diff --git a/education/windows/index.md b/education/windows/index.md index 49ea89c1eb..9d3f183b1d 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -44,7 +44,7 @@ author: CelesteDG

[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.

Try it out: Windows 10 deployment (for education)
Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.

For the best experience, use this guide in tandem with the TechNet Virtual Lab: IT Pro Try-It-Out.

-### ![Switch to Windows 10 for Education](images/windows.png) Switch +## ![Switch to Windows 10 for Education](images/windows.png) Switch

[Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md)
If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.

diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 7c998c3e0b..39f0826ba4 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -70,7 +70,7 @@ To make this as seamless as possible, in your Azure AD tenant: ![Set maximum number of devices per user to unlimited](images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png) -- Clear your Azure AD tokens from time to time. Your tenant can only have 50 automated Azure AD tokens active at any one time. +- Clear your Azure AD tokens from time to time. Your tenant can only have 500 automated Azure AD tokens active at any one time. In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > All users** and look at the list of user names. User names that start with **package_** followed by a string of letters and numbers. These are the user accounts that are created automatically for the tokens and you can safely delete these. diff --git a/education/windows/switch-to-pro-education.md b/education/windows/switch-to-pro-education.md index e5affe8444..a42e464435 100644 --- a/education/windows/switch-to-pro-education.md +++ b/education/windows/switch-to-pro-education.md @@ -159,7 +159,7 @@ Once you enable the setting to switch to Windows 10 Pro Education, the switch wi **To turn on the automatic switch to Windows 10 Pro Education** -1. Sign in to [Microsoft Store for Education](https://businessstore.microsoft.com/) with your work or school account. +1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your work or school account. If this is the first time you're signing into the Microsoft Store for Education, you'll be prompted to accept the Microsoft Store for Education Terms of Use. @@ -341,7 +341,7 @@ Once the automatic switch to Windows 10 Pro Education is turned off, the change **To roll back Windows 10 Pro Education to Windows 10 Pro** -1. Log in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/Store/Apps) with your school or work account, or follow the link from the notification email to turn off the automatic switch. +1. Log in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic switch. 2. Select **Manage > Benefits** and locate the section **Windows 10 Pro Education** and follow the link. 3. In the **Revert to Windows 10 Pro** page, click **Revert to Windows 10 Pro**. diff --git a/store-for-business/update-windows-store-for-business-account-settings.md b/store-for-business/update-windows-store-for-business-account-settings.md index e2266ea8a6..637220cb67 100644 --- a/store-for-business/update-windows-store-for-business-account-settings.md +++ b/store-for-business/update-windows-store-for-business-account-settings.md @@ -61,13 +61,13 @@ Taxes for Microsoft Store for Business purchases are determined by your business - Switzerland - United Kingdom -These countries can provide their VAT number or local equivalent in **Payments & billing**. However, they can only acquire free apps. +These countries can provide their VAT number or local equivalent in **Payments & billing**. |Market| Tax identifier | |------|----------------| -| Brazil | CPNJ (required), CCMID (optional) | -| India | CST ID, VAT ID | -| Taiwan | Unified business number| +| Brazil | CNPJ (required) | +| India | CST ID, VAT ID (both are optional) | +| Taiwan | VAT ID (optional) | ### Tax-exempt status diff --git a/store-for-business/windows-store-for-business-overview.md b/store-for-business/windows-store-for-business-overview.md index 92902b6347..0edcf1dfa2 100644 --- a/store-for-business/windows-store-for-business-overview.md +++ b/store-for-business/windows-store-for-business-overview.md @@ -157,6 +157,193 @@ For more information, see [Manage settings in the Store for Business](manage-set Microsoft Store for Business and Education is currently available in these markets. + +### Support for free and paid apps @@ -294,22 +481,29 @@ Microsoft Store for Business and Education is currently available in these marke
Support for free and paid apps
- - - - - - - -
Support for free apps only
-
    -
  • Brazil
    • -
  • India
    • -
  • Russia
    • -
  • Taiwan
    • -
  • Ukraine
    • -
-
+### Support for free apps +Customers in these markets can use Microsoft Store for Business and Education to acquire free apps: +- India +- Russia + +### Support for free apps and Minecraft: Education Edition +Customers in these markets can use Microsoft Store for Business and Education to acquire free apps and Minecraft: Education Edition: +- Brazil +- Taiwan +- Ukraine + +This table summarize what customers can purchase, depending on which Microsoft Store they are using. + +| Store | Free apps | Minecraft: Education Edition | +| ----- | --------- | ---------------------------- | +| Microsoft Store for Business | supported | not supported | +| Microsoft Store for Education | supported | supported; invoice payment required | + +> [!NOTE] +> **Microsoft Store for Education customers with support for free apps and Minecraft: Education Edition** +- Admins can acquire free apps from **Microsoft Store for Education**. +- Admins need to use an invoice to purchase **Minecraft: Education Edition**. For more information, see [Invoice payment option](https://docs.microsoft.com/education/windows/school-get-minecraft#invoices). +- Teachers, or people with the Basic Purachaser role, can acquire free apps, but not **Minecraft: Education Edition**. ## Privacy notice diff --git a/windows/access-protection/enterprise-certificate-pinning.md b/windows/access-protection/enterprise-certificate-pinning.md index 130251d4b2..c5c53ac5e6 100644 --- a/windows/access-protection/enterprise-certificate-pinning.md +++ b/windows/access-protection/enterprise-certificate-pinning.md @@ -189,9 +189,12 @@ Sign-in to the reference computer using domain administrator equivalent credenti 8. Right-click the **Registry** node and click **New**. 