uninstall period + + + + + + + + + + + text/plain + + LastWrite @@ -58342,8 +67708,8 @@ The options are: - 0 + @@ -58356,6 +67722,11 @@ The options are: text/plain + + WindowsUpdate.admx + DeferFeatureUpdatesPeriodId + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat + DeferFeatureUpdates LastWrite @@ -58365,8 +67736,8 @@ The options are: - 0 + @@ -58379,6 +67750,11 @@ The options are: text/plain + + WindowsUpdate.admx + DeferQualityUpdatesPeriodId + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat + DeferQualityUpdates LastWrite @@ -58388,8 +67764,8 @@ The options are: - 0 + @@ -58402,6 +67778,11 @@ The options are: text/plain + + WindowsUpdate.admx + DeferUpdatePeriodId + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + DeferUpgrade LastWrite @@ -58411,8 +67792,8 @@ The options are: - 0 + @@ -58425,6 +67806,11 @@ The options are: text/plain + + WindowsUpdate.admx + DeferUpgradePeriodId + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + DeferUpgrade LastWrite @@ -58434,8 +67820,8 @@ The options are: - 22 + @@ -58448,6 +67834,11 @@ The options are: text/plain + + WindowsUpdate.admx + DetectionFrequency_Hour2 + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + DetectionFrequency_Title LastWrite @@ -58457,8 +67848,8 @@ The options are: - Do not allow update deferral policies to cause scans against Windows Update 0 + Do not allow update deferral policies to cause scans against Windows Update @@ -58471,6 +67862,10 @@ The options are: text/plain + + WindowsUpdate.admx + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + DisableDualScan LastWrite @@ -58480,8 +67875,8 @@ The options are: - 14 + 
@@ -58494,6 +67889,11 @@ The options are: text/plain + + WindowsUpdate.admx + EngagedRestartDeadline + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + EngagedRestartTransitionSchedule LastWrite @@ -58503,8 +67903,8 @@ The options are: - 3 + @@ -58517,6 +67917,11 @@ The options are: text/plain + + WindowsUpdate.admx + EngagedRestartSnoozeSchedule + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + EngagedRestartTransitionSchedule LastWrite @@ -58526,8 +67931,8 @@ The options are: - 7 + @@ -58540,6 +67945,11 @@ The options are: text/plain + + WindowsUpdate.admx + EngagedRestartTransitionSchedule + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + EngagedRestartTransitionSchedule LastWrite @@ -58549,8 +67959,8 @@ The options are: - 0 + @@ -58563,6 +67973,10 @@ The options are: text/plain + + WindowsUpdate.admx + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat + ExcludeWUDriversInQualityUpdate LastWrite @@ -58572,8 +67986,8 @@ The options are: - 0 + @@ -58586,6 +68000,11 @@ The options are: text/plain + + WindowsUpdate.admx + CorpWUFillEmptyContentUrls + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + CorpWuURL LastWrite @@ -58595,8 +68014,8 @@ The options are: - 0 + @@ -58619,8 +68038,8 @@ The options are: - 0 + @@ -58643,8 +68062,8 @@ The options are: - 3 + @@ -58657,6 +68076,11 @@ The options are: text/plain + + WindowsUpdate.admx + ManagePreviewBuildsId + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat + ManagePreviewBuilds LastWrite @@ -58666,8 +68090,8 @@ The options are: - 0 + @@ -58680,6 +68104,11 @@ The options are: text/plain + + WindowsUpdate.admx + PauseDeferralsId + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + DeferUpgrade LastWrite @@ -58689,8 +68118,8 @@ The options are: - 0 + @@ -58703,6 +68132,11 @@ The options are: text/plain + + WindowsUpdate.admx + PauseFeatureUpdatesId + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat + DeferFeatureUpdates LastWrite 
@@ -58712,8 +68146,8 @@ The options are: - + @@ -58726,6 +68160,10 @@ The options are: text/plain + WindowsUpdate.admx + PauseFeatureUpdatesStartId + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat + DeferFeatureUpdates LastWrite @@ -58735,8 +68173,8 @@ The options are: - 0 + @@ -58749,6 +68187,11 @@ The options are: text/plain + + WindowsUpdate.admx + PauseQualityUpdatesId + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat + DeferQualityUpdates LastWrite @@ -58758,8 +68201,8 @@ The options are: - + @@ -58772,6 +68215,10 @@ The options are: text/plain + WindowsUpdate.admx + PauseQualityUpdatesStartId + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat + DeferQualityUpdates LastWrite @@ -58781,8 +68228,8 @@ The options are: - 4 + @@ -58795,6 +68242,7 @@ The options are: text/plain + LowestValueMostSecure @@ -58804,8 +68252,8 @@ The options are: - 0 + @@ -58818,6 +68266,11 @@ The options are: text/plain + + WindowsUpdate.admx + DeferUpgradePeriodId + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + DeferUpgrade LastWrite @@ -58827,8 +68280,8 @@ The options are: - 0 + @@ -58841,6 +68294,7 @@ The options are: text/plain + HighestValueMostSecure @@ -58850,8 +68304,8 @@ The options are: - 0 + @@ -58864,6 +68318,11 @@ The options are: text/plain + + WindowsUpdate.admx + AutoUpdateSchDay + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + AutoUpdateCfg LowestValueMostSecure @@ -58873,8 +68332,8 @@ The options are: - 1 + @@ -58887,6 +68346,11 @@ The options are: text/plain + + WindowsUpdate.admx + AutoUpdateSchEveryWeek + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + AutoUpdateCfg LowestValueMostSecure @@ -58896,8 +68360,8 @@ The options are: - 0 + @@ -58910,6 +68374,11 @@ The options are: text/plain + + WindowsUpdate.admx + AutoUpdateSchFirstWeek + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + AutoUpdateCfg LowestValueMostSecure @@ -58919,8 +68388,8 @@ The options are: - 0 + 
@@ -58933,6 +68402,11 @@ The options are: text/plain + + WindowsUpdate.admx + ScheduledInstallFourthWeek + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + AutoUpdateCfg LowestValueMostSecure @@ -58942,8 +68416,8 @@ The options are: - 0 + @@ -58956,6 +68430,11 @@ The options are: text/plain + + WindowsUpdate.admx + ScheduledInstallSecondWeek + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + AutoUpdateCfg LowestValueMostSecure @@ -58965,8 +68444,8 @@ The options are: - 0 + @@ -58979,6 +68458,11 @@ The options are: text/plain + + WindowsUpdate.admx + ScheduledInstallThirdWeek + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + AutoUpdateCfg LowestValueMostSecure @@ -58988,8 +68472,8 @@ The options are: - 3 + @@ -59002,6 +68486,11 @@ The options are: text/plain + + WindowsUpdate.admx + AutoUpdateSchTime + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + AutoUpdateCfg LowestValueMostSecure @@ -59011,8 +68500,8 @@ The options are: - 15 + @@ -59026,6 +68515,10 @@ The options are: text/plain + WindowsUpdate.admx + RestartWarn + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + RestartWarnRemind LastWrite @@ -59035,8 +68528,8 @@ The options are: - 4 + @@ -59050,6 +68543,10 @@ The options are: text/plain + WindowsUpdate.admx + RestartWarnRemind + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + RestartWarnRemind LastWrite @@ -59059,8 +68556,8 @@ The options are: - 0 + @@ -59073,6 +68570,11 @@ The options are: text/plain + + WindowsUpdate.admx + AutoRestartNotificationSchd + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + AutoRestartNotificationDisable LastWrite @@ -59082,8 +68584,8 @@ The options are: - 0 + @@ -59096,6 +68598,10 @@ The options are: text/plain + + WindowsUpdate.admx + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + SetEDURestart LastWrite @@ -59105,8 +68611,8 @@ The options are: - CorpWSUS + 
@@ -59119,6 +68625,10 @@ The options are: text/plain + WindowsUpdate.admx + CorpWUURL_Name + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + CorpWuURL LastWrite @@ -59128,8 +68638,8 @@ The options are: - + 
@@ -59143,10 +68653,821 @@ The options are: text/plain phone + WindowsUpdate.admx + CorpWUContentHost_Name + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + CorpWuURL LastWrite + + UserRights + + + + + + + + + + + + + + + + + + + AccessCredentialManagerAsTrustedCaller + + + + + + This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Access Credential Manager ase a trusted caller + LastWrite + 0xF000 + + + + AccessFromNetwork + + + + + + This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Access this computer from the network + LastWrite + 0xF000 + + + + ActAsPartOfTheOperatingSystem + + + + + + This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Act as part of the operating system + LastWrite + 0xF000 + + + + AllowLocalLogOn + + + + + + This user right determines which users can log on to the computer. 
Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Allow log on locally + LastWrite + 0xF000 + + + + BackupFilesAndDirectories + + + + + + This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Back up files and directories + LastWrite + 0xF000 + + + + ChangeSystemTime + + + + + + This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Change the system time + LastWrite + 0xF000 + + + + CreateGlobalObjects + + + + + + This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. 
Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Create global objects + LastWrite + 0xF000 + + + + CreatePageFile + + + + + + This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Create a pagefile + LastWrite + 0xF000 + + + + CreatePermanentSharedObjects + + + + + + This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Create permanent shared objects + LastWrite + 0xF000 + + + + CreateSymbolicLinks + + + + + + This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. 
Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Create symbolic links + LastWrite + 0xF000 + + + + CreateToken + + + + + + This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Create a token object + LastWrite + 0xF000 + + + + DebugPrograms + + + + + + This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. 
+ + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Debug programs + LastWrite + 0xF000 + + + + DenyAccessFromNetwork + + + + + + This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Deny access to this computer from the network + LastWrite + 0xF000 + + + + DenyLocalLogOn + + + + + + This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Deny log on as a service + LastWrite + 0xF000 + + + + DenyRemoteDesktopServicesLogOn + + + + + + This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Deny log on through Remote Desktop Services + LastWrite + 0xF000 + + + + EnableDelegation + + + + + + This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. 
Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Enable computer and user accounts to be trusted for delegation + LastWrite + 0xF000 + + + + GenerateSecurityAudits + + + + + + This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Generate security audits + LastWrite + 0xF000 + + + + ImpersonateClient + + + + + + Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. 
Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. +1) The access token that is being impersonated is for this user. +2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. +3) The requested level is less than Impersonate, such as Anonymous or Identify. +Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Impersonate a client after authentication + LastWrite + 0xF000 + + + + IncreaseSchedulingPriority + + + + + + This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Increase scheduling priority + LastWrite + 0xF000 + + + + LoadUnloadDeviceDrivers + + + + + + This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. 
+ + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Load and unload device drivers + LastWrite + 0xF000 + + + + LockMemory + + + + + + This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Lock pages in memory + LastWrite + 0xF000 + + + + ManageAuditingAndSecurityLog + + + + + + This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Manage auditing and security log + LastWrite + 0xF000 + + + + ManageVolume + + + + + + This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Perform volume maintenance tasks + LastWrite + 0xF000 + + + + ModifyFirmwareEnvironment + + + + + + This user right determines who can modify firmware environment values. 
Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Modify firmware environment values + LastWrite + 0xF000 + + + + ModifyObjectLabel + + + + + + This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Modify an object label + LastWrite + 0xF000 + + + + ProfileSingleProcess + + + + + + This user right determines which users can use performance monitoring tools to monitor the performance of system processes. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Profile single process + LastWrite + 0xF000 + + + + RemoteShutdown + + + + + + This user right determines which users are allowed to shut down a computer from a remote location on the network. 
Misuse of this user right can result in a denial of service. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Force shutdown from a remote system + LastWrite + 0xF000 + + + + RestoreFilesAndDirectories + + + + + + This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Restore files and directories + LastWrite + 0xF000 + + + + TakeOwnership + + + + + + This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~User Rights Assignment + Take ownership of files or other objects + LastWrite + 0xF000 + + + Wifi @@ -59172,8 +69493,8 @@ The options are: - 1 + @@ -59187,6 +69508,9 @@ The options are: text/plain + wlansvc.admx + wlansvc~AT~Network~WlanSvc_Category~WlanSettings_Category + WiFiSense LowestValueMostSecure @@ -59196,8 +69520,8 @@ The options are: - 1 + 
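Review bot: the DenyLocalLogOn node added in the UserRights hunk carries the text of a different right. Its description reads "determines which service accounts are prevented from registering a process as a service" and its display name is "Deny log on as a service". Replace both with the text for denying local logon, or rename the node if the service right is the one intended. In the same hunk, the GenerateSecurityAudits description ends in a fragment ("Shut down system immediately if unable to log security audits security policy setting is enabled."), and the ModifyFirmwareEnvironment description is missing a space after two periods ("processor.On", "Windows.Note:").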
@@ -59211,6 +69535,9 @@ The options are: text/plain + NetworkConnections.admx + NetworkConnections~AT~Network~NetworkConnections + NC_ShowSharedAccessUI LowestValueMostSecure @@ -59220,8 +69547,8 @@ The options are: - 1 + @@ -59244,8 +69571,8 @@ The options are: - 1 + @@ -59268,8 +69595,8 @@ The options are: - 1 + @@ -59292,8 +69619,8 @@ The options are: - 0 + @@ -59306,10 +69633,58 @@ The options are: text/plain + HighestValueMostSecureZeroHasNoLimits + + WindowsConnectionManager + + + + + + + + + + + + + + + + + + + ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork + + + + + + + + + + + + + + + + + text/plain + + phone + WCM.admx + WCM~AT~Network~WCM_Category + WCM_BlockNonDomain + LastWrite + + + WindowsDefenderSecurityCenter @@ -59335,8 +69710,8 @@ The options are: - + @@ -59350,6 +69725,38 @@ The options are: text/plain phone + WindowsDefenderSecurityCenter.admx + Presentation_EnterpriseCustomization_CompanyName + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization + EnterpriseCustomization_CompanyName + LastWrite + + + + DisableAccountProtectionUI + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AccountProtection + AccountProtection_UILockdown LastWrite @@ -59359,8 +69766,8 @@ The options are: - 0 + @@ -59373,7 +69780,39 @@ The options are: text/plain + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AppBrowserProtection + AppBrowserProtection_UILockdown + LastWrite + + + + DisableDeviceSecurityUI + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity + DeviceSecurity_UILockdown LastWrite @@ -59383,8 +69822,8 @@ The options are: - 0 + 
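Review bot: the node name added under WindowsConnectionManager is spelled "ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork", which reads as a misspelling of "Prohibit". If the shipped policy node really uses this spelling, keep it so the DDF matches the device and note that in the commit message; otherwise correct it here before it is copied into SyncML samples.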
@@ -59397,7 +69836,11 @@ The options are: text/plain + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Notifications + Notifications_DisableEnhancedNotifications LastWrite @@ -59407,8 +69850,8 @@ The options are: - 0 + @@ -59421,7 +69864,11 @@ The options are: text/plain + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~FamilyOptions + FamilyOptions_UILockdown LastWrite @@ -59431,8 +69878,8 @@ The options are: - 0 + @@ -59445,7 +69892,11 @@ The options are: text/plain + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DevicePerformanceHealth + DevicePerformanceHealth_UILockdown LastWrite @@ -59455,8 +69906,8 @@ The options are: - 0 + @@ -59469,7 +69920,11 @@ The options are: text/plain + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~FirewallNetworkProtection + FirewallNetworkProtection_UILockdown LastWrite @@ -59479,8 +69934,8 @@ The options are: - 0 + @@ -59493,7 +69948,11 @@ The options are: text/plain + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Notifications + Notifications_DisableNotifications LastWrite @@ -59503,8 +69962,8 @@ The options are: - 0 + @@ -59517,7 +69976,11 @@ The options are: text/plain + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~VirusThreatProtection + VirusThreatProtection_UILockdown LastWrite @@ -59527,8 +69990,8 @@ The options are: - 0 + 
@@ -59541,7 +70004,11 @@ The options are: text/plain + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AppBrowserProtection + AppBrowserProtection_DisallowExploitProtectionOverride LastWrite @@ -59551,8 +70018,8 @@ The options are: - + @@ -59566,6 +70033,10 @@ The options are: text/plain phone + WindowsDefenderSecurityCenter.admx + Presentation_EnterpriseCustomization_Email + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization + EnterpriseCustomization_Email LastWrite @@ -59575,8 +70046,8 @@ The options are: - 0 + @@ -59589,7 +70060,11 @@ The options are: text/plain + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization + EnterpriseCustomization_EnableCustomizedToasts LastWrite @@ -59599,8 +70074,8 @@ The options are: - 0 + 
@@ -59613,7 +70088,95 @@ The options are: text/plain + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization + EnterpriseCustomization_EnableInAppCustomization + LastWrite + + + + HideRansomwareDataRecovery + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~VirusThreatProtection + VirusThreatProtection_HideRansomwareRecovery + LastWrite + + + + HideSecureBoot + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity + DeviceSecurity_HideSecureBoot + LastWrite + + + + HideTPMTroubleshooting + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity + DeviceSecurity_HideTPMTroubleshooting LastWrite @@ -59623,8 +70186,8 @@ The options are: - + @@ -59638,6 +70201,10 @@ The options are: text/plain phone + WindowsDefenderSecurityCenter.admx + Presentation_EnterpriseCustomization_Phone + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization + EnterpriseCustomization_Phone LastWrite @@ -59647,8 +70214,8 @@ The options are: - + @@ -59662,6 +70229,10 @@ The options are: text/plain phone + WindowsDefenderSecurityCenter.admx + Presentation_EnterpriseCustomization_URL + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization + EnterpriseCustomization_URL LastWrite @@ -59691,8 +70262,8 @@ The options are: - 1 + 
@@ -59707,6 +70278,9 @@ The options are: phone + WindowsInkWorkspace.admx + WindowsInkWorkspace~AT~WindowsComponents~WindowsInkWorkspace + AllowSuggestedAppsInWindowsInkWorkspace LowestValueMostSecure @@ -59716,8 +70290,8 @@ The options are: - 2 + @@ -59730,7 +70304,12 @@ The options are: text/plain + phone + WindowsInkWorkspace.admx + AllowWindowsInkWorkspaceDropdown + WindowsInkWorkspace~AT~WindowsComponents~WindowsInkWorkspace + AllowWindowsInkWorkspace LowestValueMostSecure @@ -59760,8 +70339,8 @@ The options are: - + @@ -59787,8 +70366,8 @@ The options are: - + @@ -59808,14 +70387,41 @@ The options are: LastWrite + + EnumerateLocalUsersOnDomainJoinedComputers + + + + + + + + + + + + + + + + + text/plain + + phone + logon.admx + Logon~AT~System~Logon + EnumerateLocalUsers + LastWrite + + HideFastUserSwitching - This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations. 0 + This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations. 
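Review bot: the ADMX file name for the new EnumerateLocalUsersOnDomainJoinedComputers node is written "logon.admx", while the HideFastUserSwitching entry in the next hunk uses "Logon.admx" for the same Logon~AT~System~Logon category. Use one casing for the file name across both entries so that anything matching on this field does not treat them as two different templates.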
@@ -59829,9 +70435,86 @@ The options are: text/plain + Logon.admx + Logon~AT~System~Logon + HideFastUserSwitching HighestValueMostSecure + + SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart + + + + + + + + + + + + + + + + + text/plain + + phone + WinLogon.admx + WinLogon~AT~WindowsComponents~Logon + AutomaticRestartSignOn + LastWrite + + + + + WindowsPowerShell + + + + + + + + + + + + + + + + + + + TurnOnPowerShellScriptBlockLogging + + + + + + + + + + + + + + + + + text/plain + + phone + PowerShellExecutionPolicy.admx + PowerShellExecutionPolicy~AT~WindowsComponents~PowerShell + EnableScriptBlockLogging + LastWrite + + WirelessDisplay @@ -59858,8 +70541,8 @@ The options are: - This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. 1 + This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. @@ -59882,8 +70565,8 @@ The options are: - This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. 1 + This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. @@ -59906,10 +70589,10 @@ The options are: + 1 This policy allows you to turn off projection from a PC. If you set it to 0, your PC cannot discover or project to other devices. If you set it to 1, your PC can discover and project to other devices. - 1 @@ -59932,10 +70615,10 @@ The options are: + 1 This policy allows you to turn off projection from a PC over infrastructure. If you set it to 0, your PC cannot discover or project to other infrastructure devices, though it may still be possible to discover and project over WiFi Direct. If you set it to 1, your PC can discover and project to other devices over infrastructure. - 1 
@@ -59958,10 +70641,10 @@ The options are: + 1 This policy setting allows you to turn off projection to a PC If you set it to 0, your PC isn't discoverable and can't be projected to If you set it to 1, your PC is discoverable and can be projected to above the lock screen only. The user has an option to turn it always on or off except for manual launch, too. - 1 @@ -59976,6 +70659,9 @@ The options are: phone + WirelessDisplay.admx + WirelessDisplay~AT~WindowsComponents~Connect + AllowProjectionToPC LowestValueMostSecure @@ -59985,10 +70671,10 @@ The options are: + 1 This policy setting allows you to turn off projection to a PC over infrastructure. If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. If you set it to 1, your PC can be discoverable and can be projected to over infrastructure. - 1 @@ -60011,8 +70697,8 @@ The options are: - 1 + @@ -60035,10 +70721,10 @@ The options are: + 0 This policy setting allows you to require a pin for pairing. If you turn this on, the pairing ceremony for new devices will always require a PIN If you turn it off or don't configure it, a pin isn't required for pairing. - 0 @@ -60052,6 +70738,9 @@ The options are: text/plain + WirelessDisplay.admx + WirelessDisplay~AT~WindowsComponents~Connect + RequirePinForPairing LowestValueMostSecure diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 5f2c4def03..27677b6c69 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md 
@@ -49,16 +49,16 @@ Supported operation is Exec. Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. **AutomaticRedeployment** -Added in Windows 10, next major update. Node for the Automatic Redeployment operation. +Added in Windows 10, version 1803. Node for the Automatic Redeployment operation. **AutomaticRedeployment/doAutomaticRedeployment** -Added in Windows 10, next major update. Exec on this node triggers Automatic Redeployment operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard. +Added in Windows 10, version 1803. Exec on this node triggers Automatic Redeployment operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard. **AutomaticRedeployment/LastError** -Added in Windows 10, next major update. Error value, if any, associated with Automatic Redeployment operation (typically an HRESULT). +Added in Windows 10, version 1803. Error value, if any, associated with Automatic Redeployment operation (typically an HRESULT). **AutomaticRedeployment/Status** -Added in Windows 10, next major update. Status value indicating current state of an Automatic Redeployment operation. +Added in Windows 10, version 1803. Status value indicating current state of an Automatic Redeployment operation. Supported values: diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md index 7d411543b5..215cc85669 100644 --- a/windows/client-management/mdm/remotewipe-ddf-file.md 
+++ b/windows/client-management/mdm/remotewipe-ddf-file.md @@ -17,7 +17,7 @@ This topic shows the OMA DM device description framework (DDF) for the **RemoteW Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the DDF for Windows 10, next major update. +The XML below is the DDF for Windows 10, version 1803. ``` syntax diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md index 0b6de467ab..d2a2fc6fef 100644 --- a/windows/client-management/mdm/uefi-csp.md +++ b/windows/client-management/mdm/uefi-csp.md @@ -15,7 +15,7 @@ ms.date: 02/01/2018 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, next major update. +The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1803. The following diagram shows the UEFI CSP in tree format. diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index f88849e2b1..16f22e3436 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/11/2017 +ms.date: 03/02/2018 --- # Understanding ADMX-backed policies 
@@ -15,23 +15,6 @@ Due to increased simplicity and the ease with which devices can be targeted, ent Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support will be expanded to allow access of select Group Policy administrative templates (ADMX-backed policies) for Windows PCs via the Policy configuration service provider (CSP). This expanded access ensures that enterprises do not need to compromise security of their devices in the cloud. -## In this section - -- [Background](#background) -- [ADMX files and the Group Policy Editor](#admx-files-and-the-group-policy-editor) -- [ADMX-backed policy examples](#admx-backed-policy-examples) - - [Enabling a policy](#enabling-a-policy) - - [Disabling a policy](#disabling-a-policy) - - [Setting a policy to not configured](#setting-a-policy-to-not-configured) -- [Sample SyncML for various ADMX elements](#sample-syncml-for-various-admx-elements) - - [Text Element](#text-element) - - [MultiText Element](#multitext-element) - - [List Element (and its variations)](#list-element) - - [No Elements](#no-elements) - - [Enum](#enum) - - [Decimal Element](#decimal-element) - - [Boolean Element](#boolean-element) - ## Background In addition to standard policies, the Policy CSP can now also handle ADMX-backed policies. In an ADMX-backed policy, an administrative template contains the metadata of a Window Group Policy and can be edited in the Local Group Policy Editor on a PC. Each administrative template specifies the registry keys (and their values) that are associated with a Group Policy and defines the policy settings that can be managed. Administrative templates organize Group Policies in a hierarchy in which each segment in the hierarchical path is defined as a category. Each setting in a Group Policy administrative template corresponds to a specific registry value. These Group Policy settings are defined in a standards-based, XML file format known as an ADMX file. 
For more information, see [Group Policy ADMX Syntax Reference Guide](https://technet.microsoft.com/en-us/library/cc753471(v=ws.10).aspx). @@ -47,6 +30,16 @@ An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policy Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX-backed policies supported by MDM, see [Policy CSP - ADMX-backed policies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider#admx-backed-policies). +## Video walkthrough + +Here is a video of how to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune. + +> [!VIDEO https://www.microsoft.com/showcase/video.aspx?uuid=bdc9b54b-11b0-4bdb-a022-c339d16e7121] + +Here is a video of how to import a custom ADMX file to a device using Intune. + +> [!VIDEO https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73] + ## ADMX files and the Group Policy Editor To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrator must use a UI, such as the Group Policy Editor (gpedit.msc), to gather the necessary data. The MDM ISV console UI determines how to gather the needed Group Policy data from the IT administrator. ADMX-backed Group Policies are organized in a hierarchy and can have a scope of machine, user, or both. The Group Policy example in the next section uses a machine-wide Group Policy named “Publishing Server 2 Settings.” When this Group Policy is selected, its available states are **Not Configured**, **Enabled**, and **Disabled**. 
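Review bot: in the new "Video walkthrough" section, the first sentence writes "a custom xml" and then "the XML" a few words later; capitalize both. Since this patch also removes the "In this section" list, consider linking the written "Enabling a policy" example next to the first video so the steps can still be reached without playing it.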
diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index 01af9b2577..67de432346 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/26/2017 +ms.date: 02/23/2018 --- # Update CSP @@ -76,7 +76,7 @@ The following diagram shows the Update configuration service provider in tree fo

    Supported operation is Get. **FailedUpdates/*Failed Update Guid*/RevisionNumber** -

    Added in the next major update of Windows 10. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +

    Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.

    Supported operation is Get. @@ -91,7 +91,7 @@ The following diagram shows the Update configuration service provider in tree fo

    Supported operation is Get. **InstalledUpdates/*Installed Update Guid*/RevisionNumber** -

    Added in the next major update of Windows 10. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +

    Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.

    Supported operation is Get. @@ -135,7 +135,7 @@ The following diagram shows the Update configuration service provider in tree fo

    Supported operation is Get. **PendingRebootUpdates/*Pending Reboot Update Guid*/RevisionNumber** -

    Added in the next major update of Windows 10. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +

    Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.

    Supported operation is Get. @@ -149,6 +149,38 @@ The following diagram shows the Update configuration service provider in tree fo

    Supported operation is Get. +**Rollback** +Added in Windows 10, version 1803. Node for the rollback operations. + +**Rollback/QualityUpdate** +Added in Windows 10, version 1803. Roll back latest Quality Update, if the machine meets the following conditions: + +- Condition 1: Device must be Windows Update for Business Connected +- Condition 2: Device must be in a Paused State +- Condition 3: Device must have the Latest Quality Update installed on the device (Current State) + +If the conditions are not true, the device will not Roll Back the Latest Quality Update. + +**Rollback/FeatureUpdate** +Added in Windows 10, version 1803. Roll Back Latest Feature Update, if the machine meets the following conditions: + +- Condition 1: Device must be Windows Update for Business Connnected +- Condition 2: Device must be in Paused State +- Condition 3: Device must have the Latest Feature Update Installed on the device (Current State) +- Condition 4: Machine should be within the uninstall period + +> [!Note] +> This only works for Semi Annual Channel Targeted devices. + +If the conditions are not true, the device will not Roll Back the Latest Feature Update. + + +**Rollback/QualityUpdateStatus** +Added in Windows 10, version 1803. Returns the result of last RollBack QualityUpdate operation. + +**Rollback/FeatureUpdateStatus** +Added in Windows 10, version 1803. Returns the result of last RollBack FeatureUpdate operation. + ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md index 00056f6fc8..b628189e10 100644 --- a/windows/client-management/mdm/update-ddf-file.md +++ b/windows/client-management/mdm/update-ddf-file.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 12/05/2017 +ms.date: 02/23/2018 --- # Update DDF file 
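Review bot: the three RevisionNumber hunks in update-csp.md (FailedUpdates, InstalledUpdates, PendingRebootUpdates) replace "the next major update of Windows 10" with "version 1703", while similar "next major update" wording in remotewipe-csp.md and uefi-csp.md becomes "version 1803" in this same patch. Confirm 1703 is intended for these nodes and, if so, say so in the commit message so the difference does not read as a slip.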
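Review bot: in the Rollback/FeatureUpdate conditions added to update-csp.md, "Windows Update for Business Connnected" has a typo (three n's); the matching QualityUpdate condition spells it "Connected". The two lists also differ in wording ("in a Paused State" against "in Paused State"), and the status descriptions write "RollBack" while the node names use "Rollback"; align them. None of the five new Rollback nodes states its supported operation, which the other nodes in this file do ("Supported operation is Get."); add that line for each.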
@@ -16,522 +16,643 @@ This topic shows the OMA DM device description framework (DDF) for the **Update* Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is for Windows 10, version 1803. ``` syntax ]> + "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd" + []> - 1.2 + 1.2 + + Update + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.1/MDM/Update + + - Update - ./Vendor/MSFT + ApprovedUpdates + + + + + + + Approve of specific updates to be installed on a device and accept the EULA associated with the update on behalf of the end-user + + + + + + + + + + Approved Updates + + + + + + - - - - - - - - - - - - - - - + + + + UpdateID field of the UpdateIdentity is used to display relevant update metadata to IT and approved updates to be installed on the device + + + + + + + + + + Approved Update Guid + + + - ApprovedUpdates - - - - - - - Approve of specific updates to be installed on a device and accept the EULA associated with the update on behalf of the end-user - - - - - - - - - - Approved Updates - - - - - - - - - - - UpdateID field of the UpdateIdentity is used to display relevant update metadata to IT and approved updates to be installed on the device - - - - - - - - - - Approved Update Guid - - - - - - ApprovedTime - - - - - 0 - The time updates get approved - - - - - - - - - The time update get approved - - text/plain - - - - - - - FailedUpdates - - - - - Approved updates that failed to install on a device - - - - - - - - - - Failed Updates - - - - - - - - - - - UpdateID field of the UpdateIdentity GUID that represent an update that failed to install - - - - - - - - - - - - - Failed Update Guid - - - - - - HResult - - - - - 0 - Update failure error code - - - - - - - - - - HResult - - text/plain - - - - - Status - - - - - Update failure status - - - - - - - - - - - - - Failed update status - - 
text/plain - - - - - RevisionNumber - - - - - The revision number of the update - - - - - - - - - - Update's revision number - - text/plain - - - - - - - InstalledUpdates - - - - - Updates that are installed on the device - - - - - - - - - - Installed Updates - - - - - - - - - - - UpdateIDs that represent the updates installed on a device - - - - - - - - - - Installed Update Guid - - - - - - RevisionNumber - - - - - The revision number of the update - - - - - - - - - - Update's revision number - - text/plain - - - - - - - InstallableUpdates - - - - - Updates that are applicable and not yet installed on the device - - - - - - - - - - Installable Updates - - - - - - - - - - - UpdateIDs that represent the updates applicable and not installed on a device - - - - - - - - - - Installable Update Guid - - - - - - Type - - - - - - The UpdateClassification value of the update - Values: - 0 = None - 1 = Security - 2 = Critical - - - - - - - - - - - Type of update - - text/plain - - - - - RevisionNumber - - - - - The revision number of the update - - - - - - - - - - Update's revision number - - text/plain - - - - - - - PendingRebootUpdates - - - - - - - - - - - - - - - - - - - - - - - - Devices in the pending reboot state - - - - - - - - - - - - - Pending Reboot Update Guid - - - - - - InstalledTime - - - - - The time the update installed. - - - - - - - - - InstalledTime - - text/plain - - - - - RevisionNumber - - - - - The revision number of the update - - - - - - - - - - Update's revision number - - text/plain - - - - - - - LastSuccessfulScanTime - - - - - 0 - Last success scan time. - - - - - - - - - - - - LastSuccessfulScanTime - - text/plain - - - - - DeferUpgrade - - - - - 0 - Defer upgrades till the next upgrade period (at least a few months). 
- - - - - - - - - - - - - - text/plain - - + ApprovedTime + + + + + 0 + The time updates get approved + + + + + + + + + The time update get approved + + text/plain + + + + + FailedUpdates + + + + + Approved updates that failed to install on a device + + + + + + + + + + Failed Updates + + + + + + + + + + + UpdateID field of the UpdateIdentity GUID that represent an update that failed to install + + + + + + + + + + + + + Failed Update Guid + + + + + + HResult + + + + + 0 + Update failure error code + + + + + + + + + + HResult + + text/plain + + + + + Status + + + + + Update failure status + + + + + + + + + + + + + Failed update status + + text/plain + + + + + RevisionNumber + + + + + The revision number of the update + + + + + + + + + + Update's revision number + + text/plain + + + + + + + InstalledUpdates + + + + + Updates that are installed on the device + + + + + + + + + + Installed Updates + + + + + + + + + + + UpdateIDs that represent the updates installed on a device + + + + + + + + + + Installed Update Guid + + + + + + RevisionNumber + + + + + The revision number of the update + + + + + + + + + + Update's revision number + + text/plain + + + + + + + InstallableUpdates + + + + + Updates that are applicable and not yet installed on the device + + + + + + + + + + Installable Updates + + + + + + + + + + + UpdateIDs that represent the updates applicable and not installed on a device + + + + + + + + + + Installable Update Guid + + + + + + Type + + + + + + The UpdateClassification value of the update + Values: + 0 = None + 1 = Security + 2 = Critical + + + + + + + + + + + Type of update + + text/plain + + + + + RevisionNumber + + + + + The revision number of the update + + + + + + + + + + Update's revision number + + text/plain + + + + + + + PendingRebootUpdates + + + + + + + + + + + + + + + + + + + + + + + + Devices in the pending reboot state + + + + + + + + + + + + + Pending Reboot Update Guid + + + + + + InstalledTime + + + + + The time the update installed. 
+ + + + + + + + + InstalledTime + + text/plain + + + + + RevisionNumber + + + + + The revision number of the update + + + + + + + + + + Update's revision number + + text/plain + + + + + + + LastSuccessfulScanTime + + + + + 0 + Last success scan time. + + + + + + + + + + + + LastSuccessfulScanTime + + text/plain + + + + + DeferUpgrade + + + + + 0 + Defer upgrades till the next upgrade period (at least a few months). + + + + + + + + + + + + + + text/plain + + + + + Rollback + + + + + + + + + + + + + + + + + + + QualityUpdate + + + + + + Roll back Latest Quality Update, if the machine meets the following conditions: + Condition 1: Device must be WUfB Connected + Condition 2: Device must be in a Paused State + Condition 3: Device must have the Latest Quality Update installed on the device (Current State) + If the conditions are not true, the device will not Roll Back the Latest Quality Update. + + + + + + + + + + + QualityUpdate + + text/plain + + + + + FeatureUpdate + + + + + + Roll Back Latest Feature Update, if the machine meets the following conditions: + Condition 1: Device must be WUfB Connnected + Condition 2: Device must be in Paused State + Condition 3: Device must have the Latest Feature Update Installed on the device (Current State) + Condition 4: Machine should be within the uninstall period + If the conditions are not true, the device will not Roll Back the Latest Feature Update. + + + + + + + + + + + FeatureUpdate + + text/plain + + + + + QualityUpdateStatus + + + + + Returns the result of last RollBack QualityUpdate opearation. + + + + + + + + + + QualityUpdateStatus + + text/plain + + + + + FeatureUpdateStatus + + + + + Returns the result of last RollBack FeatureUpdate opearation. + + + + + + + + + + FeatureUpdateStatus + + text/plain + + + + + ``` diff --git a/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md index d6c2534f87..819b8ca97a 100644 
--- a/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -9,7 +9,7 @@ ms.pagetype: security ms.localizationpriority: high author: eross-msft ms.author: lizross -ms.date: 04/05/2017 +ms.date: 03/13/2018 --- 
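Review bot: In the update-ddf-file.md hunk above, the descriptions added for QualityUpdateStatus and FeatureUpdateStatus misspell "operation" as "opearation", and the FeatureUpdate description carries the same "Connnected" typo as the CSP topic. Fix both in the XML so the DDF text and the CSP reference stay word-for-word consistent. The intro line now says the XML "is for Windows 10, version 1803" instead of "the current version for this CSP"; if older DDF versions are still meant to be discoverable, say where.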
@@ -832,13 +832,17 @@ This event represents the basic metadata about a file on the system. The file m The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. +- **AvDisplayName** The version of the Appraiser file generating the events. +- **AvProductState** If the app is an anti-virus app, this is its display name. +- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64 - **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. - **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. -- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64 - **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. - **CompanyName** The company name of the vendor who developed this file. - **FileId** A hash that uniquely identifies a file. - **FileVersion** The File version field from the file metadata under Properties -> Details. +- **HasUpgradeExe** Represents state of antivirus program with respect to whether it's turned on and the signatures are up-to-date. +- **IsAv** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64 - **LinkDate** The date and time that this file was linked on. - **LowerCaseLongPath** The full file path to the file that was inventoried on the device. 
- **Name** The name of the file that was inventoried. @@ -847,6 +851,24 @@ The following fields are available: - **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. - **Size** The size of the file (in hexadecimal bytes). +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd + +This event represents the drivers that an application installs. + +The following fields are available: + +- **InventoryVersion** The version of the inventory component +- **Programids** The unique program identifier the driver is associated with. + + +## Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync + +This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. + ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove 
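Review bot: The new InventoryApplicationDriverStartSync heading is added at `##` while InventoryApplicationDriverAdd directly above it and InventoryApplicationFileRemove directly below it use `###`, so it will render as a top-level section and break the outline. Its description also refers to "InventoryApplicationDriverStartAdd events", a name that matches neither of the two events added here; it presumably means InventoryApplicationDriverAdd. Minor: the first **InventoryVersion** bullet lacks its closing period, and **Programids** is cased differently from **ProgramId** in the context lines just above.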
@@ -1628,15 +1650,19 @@ This event sends data about the processor (architecture, speed, number of cores, The following fields are available: -- **ProcessorCores** Retrieves the number of cores in the processor. -- **ProcessorPhysicalCores** Number of physical cores in the processor. +- **KvaShadow** Microcode info of the processor. +- **MMSettingOverride** Microcode setting of the processor. +- **MMSettingOverrideMask** Microcode setting override of the processor. - **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. The complete list of values can be found in DimProcessorArchitecture. - **ProcessorClockSpeed** Retrieves the clock speed of the processor in MHz. +- **ProcessorCores** Retrieves the number of cores in the processor. +- **ProcessorIdentifier** The processor identifier of a manufacturer. - **ProcessorManufacturer** Retrieves the name of the processor's manufacturer. - **ProcessorModel** Retrieves the name of the processor model. -- **SocketCount** Number of physical CPU sockets of the machine. -- **ProcessorIdentifier** The processor identifier of a manufacturer. +- **ProcessorPhysicalCores** Number of physical cores in the processor. - **ProcessorUpdateRevision** The microcode version. +- **SocketCount** Number of physical CPU sockets of the machine. +- **SpeculationControl** Clock speed of the processor in MHz. ### Census.Speech diff --git a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md index eac9fde18a..dad1cbe857 100644 --- a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md +++ b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: eross-msft ms.author: lizross -ms.date: 02/12/2018 +ms.date: 03/13/2018 --- 
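Review bot: In the processor-fields hunk (@@ -1628,15 +1650,19 @@), the added **SpeculationControl** bullet is described as "Clock speed of the processor in MHz.", which reads as a copy-paste of the **ProcessorClockSpeed** description a few lines above it. **KvaShadow**, **MMSettingOverride** and **MMSettingOverrideMask** are described only as microcode "info", "setting" and "setting override", which does not tell an admin auditing this telemetry what each field reports or what values to expect, and overlaps with **ProcessorUpdateRevision** ("The microcode version."). Please replace all four with the actual field meanings before merging; the alphabetical reorder of the existing bullets looks fine.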
@@ -30,9 +30,9 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) -- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) -- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) +- [Windows 10, version 1703 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) +- [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services) +- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization) 
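Review bot: These three links change from relative `.md` paths to absolute https://docs.microsoft.com URLs, while the configure-windows-diagnostic-data-in-your-organization.md hunk later in this same patch goes the other way and replaces an absolute docs.microsoft.com URL with a relative `.md` path. Pick one convention for in-repo cross-references; if the absolute form is needed here for a specific reason, state it in the commit message.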
@@ -317,6 +317,8 @@ This event represents the basic metadata about a file on the system. The file m The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. +- **AvDisplayName** The version of the Appraiser file generating the events. +- **AvProductState** If the app is an anti-virus app, this is its display name. - **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64 - **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. - **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. @@ -324,6 +326,8 @@ The following fields are available: - **CompanyName** The company name of the vendor who developed this file. - **FileId** A hash that uniquely identifies a file. - **FileVersion** The File version field from the file metadata under Properties -> Details. +- **HasUpgradeExe** Represents state of antivirus program with respect to whether it's turned on and the signatures are up-to-date. +- **IsAv** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64 - **LinkDate** The date and time that this file was linked on. - **LowerCaseLongPath** The full file path to the file that was inventoried on the device. - **Name** The name of the file that was inventoried. 
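Review bot: The descriptions on the four added bullets are shifted onto the wrong fields. **AvDisplayName** repeats the **AppraiserVersion** text, **AvProductState** carries what is clearly the display-name description ("If the app is an anti-virus app, this is its display name."), **HasUpgradeExe** carries the antivirus-state description, and **IsAv** repeats the **BinaryType** text including its enum list. Re-pair them: the display-name sentence belongs to AvDisplayName and the turned-on/signatures sentence to AvProductState, and HasUpgradeExe and IsAv need descriptions of their own. The same four lines appear in the 1703 topic's hunk and need the same fix.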
@@ -332,6 +336,23 @@ The following fields are available: - **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. - **Size** The size of the file (in hexadecimal bytes). +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd + +This event represents the drivers that an application installs. + +The following fields are available: + +- **InventoryVersion** The version of the inventory component +- **Programids** The unique program identifier the driver is associated with. + + +## Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync + +This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd @@ -1593,6 +1614,9 @@ This event sends data about the processor (architecture, speed, number of cores, The following fields are available: +- **KvaShadow** Microcode info of the processor. +- **MMSettingOverride** Microcode setting of the processor. +- **MMSettingOverrideMask** Microcode setting override of the processor. - **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. The complete list of values can be found in DimProcessorArchitecture. - **ProcessorClockSpeed** Retrieves the clock speed of the processor in MHz. - **ProcessorCores** Retrieves the number of cores in the processor. @@ -1602,6 +1626,7 @@ The following fields are available: - **ProcessorPhysicalCores** Number of physical cores in the processor. - **ProcessorUpdateRevision** The microcode version. - **SocketCount** Number of physical CPU sockets of the machine. +- **SpeculationControl** Clock speed of the processor in MHz. ### Census.Security 
@@ -2354,7 +2379,7 @@ The following fields are available: - **enumerator** The bus that enumerated the device - **HWID** A JSON array that provides the value and order of the HWID tree for the device. - **Inf** The INF file name. -- **installState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx +- **installState** The device installation state. One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx - **InventoryVersion** The version of the inventory file generating the events. - **lowerClassFilters** Lower filter class drivers IDs installed for the device. - **lowerFilters** Lower filter drivers IDs installed for the device 
@@ -2506,21 +2531,21 @@ There are no fields in this event. This event provides data on the installed Office-related Internet Explorer features. -- **OIeFeatureAddon** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). -- **OIeMachineLockdown** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). -- **OIeMimeHandling** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). -- **OIeMimeSniffing** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). -- **OIeNoAxInstall** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). -- **OIeNoDownload** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). -- **OIeObjectCaching** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). -- **OIePasswordDisable** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). -- **OIeSafeBind** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). -- **OIeSecurityBand** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). -- **OIeUncSaveCheck** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). 
-- **OIeValidateUrl** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). -- **OIeWebOcPopup** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). -- **OIeWinRestrict** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). -- **OIeZoneElevate** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). +- **OIeFeatureAddon** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). +- **OIeMachineLockdown** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). +- **OIeMimeHandling** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). +- **OIeMimeSniffing** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). +- **OIeNoAxInstall** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). +- **OIeNoDownload** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). +- **OIeObjectCaching** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). +- **OIePasswordDisable** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). +- **OIeSafeBind** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). 
+- **OIeSecurityBand** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). +- **OIeUncSaveCheck** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). +- **OIeValidateUrl** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). +- **OIeWebOcPopup** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). +- **OIeWinRestrict** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). +- **OIeZoneElevate** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 144f6425e6..02dee783c1 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md 
@@ -8,18 +8,24 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high author: jdeckerms -ms.date: 02/12/2018 +ms.date: 03/13/2018 --- # Change history for Configure Windows 10 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## March 2018 + +New or changed topic | Description +--- | --- +[Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) and [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) | Added events and fields that were added in the March update. + ## February 2018 New or changed topic | Description --- | --- -[Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) | Added events and fields that were added in the February update. +[Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) and [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) | Added events and fields that were added in the February update. [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Added steps for configuring a kiosk in Microsoft Intune. [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | Updated the instructions for applying a customized Start layout using Microsoft Intune. diff --git a/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md b/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md index 6a85eb7c57..9529995ecb 100644 --- a/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md 
+++ b/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md @@ -278,7 +278,7 @@ Windows Analytics Device Health reports are powered by diagnostic data not inclu In Windows 10, version 1709, we introduce the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic. -- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/eventname) topic. +- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic. - **Some crash dump types.** All crash dump types, except for heap and full dumps. diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index e5720e332c..abe019f76c 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -37,6 +37,9 @@ "ms.topic": "article", "ms.author": "jdecker", "ms.date": "04/05/2017", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.win-configuration" 
diff --git a/windows/configuration/manage-windows-endpoints-version-1709.md b/windows/configuration/manage-windows-endpoints-version-1709.md index 1c52da910b..1ce981a341 100644 --- a/windows/configuration/manage-windows-endpoints-version-1709.md +++ b/windows/configuration/manage-windows-endpoints-version-1709.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: high author: brianlic-msft -ms.author: brianlic-msft +ms.author: brianlic ms.date: 11/21/2017 --- # Manage Windows 10 connection endpoints @@ -318,7 +318,6 @@ If you turn off traffic for these endpoints, users won't be able to save documen | system32\Auth.Host.exe | HTTPS | outlook.office365.com | The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. -ently used documents. | Source process | Protocol | Destination | |----------------|----------|------------| diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index d933b0bc8f..4c5d461287 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md 
@@ -73,7 +73,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate ![enter settings for first app](../images/wcd-app-commands.png) -### Add a universal app to your package +## Add a universal app to your package Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Microsoft Store for Business apps that you acquire with [offline licensing](/microsoft-store/acquire-apps-windows-store-for-business), or third-party apps. This procedure will assume you are distributing apps from the Microsoft Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer. @@ -108,7 +108,7 @@ Universal apps that you can distribute in the provisioning package can be line-o -### Add a certificate to your package +## Add a certificate to your package 1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. @@ -123,11 +123,11 @@ Universal apps that you can distribute in the provisioning package can be line-o 5. For **KeyLocation**, select **Software only**. -### Add other settings to your package +## Add other settings to your package For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). -### Build your package +## Build your package 1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md index ef86f5916c..5ec8571305 100644 --- a/windows/configuration/ue-v/uev-getting-started.md +++ b/windows/configuration/ue-v/uev-getting-started.md 
@@ -6,7 +6,7 @@ ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 03/08/2018 --- # Get Started with UE-V @@ -25,7 +25,7 @@ The standard installation of UE-V synchronizes the default Microsoft Windows and - [Step 2: Deploy the settings storage location](#step-2-deploy-the-settings-storage-location). Explains how to deploy a settings storage location. All UE-V deployments require a location to store settings packages that contain the synchronized setting values. -- [Step 3: Enable the UE-V service](#step-3-enable-the-ue-v-service-on-user-devices). Explains how to enable to UE-V service on user devices. To synchronize settings using UE-V, devices must have the UE-V service enabled and running. +- [Step 3: Enable and configure the UE-V service](#step-3-enable-the-ue-v-service-on-user-devices). Explains how to enable to UE-V service on user devices and configure the storage path. To synchronize settings using UE-V, devices must have the UE-V service enabled and running. - [Step 4: Test Your UE-V evaluation deployment](#step-4-test-your-ue-v-evaluation-deployment). Run a few tests on two computers with the UE-V service enabled to see how UE-V works and if it meets your organization’s needs. 
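Review bot: The Step 3 bullet updates the link text but keeps the target `#step-3-enable-the-ue-v-service-on-user-devices`, while the next hunk renames that heading to "Step 3: Enable and configure the UE-V service on user devices". The Step 2 and Step 4 links in this list use anchors derived from their heading text, so this one will stop resolving once the heading changes; update it to match the new heading. While touching the line, "how to enable to UE-V service" should read "how to enable the UE-V service".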
@@ -73,13 +73,34 @@ You’ll need to deploy a settings storage location, a standard network share wh 2. Set the registry key value to *1*. -## Step 3: Enable the UE-V service on user devices +## Step 3: Enable and configure the UE-V service on user devices For evaluation purposes, enable the service on at least two devices that belong to the same user in your test environment. The UE-V service is the client-side component that captures user-personalized application and Windows settings and saves them in settings packages. Settings packages are built, locally stored, and copied to the settings storage location. -Before enabling the UE-V service, you'll need to register the UE-V templates for first use. In a PowerShell window, type `register-TemplateName` where **TemplateName** is the name of the UE-V template you want to register, and press ENTER. +Before enabling the UE-V service, you'll need to register the UE-V templates for first use. In a PowerShell window, type `Register-UevTemplate [TemplateName]` where **TemplateName** is the name of the UE-V template you want to register, and press ENTER. For instance, to register all built-in UE-V templates, use the following PowerShell Command: +'Get-childItem c:\programdata\Microsoft\UEV\InboxTemplates\*.xml|% {Register-UevTemplate $_.Fullname}' + +A storage path must be configured on the client-side to tell where the personalized settings are stored. + +**To set the storage path for UE-V with Group Policy** + +1. Open the device’s **Group Policy Editor**. + +2. Navigate to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft** **User Experience Virtualization**. + +3. Double click **Settings storage path**. + +4. Select **Enabled**, fill in the **Settings storage path**, and click **OK**. + + - Ensure that the storage path ends with **%username%** to ensure that eah user gets a unique folder. + +**To set the storage path for UE-V with PowerShell** + +1. 
In a PowerShell window, type **Set-uevConfiguration -SettingsStoragePath [StoragePath]** where **[StoragePath]** is the path to the location created in step 2 followed by **\%username%**. + + - Ensure that the storage path ends with **%username%** to ensure that eah user gets a unique folder. With Windows 10, version 1607 and later, the UE-V service is installed on user devices when the operating system is installed. Enable the service to start using UE-V. You can enable the service with the Group Policy editor or with Windows PowerShell. @@ -89,9 +110,11 @@ With Windows 10, version 1607 and later, the UE-V service is installed on user d 2. Navigate to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft** **User Experience Virtualization**. -3. Run **Enable UEV**. +3. Double click **Use Users Experience Virtualization (UE-V)**. -4. Restart the device. +4. Select **Enabled** and click **OK**. + +5. Restart the device. **To enable the UE-V service with Windows PowerShell** diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md index 5be53d2953..2df8e81ee7 100644 --- a/windows/configuration/wcd/wcd-accounts.md +++ b/windows/configuration/wcd/wcd-accounts.md @@ -42,7 +42,7 @@ Specifies the settings you can configure when joining a device to a domain, incl | --- | --- | --- | | Account | string | Account to use to join computer to domain | | AccountOU | string | Name of organizational unit for the computer account | -| ComputerName | Specify a unique name for the domain-joined computers using %RAND:x%, where x is an integer less than 15 digits long, or using %SERIALNUMBER% characters in the name.

    ComputerName is a string with a maximum length of 15 bytes of content:

    - ComputerName can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content.

    - ComputerName cannot use spaces or any of the following characters: \{ | \} ~ \[ \\ \] ^ ' : ; < = > ? @ ! " \# $ % ` \( \) + / . , \* &, or contain any spaces.

    - ComputerName cannot use some non-standard characters, such as emoji.

    Computer names that cannot be validated through the DnsValidateName function cannot be used, for example, computer names that only contain numbers (0-9). For more information, see the [DnsValidateName function](http://go.microsoft.com/fwlink/?LinkId=257040). | Specifies the name of the Windows device (computer name on PCs) | +| ComputerName | Specify a unique name for the domain-joined computers using %RAND:x%, where x is an integer less than 15 digits long, or using %SERIAL% characters in the name.

    ComputerName is a string with a maximum length of 15 bytes of content:

    - ComputerName can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content.

    - ComputerName cannot use spaces or any of the following characters: \{ | \} ~ \[ \\ \] ^ ' : ; < = > ? @ ! " \# $ % ` \( \) + / . , \* &, or contain any spaces.

    - ComputerName cannot use some non-standard characters, such as emoji.

    Computer names that cannot be validated through the DnsValidateName function cannot be used, for example, computer names that only contain numbers (0-9). For more information, see the [DnsValidateName function](http://go.microsoft.com/fwlink/?LinkId=257040). | Specifies the name of the Windows device (computer name on PCs) | | DomainName | string (cannot be empty) | Specify the name of the domain that the device will join | | Password | string (cannot be empty) | Corresponds to the password of the user account that's authorized to join the computer account to the domain. | @@ -55,4 +55,4 @@ Use these settings to add local user accounts to the device. | UserName | string (cannot be empty) | Specify a name for the local user account | | HomeDir | string (cannot be ampty) | Specify the path of the home directory for the user | | Password | string (cannot be empty) | Specify the password for the user account | -| UserGroup | string (cannot be empty) | Specify the local user group for the user | \ No newline at end of file +| UserGroup | string (cannot be empty) | Specify the local user group for the user | diff --git a/windows/configuration/windows-diagnostic-data.md b/windows/configuration/windows-diagnostic-data.md index e3c5fb9fa4..20b60ae7b9 100644 --- a/windows/configuration/windows-diagnostic-data.md +++ b/windows/configuration/windows-diagnostic-data.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 01/30/2018 +ms.date: 03/13/2018 --- # Windows 10, version 1709 diagnostic data for the Full level 
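Review bot: In the UE-V Get Started hunk `@@ -73,13 +73,34 @@`, the added `Get-childItem ... |% {Register-UevTemplate $_.Fullname}` one-liner is wrapped in straight single quotes instead of backticks, so it renders as body text, and a reader who pastes it with the quotes gets a PowerShell string literal echoed back rather than the templates being registered. Put it in a code span or fenced block. In the same hunk, the sentence calls the argument **TemplateName** while the example passes the template file's full path, so describe it as the path to the template file. "eah user" should be "each user" in both new bullets, and `**\%username%**` in the PowerShell step should be written as code so the backslash that separates the share path from the per-user folder is not treated as a Markdown escape.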
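Review bot: In the ComputerName row of wcd-accounts.md, the cell still lists `%` among the forbidden characters right after telling the reader to build the name from `%RAND:x%` or `%SERIAL%`, and the same bullet says "cannot use spaces" at its start and "or contain any spaces" at its end. Since this hunk already rewrites the cell to change `%SERIALNUMBER%` to `%SERIAL%`, say whether the character and 15-byte limits apply to the name before or after the tokens are expanded, and drop the duplicate clause about spaces.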
@@ -16,7 +16,7 @@ ms.date: 01/30/2018 Applies to: - Windows 10, version 1709 -Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1709 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md). +Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1709 Basic level diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields). In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology -- Cloud computing -- Cloud services and devices: Data flow, data categories and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. 
These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard. @@ -129,7 +129,7 @@ This type of data includes details about the health of the device, operating sys **For Diagnostics:**
    [Pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example: -- Data about the reliability of content that appears in the [Windows Spotlight](https://docs.microsoft.com/en-us/windows/configuration/windows-spotlight) (rotating lock screen images) is used for Windows Spotlight reliability investigations. +- Data about the reliability of content that appears in the [Windows Spotlight](https://docs.microsoft.com/windows/configuration/windows-spotlight) (rotating lock screen images) is used for Windows Spotlight reliability investigations. - Timing data about how quickly Cortana responds to voice commands is used to improve Cortana listening peformance. diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index c2d63ceca8..b110f3c3c8 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -1,4 +1,4 @@ -# [Deploy and update Windows 10](index.md) +# [Deploy and update Windows 10](https://docs.microsoft.com/en-us/windows/deployment) ## [What's new in Windows 10 deployment](deploy-whats-new.md) ## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) 
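Review bot: The new top-level TOC target hard-codes the locale, `https://docs.microsoft.com/en-us/windows/deployment`, while the windows-diagnostic-data.md hunk just above removes `/en-us/` from the Windows Spotlight link. Use the locale-neutral form here as well, or a site-relative path like the `/windows/windows-10` link already used in change-history-for-deploy-windows-10.md, so localized readers are not sent to the English page. The same `en-us` URL is introduced in change-history-for-deploy-windows-10.md and should be changed together with this one.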
@@ -224,11 +224,12 @@ ### [Manage device restarts after updates](update/waas-restart.md) ### [Manage additional Windows Update settings](update/waas-wu-settings.md) ### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md) +#### [Introduction to the Windows Insider Program for Business](update/WIP4Biz-intro.md) #### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md) #### [Olympia Corp enrollment](update/olympia/olympia-enrollment-guidelines.md) ### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md) -## Windows Analytics +## [Windows Analytics](update/windows-analytics-overview.md) ### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) #### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md) #### [Upgrade Readiness requirements](upgrade/upgrade-readiness-requirements.md) diff --git a/windows/deployment/change-history-for-deploy-windows-10.md b/windows/deployment/change-history-for-deploy-windows-10.md index bd0da028fe..5f48b4eb49 100644 --- a/windows/deployment/change-history-for-deploy-windows-10.md +++ b/windows/deployment/change-history-for-deploy-windows-10.md @@ -10,7 +10,7 @@ ms.date: 11/08/2017 --- # Change history for Deploy Windows 10 -This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). +This topic lists new and updated topics in the [Deploy Windows 10](https://docs.microsoft.com/en-us/windows/deployment) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). ## November 2017 diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index 53297d9119..40c3fdf557 100644 
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md @@ -442,7 +442,7 @@ For that reason, add only a minimal set of rules to Bootstrap.ini, such as which 3. Click **Edit Bootstrap.ini** and modify using the following information: ``` syntax - Settings] + [Settings] Priority=Default [Default] DeployRoot=\\MDT01\MDTBuildLab$ diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index 0c1117e840..e722db5465 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json @@ -3,7 +3,8 @@ "content": [ { "files": [ - "**/*.md" + "**/*.md", + "**/*.yml" ], "exclude": [ "**/obj/**", @@ -37,6 +38,9 @@ "ms.topic": "article", "ms.author": "greglin", "ms.date": "04/05/2017", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.win-development" diff --git a/windows/deployment/index.md b/windows/deployment/index.md deleted file mode 100644 index f63641d04f..0000000000 --- a/windows/deployment/index.md +++ /dev/null 
@@ -1,76 +0,0 @@ ---- -title: Deploy and update Windows 10 (Windows 10) -description: Deploying and updating Windows 10 for IT professionals. -ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: high -ms.date: 12/13/2017 -author: greg-lindsay ---- - -# Deploy and update Windows 10 - -Learn about deployment in Windows 10 for IT professionals. This includes deploying the operating system, upgrading to it from previous versions and updating Windows 10. The following sections and topics are available. - -|Topic |Description | -|------|------------| -|[What's new in Windows 10 deployment](deploy-whats-new.md) |See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. | -|[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. | -|[Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) |Windows 10 Enterprise has traditionally been sold as on premises software, however, with Windows 10 version 1703 (also known as the Creator’s Update), both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as true online services via subscription. You can move from Windows 10 Pro to Windows 10 Enterprise with no keys and no reboots. If you are using a Cloud Service Providers (CSP) see the related topic: [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). 
| -|[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. | - - -## Deploy Windows 10 - -Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. - -|Topic |Description | -|------|------------| -|[Overview of Windows AutoPilot](windows-autopilot/windows-10-autopilot.md) |Windows AutoPilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices. | -|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. | -|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. | -|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about media available in the Microsoft Volume Licensing Service Center. | -|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. 
| -|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). | -|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. | -|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). | -|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. | -|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. | - -## Update Windows 10 - -Information is provided about keeping Windows 10 up-to-date. 
- -|Topic |Description | -|------|------------| -| [Quick guide to Windows as a service](update/waas-quick-start.md) | Provides a brief summary of the key points for the new servicing model for Windows 10. | -| [Overview of Windows as a service](update/waas-overview.md) | Explains the differences in building, deploying, and servicing Windows 10; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. | -| [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. | -| [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md) | Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates. | -| [Assign devices to servicing branches for Windows 10 updates](update/waas-servicing-branches-windows-10-updates.md) | Explains how to assign devices to Current Branch (CB) or Current Branch for Business (CBB) for feature and quality updates, and how to enroll devices in Windows Insider. | -| [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md) | Explains how to use Windows Analytics: Update Compliance to monitor and manage Windows Updates on devices in your organization. | -| [Optimize update delivery for Windows 10 updates](update/waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. | -| [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md) | Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. | -| [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. 
Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. | -| [Deploy Windows 10 updates using Windows Server Update Services (WSUS)](update/waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. | -| [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. | -| [Manage device restarts after updates](update/waas-restart.md) | Explains how to manage update related device restarts. | -| [Manage additional Windows Update settings](update/waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update | -| [Windows Insider Program for Business](update/waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. | - -## Additional topics - -|Topic |Description | -|------|------------| -|[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. | - -  - -  - - - - - diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml new file mode 100644 index 0000000000..04a15dea0b --- /dev/null +++ b/windows/deployment/index.yml 
@@ -0,0 +1,104 @@ +### YamlMime:YamlDocument + +documentType: LandingData +title: Deploy and update Windows 10 +metadata: + document_id: + title: Deploy and update Windows 10 + description: Deploying and updating Windows 10 for IT professionals. + keywords: deploy, update, Windows, service, Microsoft365, e5, e3 + ms.localizationpriority: high + author: greg-lindsay + ms.author: greglin + manager: elizapo + ms.date: 02/09/2018 + ms.topic: article + ms.devlang: na + +sections: +- items: + - type: markdown + text: Learn about deployment of Windows 10 for IT professionals. This includes deploying the operating system, upgrading to it from previous versions and updating Windows 10. +- items: + - type: list + style: cards + className: cardsM + columns: 3 + items: + - href: windows-10-deployment-scenarios + html:

    Understand the different ways that Windows 10 can be deployed

    + image: + src: https://docs.microsoft.com/en-us/media/common/i_deploy.svg" + title: Windows 10 deployment scenarios + - href: update + html:

    Update Windows 10 in the enterprise

    + image: + src: https://docs.microsoft.com/media/common/i_upgrade.svg + title: Windows as a service + - href: update/windows-analytics-overview + html:

    Windows Analytics provides deep insights into your Windows 10 environment.

    + image: + src: https://docs.microsoft.com/media/common/i_investigate.svg + title: Windows Analytics +- title: +- items: + - type: markdown + text: " +
    + + + + + +
    [What's new in Windows 10 deployment](deploy-whats-new.md) See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization.
    [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task.
    [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) Windows 10 Enterprise has traditionally been sold as on premises software, however, with Windows 10 version 1703 (also known as the Creator’s Update), both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as true online services via subscription. You can move from Windows 10 Pro to Windows 10 Enterprise with no keys and no reboots. If you are using a Cloud Service Providers (CSP) see the related topic: [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
    [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade.
    + " +- title: Deploy Windows 10 +- items: + - type: markdown + text: " + Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. +
     
    + + + + + + + + + + + +
    TopicDescription
    [Overview of Windows AutoPilot](windows-autopilot/windows-10-autopilot.md) Windows AutoPilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices.
    [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) This topic provides information about support for upgrading directly to Windows 10 from a previous operating system.
    [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) This topic provides information about support for upgrading from one edition of Windows 10 to another.
    [Windows 10 volume license media](windows-10-media.md) This topic provides information about media available in the Microsoft Volume Licensing Service Center.
    [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
    [Windows 10 deployment test lab](windows-10-poc.md) This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md).
    [Plan for Windows 10 deployment](planning/index.md) This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning.
    [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT).
    [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or.
    [Windows 10 deployment tools](windows-10-deployment-tools-reference.md) Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more.
    + " +- title: Update Windows 10 +- items: + - type: markdown + text: " + Information is provided about keeping Windows 10 up-to-date. +
     
    + + + + + + + + + + + + + + + +
    TopicDescription
    [Quick guide to Windows as a service](update/waas-quick-start.md) Provides a brief summary of the key points for the new servicing model for Windows 10.
    [Overview of Windows as a service](update/waas-overview.md) Explains the differences in building, deploying, and servicing Windows 10; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools.
    [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md) Explains the decisions you need to make in your servicing strategy.
    [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md) Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates.
    [Assign devices to servicing branches for Windows 10 updates](update/waas-servicing-branches-windows-10-updates.md) Explains how to assign devices to Current Branch (CB) or Current Branch for Business (CBB) for feature and quality updates, and how to enroll devices in Windows Insider.
    [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md) Explains how to use Windows Analytics: Update Compliance to monitor and manage Windows Updates on devices in your organization.
    [Optimize update delivery for Windows 10 updates](update/waas-optimize-windows-10-updates.md) Explains the benefits of using Delivery Optimization or BranchCache for update distribution.
    [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md) Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile.
    [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md) Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune.
    [Deploy Windows 10 updates using Windows Server Update Services (WSUS)](update/waas-manage-updates-wsus.md) Explains how to use WSUS to manage Windows 10 updates.
    [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md) Explains how to use Configuration Manager to manage Windows 10 updates.
    [Manage device restarts after updates](update/waas-restart.md) Explains how to manage update related device restarts.
    [Manage additional Windows Update settings](update/waas-wu-settings.md) Provides details about settings available to control and configure Windows Update.
    [Windows Insider Program for Business](update/waas-windows-insider-for-business.md) Explains how the Windows Insider Program for Business works and how to become an insider.
    + " +- title: Additional topics +- items: + - type: markdown + text: " +
    + [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. + +  " diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md new file mode 100644 index 0000000000..08b8659f6e --- /dev/null +++ b/windows/deployment/update/WIP4Biz-intro.md 
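Review bot: In the new index.yml, the first card's image source ends with a stray double quote, `src: https://docs.microsoft.com/en-us/media/common/i_deploy.svg"`. As an unquoted YAML scalar the quote is kept as part of the URL, so the image request will fail. Remove the quote, and drop `/en-us/` from the path so it matches the other two cards, which use `https://docs.microsoft.com/media/common/...`. Also in this file, `document_id:` under `metadata` and the first `- title:` section key are left empty; give them values or remove them.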
@@ -0,0 +1,70 @@ +--- +title: Introduction to the Windows Insider Program for Business +description: Introduction to the Windows Insider Program for Business and why IT Pros should join it +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jaimeo +ms.localizationpriority: high +ms.author: jaimeo +ms.date: 03/01/2018 +--- + +# Introduction to the Windows Insider Program for Business + + +**Applies to** + +- Windows 10 + +> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the Semi-Annual Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. + +The Windows Insider Program for Business gives you the opportunity to: + +* Get early access to Windows Insider Preview Builds. +* Provide feedback to Microsoft in real time by using the Feedback Hub app. +* Sign in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs. +* Register your Azure Active Directory domain in the program, allowing you to cover all users within your organization with just one registration. 
+* Starting with Windows 10, version 1709, enable, disable, defer, and pause the installation of preview builds through policies. +* Track feedback provided through the Feedback Hub App across your organization. + +Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans, and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App. + +The Windows Insider Program doesn't replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. + + +[![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the Semi-Annual Channel Targeted ring for Pilot deployment, and the Semi-Annual Channel for broad deployment](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)
    +Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments. + + +## Explore new Windows 10 features in Insider Previews +Windows 10 Insider Preview builds offer organizations a valuable and exciting opportunity to evaluate new Windows features well before general release. What’s more, by providing feedback to Microsoft on these features, you and other Insiders in your organization can help shape Windows for your specific business needs. Here’s how to get the most out of your feature exploration: + +|Objective |Feature exploration| +|---------|---------| +|Release channel |**Fast Ring:** Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.| +|Users | Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary devices. | +|Tasks | - Install and manage Insider Preview builds on devices (per device or centrally across multiple devices)
    - Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications
    - Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary of current features. | +|Feedback | - Provide feedback via [Feedback Hub app](insiderhub://home/). This helps us make adjustments to features as quickly as possible.
    - Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
    - [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/en-us/how-to-feedback/) | + +## Validate Insider Preview builds +Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](https://docs.microsoft.com/en-us/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits: + +- Get a head start on your Windows validation process +- Identify issues sooner to accelerate your Windows deployment +- Engage Microsoft earlier for help with potential compatibility issues +- Deploy Windows 10 Semi-Annual releases faster and more confidently +- Maximize the 18-month support Window that comes with each Semi-Annual release. + + + +|Objective |Feature exploration| +|---------|---------| +|Release channel |**Slow Ring:** Insider Preview builds in the Slow Ring are released approximately once a month. They are more stable than Fast Ring releases, making them better suited for validation purposes. Slow Ring releases can be run on either secondary or primary production devices by skilled users.| +|Users | Application and infrastructure validation: In addition to Insiders who might have participated in feature exploration, we also recommend including a small group of application users from each business department to ensure a representative sample.| +|Tasks | Application and infrastructure validation: Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) and [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) pages for updates on current issues and fixes. 
| +|Feedback | Application and infrastructure validation:Provide feedback in the Feedback Hub app and also inform app vendors of any significant issues. | +|Guidance | Application and infrastructure validation:
    - [Use Upgrade Readiness to create an app inventory and identify mission-critical apps](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-identify-apps)
    - [Use Device Health to identify problem devices and device drivers](https://docs.microsoft.com/en-us/windows/deployment/update/device-health-monitor)
    - [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793)| + diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md index 6df6256b76..e76b08389c 100644 --- a/windows/deployment/update/change-history-for-update-windows-10.md +++ b/windows/deployment/update/change-history-for-update-windows-10.md @@ -11,7 +11,7 @@ ms.date: 10/17/2017 # Change history for Update Windows 10 -This topic lists new and updated topics in the [Update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +This topic lists new and updated topics in the [Update Windows 10](index.md) documentation for [Deploy and Update Windows 10](https://docs.microsoft.com/en-us/windows/deployment). >If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). diff --git a/windows/deployment/update/images/WIP4Biz_Deployment.png b/windows/deployment/update/images/WIP4Biz_Deployment.png new file mode 100644 index 0000000000..bf267aa9eb Binary files /dev/null and b/windows/deployment/update/images/WIP4Biz_Deployment.png differ diff --git a/windows/deployment/update/images/WIP4Biz_Prompts.png b/windows/deployment/update/images/WIP4Biz_Prompts.png new file mode 100644 index 0000000000..37acadde3a Binary files /dev/null and b/windows/deployment/update/images/WIP4Biz_Prompts.png differ diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index 7fc29c58f5..dea0940ed3 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md 
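Review bot: In the new WIP4Biz-intro.md, the illustration is referenced as `images/WIP4Biz_deployment.png`, but the image file this patch adds is `images/WIP4Biz_Deployment.png`. The case differs, so the image link will break on a case-sensitive host; rename one to match the other. In the same file, the added intro sentence "feature flighting enables participants in the Windows Insider Preview program can consume and deploy" has a stray "can" (it should read "to consume and deploy"). The table under "Validate Insider Preview builds" reuses the header `|Objective |Feature exploration|` from the previous section, and "18-month support Window" should use a lowercase "window".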
@@ -5,49 +5,50 @@ ms.author: nibr ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 10/10/2017 +author: jaimeo +ms.date: 03/02/2018 --- # Olympia Corp ## What is Windows Insider Lab for Enterprise and Olympia Corp? -Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release Enterprise Privacy and Security features*. To get the complete experience of these Enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. +Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release Enterprise Privacy and Security features. To get the complete experience of these Enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. As an Olympia user, you will have an opportunity to: -- Use various Enterprise features like WIP (Windows Information Protection), ATP (Advanced Threat Protection), WDAG (Windows Defender Application Guard), and APP-V (Application virtualization). +- Use various Enterprise features like Windows Information Protection (WIP), Advanced Threat Protection (ATP), windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). - Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. - Validate and test pre-release software in your environment. - Provide feedback. - Interact with engineering team members through a variety of communication channels. -\* Enterprise features may have reduced, or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. 
We may change or discontinue any of the Enterprise features at any time without notice. +>[!Note] +>Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the Enterprise features at any time without notice. -For more information about Olympia Corp, please see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ). +For more information about Olympia Corp, see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ). -To request an Olympia Corp account, please fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia). +To request an Olympia Corp account, fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia). ## Enrollment guidelines -Welcome to Olympia Corp. Here are the steps needed to Enroll. +Welcome to Olympia Corp. Here are the steps needed to enroll. As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Enterprise from Windows 10 Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows 10 Enterprise, we recommend you to upgrade. Choose one of the following two enrollment options: -1. [Keep your current Windows 10 edition](#enrollment-keep-current-edition) +- To set up an AAD-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account. -2. [Upgrade your Windows 10 edition from Pro to Enterprise](#enrollment-upgrade-to-enterprise) +- If you are running Windows 10 Pro, we recommend that you upgrade to Windows 10 Enterprise by following these steps to [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). 
In this case, you will be able to log on to the device with your Olympia account. -### Set up an Azure Active Directory REGISTERED Windows 10 device +### Set up an Azure Active Directory-REGISTERED Windows 10 device -- This is the Bring Your Own Device (BYOD) method - your device will receive Olympia policies and features, but a new account will not be created ([additional info]).(https://docs.microsoft.com/en-us/azure/active-directory/device-management-azuread-registered-devices-windows10-setup) +This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. See [Set up Azure Active Directory registered Windows 10 devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-registered-devices-windows10-setup) for additional information. -1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). +1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). ![Settings -> Accounts](images/1-1.png) 
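Review bot: The rewritten feature list line in this olympia-enrollment-guidelines.md hunk reads "windows Defender Application Guard (WDAG)" with a lowercase "windows"; capitalize it. The front matter now sets `author: jaimeo` while the unchanged `ms.author: nibr` line stays, so confirm whether both fields should change together, as they do in waas-windows-insider-for-business.md. The new callout is written `>[!Note]`, while the callout added at the end of this file is `>[!NOTE]`; pick one casing for the file.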
@@ -66,7 +67,7 @@ Choose one of the following two enrollment options: 5. Read the **Terms and Conditions**. Click **Accept** to participate in the program. -6. If this is the first time you are logging in, please fill in the additional information to help you retrieve your account details. +6. If this is the first time you are logging in, fill in the additional information to help you retrieve your account details. 7. Create a PIN for signing into your Olympia corporate account. @@ -79,11 +80,11 @@ Choose one of the following two enrollment options: -### Set up Azure Active Directory JOINED Windows 10 device +### Set up Azure Active Directory-JOINED Windows 10 device -- This method will upgrade your Windows 10 Pro license to Enterprise and create a new account ([additional info]).(https://docs.microsoft.com/en-us/azure/active-directory/device-management-azuread-joined-devices-setup) +- This method will upgrade your Windows 10 Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup) for more information. -1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). +1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). ![Settings -> Accounts](images/1-1.png) 
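Review bot: The rewritten intro under "Set up Azure Active Directory-JOINED Windows 10 device" keeps its leading "- " list marker, while the matching intro in the REGISTERED section was changed to a plain paragraph earlier in this patch. Drop the bullet here so the two sections match. The two headings also still differ ("Set up an Azure Active Directory-REGISTERED Windows 10 device" versus "Set up Azure Active Directory-JOINED Windows 10 device"), so add the article here or remove it there.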
@@ -106,15 +107,15 @@ Choose one of the following two enrollment options: 6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. -7. If this is the first time you are signing in, please fill in the additional information to help you retrieve your account details. +7. If this is the first time you are signing in, fill in the additional information to help you retrieve your account details. 8. Create a PIN for signing into your Olympia corporate account. 9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. -10. Restart your PC. +10. Restart your device. -11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your PC will upgrade to Windows 10 Enterprise*. +11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your device will upgrade to Windows 10 Enterprise. 12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. @@ -123,5 +124,6 @@ Choose one of the following two enrollment options: 13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. -\* Please note that your Windows 10 Enterprise license will not be renewed if your PC is not connected to Olympia. +>[!NOTE] +> Your Windows 10 Enterprise license will not be renewed if your device is not connected to Olympia. diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index e26cc352fc..88a40b5473 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md 
@@ -25,7 +25,7 @@ ms.date: 10/13/2017 > >In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. -Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. +Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices. Specifically, Windows Update for Business allows for: 
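Review bot: The sentence appended to the intro paragraph, "Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices," does not say which diagnostic data level that reporting depends on or where the level is configured. Because this is a statement about data collection, link it to the diagnostic data setting documentation, and consider giving it its own paragraph instead of attaching it to the end of the management overview.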
@@ -33,6 +33,7 @@ Specifically, Windows Update for Business allows for: - Selectively including or excluding drivers as part of Microsoft-provided updates - Integration with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune. - Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution. +- Control over diagnostic data level to provide reporting and insights in Windows Analytics. Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education. diff --git a/windows/deployment/update/waas-windows-insider-for-business.md b/windows/deployment/update/waas-windows-insider-for-business.md index b105a54d56..52a170184a 100644 --- a/windows/deployment/update/waas-windows-insider-for-business.md +++ b/windows/deployment/update/waas-windows-insider-for-business.md @@ -4,10 +4,10 @@ description: Overview of the Windows Insider Program for Business ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: DaniHalfin +author: jaimeo ms.localizationpriority: high -ms.author: daniha -ms.date: 10/27/2017 +ms.author: jaimeo +ms.date: 02/27/2018 --- # Windows Insider Program for Business 
@@ -19,67 +19,76 @@ ms.date: 10/27/2017 > **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -For many IT pros, gaining visibility into feature updates early, before they’re available to the Semi-Annual Channel, can be both intriguing and valuable for future end user communications as well as provide additional prestaging for Semi-Annual Channel devices. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test devices, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to the Semi-Annual Channel, organizations can test their deployment on test devices for compatibility validation. -The Windows Insider Program for Business gives you the opportunity to: -* Get early access to Windows Insider Preview Builds. -* Provide feedback to Microsoft in real-time via the Feedback Hub app. -* Sign-in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs. -* Register your Azure AD domain into the program, to cover all users within your organization with just one registration. -* Starting with Windows 10, version 1709, enable, disable, defer and pause the installation of preview builds through policies. -* Track feedback provided through the Feedback Hub App, across your organization. 
- -Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App. - -The Windows Insider Program isn’t intended to replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. ## Getting started with Windows Insider Program for Business -To get started with the Windows Insider Program for Business, you can follow a few simple steps: +To get started with the Windows Insider Program for Business, follow these steps: -1. [Register your organizational Azure AD account](#individual-registration) to the Windows Insider Program for Business. +1. [Register your organization's Azure AD account](#individual-registration) to the Windows Insider Program for Business. 2. [Register your organization's Azure AD domain](#organizational-registration) to the Windows Insider Program for Business.
    **Note:** Registering user has to be a Global Administrator in the Azure AD domain. 3. [Set policies](#manage-windows-insider-preview-builds) to enable Windows Insider Preview builds and select flight rings. >[!IMPORTANT] ->The **Allow Telemetry** setting has to be set to 2 or higher, to receive Windows Insider preview builds. +>To receive Windows Insider Preview builds, set the **Allow Telemetry** setting in Group Policy to 2 or higher. > ->The setting is available in **Group Policy**, through **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds - Allow Telemetry** or in **MDM**, through [**System/AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry). +>In **Group Policy**, this setting is in **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds - Allow Telemetry**. In **MDM**, the setting is in [**System/AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry). -Below are additional details to accomplish the steps described above. -## Register to the Windows Insider Program for Business +## Register in the Windows Insider Program for Business -Registration in the Windows Insider Program for Business can be done individually per user or for an entire organization: +The first step to installing a Windows 10 Insider Preview build is to register as a Windows Insider. You and your users have two registration options. -### Individual registration - ->[!IMPORTANT] ->This step is a prerequisite to register your organization's Azure AD domain. - -Navigate to the [**Getting Started**](https://insider.windows.com/en-us/getting-started/) page on [Windows Insider](https://insider.windows.com), go to **Register your organization account** and follow the instructions. 
+### Register using your work account (recommended) +Registering with your work account in Azure Active Directory (AAD) is required to submit feedback on behalf of your organization and manage Insider Preview builds on other devices in your domain. >[!NOTE] ->Make sure your device is [connected to your company's Azure AD subscription](waas-windows-insider-for-business-faq.md#connected-to-aad). +>Requires Windows 10 Version 1703 or later. Confirm by going to Settings>System>About. If you do not have an AAD account, [find out how to get an Azure Active Directory tenant](https://docs.microsoft.com/azure/active-directory/develop/active-directory-howto-tenant). -### Organizational registration +### Register your personal account +Use the same account that you use for other Microsoft services. If you don’t have a Microsoft account, it is easy to get one. [Get a Microsoft account](https://account.microsoft.com/account). -This method enables to your register your entire organization to the Windows Insider Program for Business, to avoid having to register each individual user. +## Install Windows Insider Preview Builds +You can install Windows 10 Insider Preview builds directly on individual devices, manage installation across multiple devices in an organization, or install on a virtual machine. ->[!IMPORTANT] ->The account performing these steps has to first be registered to the program individually. Additionally, Global Administrator privileges on the Azure AD domain are required. +### Install on an individual device -1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/en-us/insidersigninaad/). -2. **Register your domain**. 
Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/en-us/for-business-organization-admin/) and control settings centrally.
    **Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain. +1. Open [Windows Insider Program settings](ms-settings:windowsinsider) (On your Windows 10 device, go to Start > Settings > Update & security > Windows Insider Program). To see this setting, you must have administrator rights to your device. +2. Click **Get started** and follow the prompts to link your Microsoft or work account that you used to register as a Windows Insider. ->[!NOTE] ->At this point, the Windows Insider Program for Business only supports [Azure Active Directory (Azure AD)](/azure/active-directory/active-directory-whatis) (and not Active Directory on premises) as a corporate authentication method. -> ->If your company is currently not using Azure AD – but has a paid subscription to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services – you have a free subscription to Microsoft Azure Active Directory. This subscription can be used to create users for enrollment in the Windows Insider Program for Business. + +[![Settings UI showing Windows Insider Program item selected in lower left](images/WIP4Biz_Prompts.png)](images/WIP4Biz_Prompts.png) + +### Install across multiple devices + +Administrators can install and manage Insider Preview builds centrally across multiple devices within their domain. To register a domain, you must be registered in the Windows Insider Program with your work account in Azure Active Directory and you must be assigned a **Global Administrator** role on that Azure AD domain. Also requires Windows 10 Version 1703 or later. + +To register a domain, follow these steps: + +1. **Register your domain with the Windows Insider Program** +Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/for-business-organization-admin/) and control settings centrally. 
+ + +2. **Apply Policies** +Once you have registered your enterprise domain, you can control how and when devices receive Windows Insider Preview builds on their devices. See: [How to manage Windows 10 Insider Preview builds across your organization](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business). + +>[!Note] +>- The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain. +>- Currently, the Windows Insider Program for Business supports [Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/active-directory-whatis)--but not on-premises Active Directory--as a corporate authentication method. +>- If your company has a paid subscription to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services--you have a free subscription to Microsoft Azure Active Directory. This subscription can be used to create users for enrollment in the Windows Insider Program for Business. +>- If you do not have an AAD account, install Insider Preview builds on individual devices with a registered Microsoft account. + +### Install on a virtual machine +This option enables you to run Insider Preview builds without changing the Windows 10 production build already running on a device. + +For guidance on setting up virtual machines on your device, see [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/). + +To download the latest Insider Preview build to run on your virtual machine, see +[Windows Insider Preview downloads](https://www.microsoft.com/software-download/windowsinsiderpreviewadvanced) ## Manage Windows Insider Preview builds -Starting with Windows 10, version 1709, administrators can control how and when devices receive Windows Insider Preview builds on their devices. 
+Starting with Windows 10, version 1709, administrators can control how and when devices receive Windows Insider Preview builds. The **Manage preview builds** setting gives enables or prevents preview build installation on a device. You can also decide to stop preview builds once the release is public. * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds* 
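Review bot: The "Getting started" list in this hunk still links to `#individual-registration` and `#organizational-registration`, but the "### Individual registration" and "### Organizational registration" headings are removed here and none of the new headings produce those anchors, so both links will be dead. Point them at the new "Register using your work account (recommended)" and "Install across multiple devices" sections, or keep explicit anchors. The rewritten IMPORTANT callout says to set **Allow Telemetry** "in Group Policy" and then gives the MDM path as well; drop "in Group Policy" from the first sentence so it does not read as GP-only. The "Apply Policies" step links to this same page's URL rather than to `#manage-windows-insider-preview-builds`. The added sentence "The **Manage preview builds** setting gives enables or prevents preview build installation" has a leftover "gives".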
@@ -96,60 +105,63 @@ The **Branch Readiness Level** settings allows you to choose between preview [fl * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* * MDM: [**Update/BranchReadinessLevel**](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) -![Select when Preview Builds and Feature Updates are received group policy](images/waas-wipfb-policy1.png) +![Group Policy dialog showing the "Select when Preview Builds and Feature updates are received" configuration panel](images/waas-wipfb-policy1.png) ### Individual enrollment If you want to manage Windows Insider preview builds prior to Windows 10, version 1709, or wish to enroll a single device, follow these steps: 1. Enroll your device by going to **Start > Settings > Update & security > Windows Insider Program** and selecting **Get Started**. Sign-in using the account you used to register for the Windows Insider Program. -2. After reading the privacy statement and clicking **Next**, **Confirm** and schedule a restart. -3. You are ready to install your first preview build. To do so, go to **Start** > **Settings** > **Update & security** > **Windows Insider Program** to select your Windows Insider level. The device receives the most recent Windows Insider build for the Windows Insider level you select. +2. Read the privacy statement and then click **Next**, **Confirm**, +3. Schedule a restart. You are now ready to install your first preview build. +4. To install the first preview, open **Start** > **Settings** > **Update & security** > **Windows Insider Program** and select your Windows Insider level. The device receives the most recent Windows Insider build for the Windows Insider level you select. >[!NOTE] ->To enroll your PC, you’ll require administration rights on the machine and it needs to be running Windows 10, Version 1703 or later. 
If you are already registered in the Windows Insider Program using your Microsoft account, you’ll need to [switch enrollment to the organizational account](#how-to-switch-between-your-msa-and-your-corporate-aad-account). +>To enroll your device, you’ll require administration rights on the device, which must be running Windows 10, Version 1703 or later. If you are already registered in the Windows Insider Program using your Microsoft account, you’ll need to [switch enrollment to the organizational account](#how-to-switch-between-your-msa-and-your-corporate-aad-account). >[!TIP] >Administrators have the option to use [Device Health](/windows/deployment/update/device-health-monitor) in Windows Analytics to monitor devices running Windows 10 Insider Preview builds. ## Flight rings -Flighting rings are used to evaluate the quality of our software as it is released to progressively larger audiences. We will flight a Feature Update, application, etc. to the first ring if it passes all required automated testing in the lab. The flight will continue to be evaluated against a set of criteria to ensure it is ready to progress to the next ring. +Flight rings are used to evaluate the quality of our software as it is released to progressively larger audiences. We will flight a Feature Update, application, etc. to the first ring if it passes all required automated testing in the lab. The flight will continue to be evaluated against a set of criteria to ensure it is ready to progress to the next ring. These are the available flight rings: ### Release Preview -Best for Insiders who enjoy getting early access to updates for the Semi-Annual Channel, Microsoft applications, and drivers, with minimal risk to their devices, and still want to provide feedback to make Windows devices great. 
+Best for Insiders who prefer to get early access to updates for the Semi-Annual Channel, Microsoft applications, and drivers, with minimal risk to their devices, and still want to provide feedback to make Windows devices great. -Insiders on this level receive builds of Windows just before Microsoft releases them to the Semi-Annual Channel. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs. +Insiders on this level receive builds of Windows just before Microsoft releases them to the Semi-Annual Channel. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider devices. -* The Release Preview Ring will only be visible when your Windows build version is the same as the Semi-Annual Channel. -* To go from a Preview build to the Semi-Annual Channel, use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows. +The Release Preview Ring will only be visible when your Windows build version is the same as the Semi-Annual Channel. + +To move from a Preview build to the Semi-Annual Channel, use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for device) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows. ### Slow -The Slow Windows Insider level is for users who enjoy seeing new builds of Windows with minimal risk to their devices but still want to provide feedback to Microsoft about their experience with the new build. 
+The Slow Windows Insider level is for users who prefer to see new builds of Windows with minimal risk to their devices but still want to provide feedback to Microsoft about their experience with the new build. * Builds are sent to the Slow Ring after feedback has been received from Windows Insiders within the Fast Ring and analyzed by our Engineering teams. * These builds will include updates to fix key issues that would prevent many Windows Insiders from being able to use the build on a daily basis. -* These builds still may have issues that would be addressed in a future flight. +* These builds still might have issues that would be addressed in a future flight. ### Fast -Best for Windows Insiders who enjoy being the first to get access to builds and feature updates, with some risk to their devices in order to identify issues, and provide suggestions and ideas to make Windows software and devices great. +Best for Windows Insiders who prefer being the first to get access to builds and feature updates--with some risk to their devices--in order to identify issues, and provide suggestions and ideas to make Windows software and devices great. -* Windows Insiders with devices in the Fast Ring should be prepared for more issues that may block key activities that are important to you or may require significant workarounds. -* Because we are also validating a build on a smaller set of devices before going to Fast, there is also a chance that some features may work on some devices but may fail in other device configurations. +* Windows Insiders with devices in the Fast Ring should be prepared for more issues that might block key activities that are important to you or might require significant workarounds. +* Because we are also validating a build on a smaller set of devices before going to Fast, there is also a chance that some features might work on some devices but might fail in other device configurations. 
* Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked. -* Please remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community forum. +* Remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community forum. >[!NOTE] ->Once your machine is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your machine will be auto-targeted for the next available flight for your selected ring. For the first build on any given machine, this may take up to 24 hours to complete. +>Once your device is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your device will be auto-targeted for the next available flight for your selected ring. For the first build on any given device, this might take up to 24 hours to complete. ### How to switch between flight rings -During your time in the Windows Insider Program, you may want to change between flight rings for any number of reasons. Starting with Windows 10, version 1709, use the **Branch Readiness Level** to switch between flight rings. 
+During your time in the Windows Insider Program, you might want to change between flight rings for any number of reasons. Starting with Windows 10, version 1709, use the **Branch Readiness Level** to switch between flight rings. + * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* * MDM: [**Update/BranchReadinessLevel**](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) @@ -161,6 +173,7 @@ To switch flights prior to Windows 10, version 1709, follow these steps: * [Windows Insider Slow](#slow) * [Release Preview](#release-preview) + ## How to switch between your MSA and your Corporate AAD account If you were using your Microsoft Account (MSA) to enroll to the Windows Insider Program, switch to your organizational account by going to **Settings > Updates & Security > Windows Insider Program**, and under **Windows Insider account** select **Change**. 
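Review bot: In the Individual enrollment steps of the @@ -96,60 +105,63 @@ hunk, the rewritten step 2 ends on a dangling comma ("click **Next**, **Confirm**,") and the restart that used to finish that step now opens step 3, so step 2 no longer reads as a complete action. Either end step 2 with "and then **Confirm**." or fold "Schedule a restart" back into it. In the same hunk, replacing "(for PC)" with "(for device)" next to "(for Mobile)" loses the contrast the two tool links depend on, since a phone is also a device; keep "PC" there or name the device class.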
@@ -173,11 +186,11 @@ If you were using your Microsoft Account (MSA) to enroll to the Windows Insider ## Sharing Feedback Via the Feedback Hub As you know a key benefit to being a Windows Insider is Feedback. It’s definitely a benefit to us, and we hope it’s a benefit to you. Feedback is vital for making changes and improvements in Windows 10. Receiving quality and actionable feedback is key in achieving these goals. -Please use the [**Feedback Hub App**](feedback-hub://?referrer=wipForBizDocs&tabid=2) to submit your feedback to Microsoft. +Use the [**Feedback Hub App**](feedback-hub://?referrer=wipForBizDocs&tabid=2) to submit your feedback to Microsoft. -When providing feedback, please consider the following: -1. Check for existing feedback on the topic you are preparing to log. Another user may have already shared the same feedback. If they have, please “upvote” the existing feedback to help prevent duplicate submissions. Adding additional comments to existing feedback can help others by providing clarity to existing information or additional scenarios to review. -2. Provide as much information to us as possible: include reproduction steps, screenshots, any detail you think would help us experience the issue as you have, so that we can work on a fix and get it into a new build as soon as possible. +When providing feedback, consider the following: +* Check for existing feedback on the topic you are preparing to log. Another user might have already shared the same feedback. If they have, “upvote” the existing feedback to help prevent duplicate submissions. Adding additional comments to existing feedback can help others by providing clarity to existing information or additional scenarios to review. +* Provide as much information to us as possible: include reproduction steps, screenshots, any detail you think would help us experience the issue as you have, so that we can work on a fix and get it into a new build as soon as possible. 
>[!TIP] >You can then track feedback provided by all users in your organization through the Feedback Hub. Simply filter by **My Organization**. @@ -189,7 +202,7 @@ When providing feedback, please consider the following: ### User consent requirement -With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will see a popup asking for their permission, like this: +Feedback Hub needs the user’s consent to access their AAD account profile data (we read their name, organizational tenant ID, and user ID). When they sign in for the first time with the AAD account, they will see a popup asking for their permission, like this: ![Feedback Hub consent to AAD pop-up](images/waas-wipfb-aad-consent.png) @@ -212,7 +225,7 @@ To do this through the **classic Azure portal**: 2. Switch to the **Active Directory** dashboard. ![Azure classic portal dashboard button](images/waas-wipfb-aad-classicaad.png) 3. Select the appropriate directory and go to the **Configure** tab. -4. Under the **integrated applications** section, enable **Users may give applications permissions to access their data**. +4. Under the **integrated applications** section, enable **Users might give applications permissions to access their data**. ![Azure classic portal enable consent](images/waas-wipfb-aad-classicenable.png) To do this through the **new Azure portal**: 
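Review bot: In step 4 of the classic Azure portal procedure, the bolded option name changed from "Users may give applications permissions to access their data" to "Users might give applications permissions to access their data", which looks like the may-to-might wording pass reaching into a quoted UI label. A bolded setting name has to match what the administrator sees in the portal, and this is the switch that controls whether users can consent to Feedback Hub reading their AAD profile data, so keep the original label unless the portal text itself changed.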
@@ -228,7 +241,7 @@ To do this through the **new Azure portal**: ## Not receiving Windows 10 Insider Preview build updates? -In some cases, your PC may not update to the latest Windows Insider Preview build as expected. Here are items that you can review to troubleshoot this issue: +In some cases, your device might not update to the latest Windows Insider Preview build as expected. Here are items that you can review to troubleshoot this issue: ### Perform a manual check for updates Go to **Settings > Updates & Security**. Review available updates or select **Check for updates**. 
@@ -240,51 +253,59 @@ Go to **Settings > Updates & Security**. Review available updates or select **Ch Go to **Settings > Updates & Security > Activation** to verify Windows is activated. ### Make sure your corporate account in AAD is connected to your device -Open **Settings \ Accounts \ Access work or school**. If your PC is not listed as connected to your account in AAD, click Connect and enter your AAD account. +Open **Settings \ Accounts \ Access work or school**. If your device is not listed as connected to your account in AAD, click Connect and enter your AAD account. ### Make sure you have selected a flight ring Open **Settings > Update & Security > Windows Insider Program** and select your flight ring. ### Have you recently done a roll-back? -If so, please double-check your flight settings under **Settings > Update & Security > Windows Insider Program**. +If so, double-check your flight settings under **Settings > Update & Security > Windows Insider Program**. -### Did you do a clean install? -After a clean-install and initial setup of a Microsoft or corporate account (even one that has been used previously for flighting) the appropriate targeting needs to take place for your PC. This background process is known as Compatibility Checker and will run during idle time on your PC. This process may take up to 24 hours. Please leave your PC turned on to ensure this occurs in timely manner. +### Did you do a clean installion? +After a clean installation and initial setup of a Microsoft or corporate account (even one that has been used previously for flighting) the appropriate targeting needs to take place for your device. This background process is known as Compatibility Checker and will run during idle time on your device. This process might take up to 24 hours. To ensure that this occurs in a timely manner, leave your device turned on. ### Are there known issues for your current build? 
-On rare occasion, there may be an issue with a build that could lead to issues with updates being received. Please check the most recent Blog Post or reach out to the Windows Insider team on Twitter for verification (*@WindowsInsider*). You can also check the **Feedback Hub** for announcements and known issues. +On rare occasion, there might be an issue with a build that could lead to issues with updates being received. Check the most recent blog post or contact the Windows Insider team on Twitter for verification (*@WindowsInsider*). You can also check the **Feedback Hub** for announcements and known issues. ## Exiting flighting -After you’ve tried the latest Windows Insider Preview builds, you may want to opt out. In order to do that, go to **Settings > Update & Security > Windows Insider Program** and select **Stop Insider Preview Builds**. Follow the on-screen instructions to stop flighting to your device. +After you’ve tried the latest Windows Insider Preview builds, you might want to opt out. In order to do that, go to **Settings > Update & Security > Windows Insider Program** and select **Stop Insider Preview Builds**. Follow the on-screen instructions to stop flighting to your device. -To go from a Preview build to the Semi-Annual Channel, use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows. +To go from a Preview build to the Semi-Annual Channel, use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for device) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows. ## Unregister -If you no longer plan to manage Windows Insider Preview policies for your organization, you will need to [unregister your domain with the Windows Insider Program](https://insider.windows.com/en-us/insiderorgleaveprogram/). 
+If you no longer plan to manage Windows Insider Preview policies for your organization, you will need to [unregister your domain with the Windows Insider Program](https://insider.windows.com/insiderorgleaveprogram/). Unregistering will not allow any other administrators at your organization to continue to set policies to manage Windows Insider Preview builds across your organization. -Your individual registration with the Insider program will not be impacted. If you wish to leave the Insider program, see the [leave the program](https://insider.windows.com/en-us/how-to-overview/#leave-the-program) instructions. +Your individual registration with the Insider program will not be impacted. If you wish to leave the Insider program, see the [leave the program](https://insider.windows.com/how-to-overview/#leave-the-program) instructions. >[!IMPORTANT] >Once your domain is unregistered, setting the **Branch Readiness Level** to preview builds will have no effect. Return this setting to its unconfigured state in order to enable users to control it from their devices. +## Community + +Windows Insiders are a part of a global community focused on innovation, creativity, and growth in their world. + +The Windows Insider program enables you to deepen connections to learn from peers and to connect to subject matter experts (inside Microsoft, Insiders in your local community and in another country) who understand your unique challenges, and who can provide strategic advice on how to maximize your impact. + +Collaborate and learn from experts in the [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) + + ## Additional help resources -* [**Windows Blog**](https://blogs.windows.com/blog/tag/windows-insider-program/) - With each new build release we publish a Windows Blog post that outlines key feature changes as well as known issues that Insiders may encounter while using the build. 
+* [**Windows Blog**](https://blogs.windows.com/blog/tag/windows-insider-program/) - With each new build release we publish a Windows Blog post that outlines key feature changes as well as known issues that Insiders might encounter while using the build. * [**Microsoft Technical Community for Windows Insiders**](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) - Engage with Windows Insiders around the world in a community dedicated to the Windows Insider Program. -* [**Windows Insider Preview community forum**](https://answers.microsoft.com/en-us/insider/forum/insider_wintp) - Answers is Microsoft’s forum platform and there is an entire area dedicated to the Windows Insider Program. Insiders can filter between PC, Office, Edge, and many others. +* [**Windows Insider Preview community forum**](https://answers.microsoft.com/en-us/insider/forum/insider_wintp) - Answers is Microsoft’s forum platform and there is an entire area dedicated to the Windows Insider Program. Insiders can filter between device, Office, Edge, and many others. ## Learn More - [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md) - [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md) - ## Related Topics - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) - [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) \ No newline at end of file +- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) 
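Review bot: The renamed troubleshooting heading "### Did you do a clean installion?" has a typo, and because it is a heading the misspelling also ends up in the generated anchor. Change it to "### Did you do a clean installation?" to match the body text on the next line, and check for inbound links to the old "clean install" anchor before merging.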
diff --git a/windows/deployment/update/windows-analytics-overview.md b/windows/deployment/update/windows-analytics-overview.md new file mode 100644 index 0000000000..d500f271dd --- /dev/null +++ b/windows/deployment/update/windows-analytics-overview.md 
@@ -0,0 +1,51 @@ +--- +title: Windows Analytics +description: Introduction and overview of Windows Analytics +keywords: Device Health, Upgrade Readiness, Update Compliance, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.date: 03/09/2018 +ms.pagetype: deploy +author: jaimeo +--- + +# Windows Analytics overview + +Windows Analytics is a set of solutions for Microsoft Operations Management Suite (OMS) that provide you with extensive data about the state of devices in your deployment. There are currently three solutions which you can use singly or in any combination: + +## Device Health + +[Device Health](device-health-get-started.md) provides the following: + +- Identification of devices that crash frequently, and therefore might need to be rebuilt or replaced +- Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes +- Notification of Windows Information Protection misconfigurations that send prompts to end users + + +## Update Compliance + +[Update Compliance](update-compliance-get-started.md) shows you the state of your devices with respect to the Windows updates so that you can ensure that they are on the most current updates as appropriate. 
In addition, Update Compliance provides the following: + +- Dedicated drill-downs for devices that might need attention +- An inventory of devices, including the version of Windows they are running and their update status +- The ability to track protection and threat status for Windows Defender Antivirus-enabled devices +- An overview of Windows Update for Business deferral configurations (Windows 10, version 1607 and later) +- Powerful built-in log analytics to create useful custom queries +- Cloud-connected access utilizing Windows 10 diagnostic data means no need for new complex, customized infrastructure + +## Upgrade Readiness + +[Upgrade Readiness](../upgrade/upgrade-readiness-get-started.md) offers a set of tools to plan and manage the upgrade process end to end, allowing you to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Upgrade Readiness not only supports upgrade management from Windows 7 and Windows 8.1 to Windows 10, but also Windows 10 upgrades in the Windows as a Service model. + +Use Upgrade Readiness to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer and application inventory +- Powerful computer-level search and drill-downs +- Guidance and insights into application and driver compatibility issues, with suggested fixes +- Data-driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools, including System Center Configuration Manager + +To get started with any of these solutions, visit the links for instructions to add it to OMS. \ No newline at end of file 
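Review bot: The new file ends with "\ No newline at end of file" after the closing "To get started with any of these solutions" line; add a trailing newline, as this same patch does for the last line of the preceding file. In that closing sentence, "instructions to add it to OMS" also has a singular "it" referring to the plural "solutions"; "add them to OMS" or "add each one to OMS" reads correctly.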
diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md index 16de770ebb..d3d5edf9a2 100644 --- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 01/26/2018 +ms.date: 02/22/2018 ms.localizationpriority: high --- @@ -657,7 +657,7 @@ For more information, see [How to perform a clean boot in Windows](https://suppo
    Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly. -
    See the following general troubleshooting procedures associated with a result code of 0x800xxxxx: +
    See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:

    @@ -694,6 +694,39 @@ This error has more than one possible cause. Attempt [quick fixes](#quick-fixes) + + + + +
    + +
    Code +
    + +0x80073BC3 - 0x20009
    +0x8007002 - 0x20009
    +0x80073B92 - 0x20009 + +
    + +
    +
    Cause +
    + +The requested system device cannot be found, there is a sharing violation, or there are multiple devices matching the identification criteria. + +
    +
    + + +
    Mitigation +
    + +These errors occur during partition analysis and validation, and can be caused by the presence of multiple system partitions. For example, if you installed a new system drive but left the previous system drive connected, this can cause a conflict. To resolve the errors, disconnect or temporarily disable drives that contain the unused system partition. You can reconnect the drive after the upgrade has completed. Alternatively, you can delete the unused system partition. + +
    +
    + - - - + + Windows 10 security +
    Security
    Code
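Review bot: The second code in the new table row, "0x8007002 - 0x20009", has seven hex digits after 0x, while the other two entries (0x80073BC3, 0x80073B92) and the 0x800xxxxx pattern described earlier in this file have eight, so a digit appears to be missing. Verify the value against the actual setup error and correct it, because readers locate this row by searching for the exact code.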
    diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md index 5c45338c1d..858aed34fc 100644 --- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md +++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md 
@@ -18,7 +18,7 @@ This topic provides information on additional features that are available in Upg The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. > [!NOTE] -> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, data will be collected on all sites visited by Microsoft Edge on computers running Windows 10 version 1803 (including Insider Preview builds) or newer. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees. +> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. The data collection process is silent, without notification to the employee. 
You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees. ### Install prerequisite security update for Internet Explorer diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md index aaea599116..023c8405c5 100644 --- a/windows/deployment/upgrade/upgrade-readiness-requirements.md +++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md 
@@ -82,7 +82,7 @@ Before you get started configuring Upgrade Anatlyics, review the following tips **Upgrade Readiness does not support on-premises Windows deployments.** Upgrade Readiness is built as a cloud service, which allows Upgrade Readiness to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises. -**In-region data storage requirements.** Windows diagnostic data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported. We’re adding support for additional regions and we’ll update this information when new international regions are supported. +**In-region data storage requirements.** Windows diagnostic data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in the Microsoft Operations Management Suite (OMS) portal. Upgrade Readiness is supported in all OMS regions; however, selecting an international OMS region does not prevent diagnostic data from being sent to and processed in Microsoft's secure data centers in the US. ### Tips diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md index b0a1554fa0..43202e6dde 100644 --- a/windows/hub/TOC.md +++ b/windows/hub/TOC.md 
@@ -5,8 +5,6 @@ ## [Configuration](/windows/configuration) ## [Client management](/windows/client-management) ## [Application management](/windows/application-management) -## [Identity and access management](/windows/security/identity-protection) -## [Information protection](/windows/security/information-protection) -## [Threat protection](/windows/security/threat-protection) +## [Security](/windows/security) ## [Troubleshooting](/windows/client-management/windows-10-support-solutions) ## [Other Windows client versions](https://docs.microsoft.com/previous-versions/windows) \ No newline at end of file diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index e33995957d..781df2941e 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -39,6 +39,9 @@ "ms.topic": "article", "ms.author": "brianlic", "ms.date": "04/05/2017", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.windows-hub" diff --git a/windows/hub/index.md b/windows/hub/index.md index 7d1f965f9d..73eff095ff 100644 --- a/windows/hub/index.md +++ b/windows/hub/index.md @@ -37,12 +37,6 @@ Find the latest how to and support content that IT pros need to evaluate, plan, Windows 10 deployment
    Deployment

    -
    - - Windows 10 client management -
    Client Management

    -

    @@ -50,21 +44,15 @@ Find the latest how to and support content that IT pros need to evaluate, plan, Manage applications in your Windows 10 enterprise deployment
    Application Management

    - - Windows 10 access protection -
    Access Protection
    +

    + + Windows 10 client management +
    Client Management

    - - Windows 10 device security -
    Device Security
    -

    - - Windows 10 threat protection -
    Threat Protection
    -
    @@ -74,9 +62,9 @@ Find the latest how to and support content that IT pros need to evaluate, plan, The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. - These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. +These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. - - [Read more about Windows as a Service](/windows/deployment/update/waas-overview) +- [Read more about Windows as a Service](/windows/deployment/update/waas-overview) ## Related topics [Windows 10 TechCenter](https://go.microsoft.com/fwlink/?LinkId=620009) diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 18fe87fb57..394ca15239 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -36,6 +36,9 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "ms.author": "justinha" }, "fileMetadata": {}, diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md index 5fb663bb6a..be893d7fb9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md @@ -20,7 +20,7 @@ ms.date: 07/27/2017 Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. -Below, you can find all the infromation you will need to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment: +Below, you can find all the information you will need to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment: 1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) 2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) 3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) diff --git a/windows/security/index.yml b/windows/security/index.yml index 8999a8a950..7a1ed6b87c 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -14,6 +14,8 @@ metadata: keywords: protect, company, data, Windows, device, app, management, Microsoft365, e5, e3 + ms.localizationpriority: high + author: brianlic-msft ms.author: brianlic diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index b933b18be6..7bbc2ad155 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -17,6 +17,7 @@ ## [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md) ###Get started +<<<<<<< HEAD #### [Minimum requirements](windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md) #### [Validate licensing and complete setup](windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md) #### [Troubleshoot subscription and portal access issues](windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) 
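Review bot: The only added line in this hunk, `+<<<<<<< HEAD` directly under `###Get started`, is a Git merge-conflict marker, so the commit records an unresolved merge in threat-protection/TOC.md. Resolve the conflict and remove the marker before this is merged; as committed, the marker becomes part of the table-of-contents file.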
@@ -40,6 +41,32 @@ #### [Portal overview](windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md) #### [View the Security operations dashboard](windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md) #### [View the Security analytics dashboard](windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) +======= +#### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md) +#### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md) +#### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) +#### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md) +#### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md) +#### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md) +### [Onboard endpoints and set up access](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md) +#### [Configure client endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md) +##### [Configure endpoints using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md) +##### [Configure endpoints using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) +##### [Configure endpoints using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) +###### [Configure endpoints using Microsoft 
Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) +##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md) +##### [Configure non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) +#### [Configure server endpoints](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md) +#### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) +#### [Run a detection test on a newly onboarded endpoint](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md) +#### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md) +#### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +### [Understand the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md) +#### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md) +#### [View the Security operations dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md) +#### [View the Secure score dashboard](windows-defender-atp\security-analytics-dashboard-windows-defender-advanced-threat-protection.md) +#### [View the Threat analytics dashboard](windows-defender-atp\threat-analytics-windows-defender-advanced-threat-protection.md) +>>>>>>> 49fa7cb75f8464a1cc3cab0259181f7e031ff74b ###Investigate and remediate threats ####Alerts queue 
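Review bot: The added block from `+=======` through `+>>>>>>> 49fa7cb75f8464a1cc3cab0259181f7e031ff74b` is the other side of the same unresolved conflict. It repeats entries that the context lines show already exist (Minimum requirements, Portal overview, View the Security operations dashboard), this time with backslashes in the link paths (`windows-defender-atp\portal-overview-...`) where the existing entries use forward slashes. Keep a single copy with forward-slash paths, drop both markers, and carry over only the two real changes: the rename to "View the Secure score dashboard" and the new "View the Threat analytics dashboard" entry.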
diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md index 6f5966a3e8..20caac1504 100644 --- a/windows/security/threat-protection/auditing/audit-security-group-management.md +++ b/windows/security/threat-protection/auditing/audit-security-group-management.md @@ -31,9 +31,9 @@ This subcategory allows you to audit events generated by changes to security gro | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
    We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.| +| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
    We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.| +| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
    We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.| **Events List:** diff --git a/windows/security/threat-protection/change-history-for-threat-protection.md b/windows/security/threat-protection/change-history-for-threat-protection.md index dd2b27f046..79880c8d9b 100644 --- a/windows/security/threat-protection/change-history-for-threat-protection.md +++ b/windows/security/threat-protection/change-history-for-threat-protection.md @@ -17,6 +17,7 @@ This topic lists new and updated topics in the [Threat protection](index.md) doc New or changed topic | Description ---------------------|------------ [Security Compliance Toolkit](security-compliance-toolkit-10.md) | Added Office 2016 Security Baseline. +[Audit security group management](auditing/audit-security-group-management.md)| Added recommendation to audit Failure events. ## January 2018 |New or changed topic |Description | diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md index 86e3a1b15f..b32948c986 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md @@ -34,7 +34,7 @@ The **Interactive logon: Prompt user to change password before expiration** poli ### Location -Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options +Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options ### Default values 
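Review bot: In audit-security-group-management.md, the three rewritten rows (Domain Controller, Member Server, Workstation) now recommend Failure auditing in the Comments cell, but the General Failure and Stronger Failure cells of those same rows still read No, so the table contradicts itself. Either change those cells or reword the comment. The removed sentence stated that this subcategory has no Failure events; if that still holds, the new recommendation collects nothing, so please confirm which events are logged on failure before publishing it. Minor wording: "create, change, or delete new security groups" probably means "create, change, or delete security groups".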
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md index ad3743b16b..09fefe72e5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Windows Defender AV reference for management tools -description: Learn how Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the comman line can be used to manage Windows Defender AV +title: Manage Windows Defender AV in your business +description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the comman line to manage Windows Defender AV keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -9,12 +9,12 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 08/26/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 03/01/2018 --- -# Reference topics for management and configuration tools +# Manage Windows Defender AV in your business **Applies to:** @@ -24,7 +24,7 @@ ms.date: 08/26/2017 - Enterprise security administrators -Windows Defender Antivirus can be managed and configured with the following tools: +You can manage and configure Windows Defender Antivirus with the following tools: - Group Policy - System Center Configuration Manager and Microsoft Intune 
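Review bot: In the first hunk of this file, the rewritten `description:` line still carries the typo "comman line"; since the line is being changed anyway, make it "command line". The neighbouring configure-real-time-protection change fixes a typo of the same kind ("protectoin") in its description, so this one looks like an oversight.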
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md index 96199b29be..ab4cd78ac7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Configure always-on real-time protection in Windows Defender AV -description: Enable and configure real-time protectoin features such as behavior monitoring, heuristics, and machine-learning in Windows Defender AV +description: Enable and configure real-time protection features such as behavior monitoring, heuristics, and machine-learning in Windows Defender AV keywords: real-time protection, rtp, machine-learning, behavior monitoring, heuristics search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -100,4 +100,4 @@ The main real-time protection capability is enabled by default, but you can disa ## Related topics - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index b30883b882..9f225964af 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -50,7 +50,7 @@ PUAs are blocked when a user attempts to download or install the detected file, - The file is being scanned from the browser - The file is in a folder with "**downloads**" in the path - The file is in a folder with "**temp**" in the path -- The file is on the user's Dekstop +- The file is on the user's Desktop - The file does not meet one of these conditions and is not under *%programfiles%*, *%appdata%*, or *%windows%* The file is placed in the quarantine section so it won't run. diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index 07eb24860e..991d95bf12 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md 
@@ -29,7 +29,7 @@ These settings, located at **Computer Configuration\Administrative Templates\Net |Policy name|Supported versions|Description| |-----------|------------------|-----------| |Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| -|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| +|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) Please include a full domain name (www.contoso.com) in the configuration 2) You may use "." as a wildcard character to automatically trust subdomains. Configuring '.constoso.com' will automatically trust 'subdomain1.contoso.com', 'subdomain2.contoso.com etc. | |Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| ### Application-specific settings diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index fea04741f7..489d6db5d4 100644 
--- a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 11/09/2017 +ms.date: 03/12/2018 --- # View and organize the Windows Defender Advanced Threat Protection Alerts queue @@ -135,7 +135,7 @@ Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together ## Related topics - [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) -- [View the Windows Defender Advanced Threat Protection Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) +- [View the Windows Defender Advanced Threat Protection Secure score dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index a15378b6ad..a650f8fe1f 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 11/14/2017 +ms.date: 03/06/2018 --- # Windows Defender ATP data storage and privacy @@ -40,6 +40,15 @@ Microsoft uses this data to: Microsoft does not use your data for advertising or for any other purpose other than providing you the service. +## Data protection and encryption +The Windows Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure. + + +There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Windows Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/en-us/azure/security/security-azure-encryption-overview). + +In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum. + + ## Do I have the flexibility to select where to store my data? When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not under any circumstance, transfer the data from the specified geolocation into another geolocation. 
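Review bot: In configure-wd-app-guard.md, the text added to the "Enterprise resource domains hosted in the cloud" row gives the wildcard example as '.constoso.com' while saying it trusts 'subdomain1.contoso.com'; the example domain is misspelled, and for a setting that decides which endpoints are treated as enterprise resources the example should be exact. The closing quote after 'subdomain2.contoso.com is also missing. It would help to state whether a leading "." entry also covers the bare domain or only its subdomains, because every match is rendered in Microsoft Edge outside the Application Guard environment.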
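Review bot: In the new "Data protection and encryption" section of the data storage and privacy topic, the link text reads "AES encyption"; correct it to "encryption". The phrase "256-bit AES ... at the minimum" is also ambiguous, since 256 bits is the largest AES key size; "using 256-bit AES" would say the same thing without implying larger keys. The two consecutive blank `+` lines after the first paragraph and the "state of the art" wording can be dropped.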
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md index 2ff55bdc25..fc7325015e 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- -title: Enable Security Analytics in Windows Defender ATP -description: Set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard. -keywords: enable security analytics, baseline, calculation, analytics, score, security analytics dashboard, dashboard +title: Enable Secure score security controls in Windows Defender ATP +description: Set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard. +keywords: secure score, baseline, calculation, score, secure score dashboard, dashboard, windows defender antivirus, av, exploit guard, application guard, smartscreen search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -10,10 +10,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 10/16/2017 +ms.date: 03/12/2018 --- -# Enable Security Analytics security controls +# Enable Secure score security controls **Applies to:** 
@@ -25,21 +25,21 @@ ms.date: 10/16/2017 -Set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations. +Set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations. >[!NOTE] >Changes might take up to a few hours to reflect on the dashboard. -1. In the navigation pane, select **Preferences setup** > **Security Analytics**. +1. In the navigation pane, select **Preferences setup** > **Secure score**. - ![Image of Security Analytics controls from Preferences setup menu](images/atp-enable-security-analytics.png) + ![Image of Secure score controls from Preferences setup menu](images/atp-enable-security-analytics.png) 2. Select the security control, then toggle the setting between **On** and **Off**. 3. Click **Save preferences**. ## Related topics -- [View the Security Analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) +- [View the Secure score dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) - [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md) - [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) - [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md index 4c24bf012f..b25f671461 100644 
--- a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 10/23/2017 +ms.date: 03/12/2018 --- # View and organize the Windows Defender ATP Machines list @@ -80,7 +80,7 @@ Filter the list to view specific machines that are well configured or require at - **Well configured** - Machines have the Windows Defender security controls well configured. - **Requires attention** - Machines where improvements can be made to increase the overall security posture of your organization. -For more information, see [View the Security Analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md). +For more information, see [View the Secure score dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md). **Malware category alerts**
    Filter the list to view specific machines grouped together by the following malware categories: diff --git a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md index adef15a6bb..14d4fc1ac4 100644 --- a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: DulceMV ms.localizationpriority: high -ms.date: 10/19/2017 +ms.date: 03/12/2018 --- # Windows Defender Advanced Threat Protection portal overview 
@@ -51,11 +51,11 @@ You can navigate through the portal using the menu options available in all sect Area | Description :---|:--- (1) Navigation pane | Use the navigation pane to move between the **Dashboards**, **Alerts queue**, **Machines list**, **Service health**, **Preferences setup**, and **Endpoint management**. -**Dashboards** | Enables you to view the Security operations or the Security analytics dashboard. -**Alerts queue** | Enables you to view separate queues of new, in progress, resolved alerts, alerts assigned to you, and suppression rules. +**Dashboards** | Allows you to access the Security operations or the Secure score dashboard. +**Alerts queue** | Allows you to view separate queues: new, in progress, resolved alerts, alerts assigned to you, and suppression rules. **Machines list** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts. **Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. -**Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Security analytics dashboard. +**Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure score dashboard. 
**Endpoint management** | Provides access to endpoints such as clients and servers. Allows you to download the onboarding configuration package for endpoints. It also provides access to endpoint offboarding. **Community center** | Access the Community center to learn, collaborate, and share experiences about the product. (2) Main portal| Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list. diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index 6708631bb3..c3162d20c2 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 11/09/2017 +ms.date: 03/06/2018 --- # Take response actions on a file @@ -48,7 +48,7 @@ The **Stop and Quarantine File** action includes stopping running processes, qua The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last 30 days. >[!NOTE] ->You’ll be able to remove the file from quarantine at any time. +>You’ll be able to restore the file from quarantine at any time. ### Stop and quarantine files 1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box: 
@@ -101,7 +101,7 @@ You can roll back and remove a file from quarantine if you’ve determined that ``` > [!NOTE] -> Windows Defender ATP will remove all files that were quarantined on this machine in the last 30 days. +> Windows Defender ATP will restore all files that were quarantined on this machine in the last 30 days. ## Block files in your network You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. diff --git a/windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md index a7f177c650..6ea27c4f75 100644 --- a/windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md 
@@ -1,7 +1,7 @@ --- -title: View the Security Analytics dashboard in Windows Defender ATP -description: Use the Security Analytics dashboard to assess and improve the security state of your organization by analyzing various security control tiles. -keywords: security analytics, dashboard, security recommendations, security control state, security score, score improvement, organizational security score, security coverage, security control, improvement opportunities, edr, antivirus, av, os security updates +title: View the Secure score dashboard in Windows Defender ATP +description: Use the Secure score dashboard to assess and improve the security state of your organization by analyzing various security control tiles. +keywords: secure score, dashboard, security recommendations, security control state, security score, score improvement, organizational security score, security coverage, security control, improvement opportunities, edr, antivirus, av, os security updates search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -9,10 +9,10 @@ ms.sitesec: library ms.pagetype: security author: mjcaparas localizationpriority: high -ms.date: 11/17/2017 +ms.date: 03/12/2018 --- -# View the Windows Defender Advanced Threat Protection Security analytics dashboard +# View the Windows Defender Advanced Threat Protection Secure score dashboard **Applies to:** 
@@ -27,18 +27,18 @@ ms.date: 11/17/2017 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-abovefoldlink) -The Security Analytics dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. +The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. >[!IMPORTANT] > This feature is available for machines on Windows 10, version 1703 or later. -The **Security analytics dashboard** displays a snapshot of: +The **Secure score dashboard** displays a snapshot of: - Organizational security score - Security coverage - Improvement opportunities - Security score over time -![Security analytics dashboard](images/atp-dashboard-security-analytics-full.png) +![Secure score dashboard](images/atp-dashboard-security-analytics-full.png) ## Organizational security score The organization security score is reflective of the average score of all the Windows Defender security controls that are configured according to the recommended baseline. You can improve this score by taking the steps in configuring each of the security controls in the optimal settings. 
@@ -52,7 +52,7 @@ The denominator is reflective of the organizational score potential and calculat In the example image, the total points from the **Improvement opportunities** tile add up to 321 points for the six pillars from the **Security coverage** tile. -You can set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard through the **Preferences settings**. For more information, see [Enable Security Analytics security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md). +You can set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard through the **Preferences settings**. For more information, see [Enable Secure score security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md). ## Security coverage The security coverage tile shows a bar graph where each bar represents a Windows Defender security control. Each bar reflects the number of machines that are well configured and those that require **any kind of attention** for each security control. Hovering on top of the individual bars will show exact numbers for each category. Machines that are green are well configured, while machines that are orange require some level of attention. 
@@ -241,7 +241,7 @@ For more information, see [Windows Defender SmartScreen](../windows-defender-sma >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) ## Related topics -- [Enable Security Analytics security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md) +- [Enable Secure score security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md) - [View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..e2bb30d5ac --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,54 @@ +--- +title: Windows Defender Advanced Threat Protection Threat analytics +description: Get a tailored organizational risk evaluation and actionable steps you can take to minimize risks in your organization. +keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 03/06/2018 +--- + +# Threat analytics for Spectre and Meltdown + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + + +[Spectre and Meltdown](https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/) is a new class of exploits that take advantage of critical vulnerabilities in the CPU processors, allowing attackers running user-level, non-admin code to steal data from kernel memory. These exploits can potentially allow arbitrary non-admin code running on a host machine to harvest sensitive data belonging to other apps or system processes, including apps on guest VMs. + +Mitigating these vulnerabilities involves a complex multivendor update. It requires updates to Windows and Microsoft browsers using the [January 2018 Security Updates from Microsoft](https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/858123b8-25ca-e711-a957-000d3a33cf99) and updates to processor microcode using fixes released by OEM and CPU vendors. + +## Prerequisites +Note the following requirements and limitations of the charts and what you might be able to do to improve visibility of the mitigation status of machines in your network: + +- Only active machines running Windows 10 are checked for OS mitigations. 
+- When checking for microcode mitgations, Windows Defender ATP currently checks for updates applicable to Intel CPU processors only. +- To determine microcode mitigation status, machines must enable Windows Defender Antivirus and update to definition version 1.259.1545.0 or above. +- To be covered under the overall mitigation status, machines must have both OS and microcode mitigation information. + +## Assess organizational risk with Threat analytics + +Threat analytics helps you continually assess and control risk exposure to Spectre and Meltdown. Use the charts to quickly identify machines for the presence or absence of the following mitigations: + +- **OS mitigation**: Identifies machines that have installed the January 2018 Security Updates from Microsoft and have not explicitly disabled any of the OS mitigations provided with these updates +- **Microcode mitigation**: Identifies machines that have installed the necessary microcode updates or those that do not require them +- **Overall mitigation status**: Identifies the completeness by which machines have mitigated against the Spectre and Meltdown exploits + + +To access Threat analytics, from the navigation pane select **Dashboards** > **Threat analytics**. + +Click a section of each chart to get a list of the machines in the corresponding mitigation status. + + + diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md index 1e32ef16a7..d6dbef14e6 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md 
@@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 10/16/2017 +ms.date: 02/26/2018 --- # Troubleshoot custom threat intelligence issues @@ -33,15 +33,15 @@ This page provides detailed steps to troubleshoot issues you might encounter whi ## Learn how to get a new client secret If your client secret expires or if you've misplaced the copy provided when you were enabling the custom threat intelligence application, you'll need to get a new secret. -1. Login to the [Azure management portal](https://ms.portal.azure.com). +1. Login to the [Azure management portal](https://portal.azure.com). 2. Select **Active Directory**. 3. Select your tenant. -4. Click **Application**, then select your custom threat intelligence application. The application name is **WindowsDefenderATPThreatIntelAPI** (formerly known as **WindowsDefenderATPCustomerTiConnector**). +4. Click **App registrations** > **All apps**. Then select the application name **WindowsDefenderATPThreatIntelAPI** (formerly known as **WindowsDefenderATPCustomerTiConnector**). -5. Select **Keys** section, then provide a key description and specify the key validity duration. +5. Under **Settings**, select **Keys**, then provide a key description and specify the key validity duration. 6. Click **Save**. The key value is displayed. diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md index c384aeaa9e..4d77042ae0 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md 
@@ -34,13 +34,13 @@ This page provides detailed steps to troubleshoot issues you might encounter. ## Learn how to get a new client secret If your client secret expires or if you've misplaced the copy provided when you were enabling the SIEM tool application, you'll need to get a new secret. -1. Login to the [Azure management portal](https://ms.portal.azure.com). +1. Login to the [Azure management portal](https://portal.azure.com). 2. Select **Azure Active Directory**. 3. Select your tenant. -4. Click **Application**, then select your SIEM tool application. The application name is `https://windowsdefenderatpsiemconnector`. +4. Click **App registrations** > **All apps**, then select your SIEM tool application. The application name is `https://windowsdefenderatpsiemconnector`. 5. Select **Keys** section, then provide a key description and specify the key validity duration. @@ -48,6 +48,7 @@ If your client secret expires or if you've misplaced the copy provided when you 7. Copy the value and save it in a safe place. + ## Error when getting a refresh access token If you encounter an error when trying to get a refresh token when using the threat intelligence API or SIEM tools, you'll need to add reply URL for relevant application in Azure Active Directory. diff --git a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md index 75aed7ba70..9ec694fdde 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 02/13/2018 +ms.date: 03/12/2018 --- # Use the Windows Defender Advanced Threat Protection portal 
@@ -31,7 +31,7 @@ You can use the Windows Defender ATP portal to carry out an end-to-end security Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network. -Use the **Security analytics** dashboard to expand your visibility on the overall security posture of your organization. You'll see machines that require attention and recommendations that can help you reduce the attack surface in your organization. +Use the **Secure score** dashboard to expand your visibility on the overall security posture of your organization. You'll see machines that require attention and recommendations that can help you reduce the attack surface in your organization. ### In this section 
@@ -40,6 +40,6 @@ Topic | Description :---|:--- [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the portal layout and area descriptions. [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines. -[View the Windows Defender Advanced Threat Protection Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Security Analytics dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. +[View the Windows Defender Advanced Threat Protection Secure score dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Secure score dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index 42fe8383b5..a82528a68f 100644 
--- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Windows Defender Advanced Threat Protection - Windows Defender description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats. -keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, endpoint behavioral sensor, cloud security, analytics, threat intelligence +keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, endpoint behavioral sensor, cloud security, score, threat intelligence search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 11/13/2017 +ms.date: 03/12/2018 --- # Windows Defender Advanced Threat Protection diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index 817038ca1c..d75309c31b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: medium -author: iaanw -ms.author: iawilt +author: andreabichsel +ms.author: v-anbic ms.date: 12/12/2017 --- 
@@ -33,10 +33,10 @@ Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrus There are four features in Windows Defender EG: -- [Exploit protection](exploit-protection-exploit-guard.md) can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps -- [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware -- [Network protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices -- [Controlled folder access](controlled-folders-exploit-guard.md) helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware +- [Exploit protection](exploit-protection-exploit-guard.md) can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps. Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV). +- [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV. +- [Network protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. Requires Windows Defender AV. +- [Controlled folder access](controlled-folders-exploit-guard.md) helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. 
Requires Windows Defender AV. You can evaluate each feature of Windows Defender EG with the guides at the following link, which provide pre-built PowerShell scripts and testing tools so you can see the features in action: diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 1bbc64ff9e..34346b0e9c 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -37,6 +37,9 @@ "ms.topic": "article", "ms.author": "trudyha", "ms.date": "04/05/2017", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.win-whats-new" diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index fb858f7d9e..b296cc0cdf 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md 
@@ -81,7 +81,7 @@ Additional changes for Windows Hello in Windows 10, version 1607: ### VPN -- The VPN client can integrate with the Conditional Access Framework, a cloud-pased policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. +- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. - The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. - New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607) - Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 3b14218ea5..9beb4709cd 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md 
@@ -122,7 +122,7 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10 You can read more about ransomware mitigations and detection capability in Windows Defender Advanced Threat Protection in the blog: [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/). -Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see (Windows Defender ATP for Windows 10 Creators Update)[https://technet.microsoft.com/en-au/windows/mt782787]. +Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/en-au/windows/mt782787). ### Windows Defender Antivirus Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). 
@@ -169,7 +169,7 @@ For Windows Phone devices, an administrator is able to initiate a remote PIN res For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. -For more details, check out [What if I forget my PIN?](/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password#what-if-i-forget-my-pin). +For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). ### Windows Information Protection (WIP) and Azure Active Directory (Azure AD) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune).
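Review bot: In portal-overview-windows-defender-advanced-threat-protection.md (hunk @@ -51,11 +51,11), the rewritten **Dashboards** row names only the Security operations and Secure score dashboards, while threat-analytics-windows-defender-advanced-threat-protection.md, added in this same patch, sends readers to **Dashboards** > **Threat analytics**. Add Threat analytics to that row so the navigation description matches. The unchanged **Service health** row in the same hunk reads "Window Defender ATP service"; since the table is being touched anyway, correct it to "Windows Defender ATP service".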
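Review bot: In respond-file-alerts-windows-defender-advanced-threat-protection.md, both notes now say "restore", but the context shown in the header of hunk @@ -101,7 +101,7 still reads "You can roll back and remove a file from quarantine". Use one term throughout that section, otherwise a responder cannot tell whether "remove" and "restore" are the same action. The second note also says all files quarantined on the machine in the last 30 days are restored, so the procedure should say plainly that the action is not limited to the single file under investigation.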
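Review bot: In security-analytics-dashboard-windows-defender-advanced-threat-protection.md, the rename to "Secure score" changes the alt text in hunk @@ -27,18 +27,18 but still points at images/atp-dashboard-security-analytics-full.png; confirm the screenshot shows the new dashboard name, or replace it. The link targets in hunks @@ -52,7 and @@ -241,7 keep the enable-security-analytics-... file name, which is fine for link stability but worth stating in the commit message. The front matter in hunk @@ -9,10 +9,10 has "localizationpriority: high" without the "ms." prefix used by the other files in this patch.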
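Review bot: In the new threat-analytics-windows-defender-advanced-threat-protection.md, the Prerequisites list says microcode checks cover Intel processors only, but the **Microcode mitigation** bullet describes machines "that have installed the necessary microcode updates or those that do not require them" without saying how machines with other CPUs are reported. State whether they appear as mitigated, unmitigated, or unknown, since an admin reading the chart could otherwise take missing data for a mitigated state. Smaller points in the same hunk: "mitgations" should be "mitigations", "Spectre and Meltdown ... is a new class of exploits that take advantage" needs subject-verb agreement, and "CPU processors" is redundant.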
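Review bot: In troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md (hunk @@ -33,15 +33,15), step 2 still reads "Select **Active Directory**" while the matching step in troubleshoot-siem-... reads "Select **Azure Active Directory**". Steps 4 and 5 were updated to the current portal labels, so update step 2 to the same label to keep the client-secret procedure followable end to end.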
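Review bot: In troubleshoot-siem-windows-defender-advanced-threat-protection.md (hunk @@ -34,13 +34,13), step 5 is left as "Select **Keys** section", whereas the same step in troubleshoot-custom-ti-... was changed in this patch to "Under **Settings**, select **Keys**". Both procedures describe the same Azure portal path, so apply the same wording here. Hunk @@ -48,6 +48,7 only adds an empty line before "## Error when getting a refresh access token"; drop it unless it fixes a rendering problem.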
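Review bot: In windows-defender-advanced-threat-protection.md (hunk @@ -1,7 +1,7), the keywords line changes "cloud security, analytics, threat intelligence" to "cloud security, score, threat intelligence". The original "analytics" was a standalone keyword, not part of the "Security analytics" dashboard name, and "score" on its own is not a useful search term. Keep "analytics" and, if wanted, add "secure score" as a separate keyword.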
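Review bot: In windows-defender-exploit-guard.md, hunk @@ -9,8 +9,8 changes the author fields but leaves "ms.date: 12/12/2017" untouched even though hunk @@ -33,10 +33,10 changes the content; the other files in this patch bump ms.date with their content changes. In the content hunk, the added requirement statements ("Requires Windows Defender AV.") are sentence fragments appended to each bullet; consider "This feature requires Windows Defender AV." so the dependency reads as a requirement rather than a trailing tag.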
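Review bot: In whats-new-windows-10-version-1703.md (hunk @@ -122,7 +122,7), the link syntax is fixed but the sentence still runs on: "Get a quick, but in-depth overview ... in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update]". Recast it, for example "For a quick but in-depth overview of ..., see [...]". The target URL also carries the en-au locale segment; the other links in this patch use en-us or a locale-free path.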