9. In the **New Registry Properties** dialog box, select **Update** from the **Action** list. Select **HKEY_LOCAL_MACHINE** from the **Hive** list. 10. For the **Key Path**, click **…** to launch the **Registry Item Browser**. Navigate to the following registry key and select the **PinRules** registry value name: + HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config + Click **Select** to close the **Registry Item Browser**. -11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REGBINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box. + +11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box. ![PinRules Properties](images/enterprise-certificate-pinning-pinrules-properties.png) diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md index 120dc8ffe8..57e0175c71 100644 --- a/windows/client-management/TOC.md +++ b/windows/client-management/TOC.md @@ -9,5 +9,5 @@ ## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md) ## [Windows libraries](windows-libraries.md) -## [Mobile Device Management](mdm/index.md) +## [Mobile device management protocol](mdm/index.md) ## [Change history for Client management](change-history-for-client-management.md) diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md index 069a8486f3..ed4d8e0a6e 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md @@ -16,9 +16,8 @@ The EnterpriseAssignedAccess configuration service provider allows IT administra > **Note**   The EnterpriseAssignedAccess CSP is only supported in Windows 10 Mobile. -  -For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983). +To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](https://docs.microsoft.com/en-us/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983). The following diagram shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. @@ -44,137 +43,103 @@ When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an When using the AssignedAccessXml in a provisioning package using the Windows Imaging and Configuration Designer (ICD) tool, do not use escaped characters. -  +Entry | Description +----------- | ------------ +ActionCenter | You can enable or disable the Action Center (formerly known as Notification Center) on the device. Set to true to enable the Action Center, or set to false to disable the Action Center. +ActionCenter | Example: `` +ActionCenter | In Windows 10, when the Action Center is disabled, Above Lock notifications and toasts are also disabled. When the Action Center is enabled, the following policies are also enabled; **AboveLock/AllowActionCenterNotifications** and **AboveLock/AllowToasts**. For more information about these policies, see [Policy CSP](policy-configuration-service-provider.md) +ActionCenter | You can also add the following optional attributes to the ActionCenter element to override the default behavior: **aboveLockToastEnabled** and **actionCenterNotificationEnabled**. Valid values are 0 (policy disabled), 1 (policy enabled), and -1 (not set, policy enabled). In this example, the Action Center is enabled and both policies are disabled.: `` +ActionCenter | These optional attributes are independent of each other. In this example, Action Center is enabled, the notifications policy is disabled, and the toast policy is enabled by default because it is not set. `` +StartScreenSize | Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: **Small** - sets the width to 4 columns on device with short axis <400epx or 6 columns on devices with short axis >=400epx. **Large** - sets the width to 6 columns on devices with short axis <400epx or 8 columns on devices with short axis >=400epx. +StartScreenSize | If you have existing lockdown XML, you must update it if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. Example: `Large` +Application | Provide the product ID for each app that will be available on the device. You can find the product ID for a locally developed app in the AppManifest.xml file of the app. For the list of product ID and AUMID see [ProductIDs in Windows 10 Mobile](#productid). +Application | To turn on the notification for a Windows app, you must include the application's AUMID in the lockdown XML. However, the user can change the setting at any time from user interface. Example: `` +Application | modern app notification +Application | Include PinToStart to display an app on the Start screen. For apps pinned to the Start screen, identify a tile size (small, medium, or large), and a location. The size of a small tile is 1 column x 1 row, a medium tile is 2 x 2, and a large tile is 4 x 2. For the tile location, the first value indicates the column and the second value indicates the row. A value of 0 (zero) indicates the first column, a value of 1 indicates the second column, and so on. Include autoRun as an attribute to configure the application to run automatically. + +Application example: +``` syntax + + + Large + + 0 + 2 + + + +``` + +Entry | Description +----------- | ------------ +Application | Multiple App Packages enable multiple apps to exist inside the same package. Since ProductIds identify packages and not applications, specifying a ProductId is not enough to distinguish between individual apps inside a multiple app package. Trying to include application from a multiple app package with just a ProductId can result in unexpected behavior. To support pinning applications in multiple app packages, use an AUMID parameter in lockdown XML. For the list of product ID and AUMID, see [ProductIDs in Windows 10 Mobile](#productid). The following example shows how to pin both Outlook mail and Outlook calendar. + +Application example: +``` syntax + + + + + Large + + 1 + 4 + + + + + + + Large + + 1 + 6 + + + + +``` + +Entry | Description +----------- | ------------ +Folder | A folder should be contained in <Applications/> node among with other <Application/> nodes, it shares most grammar with the Application Node, **folderId** is mandatory, **folderName** is optional, which is the folder name displayed on Start. **folderId** is a unique unsigned integer for each folder. + +Folder example: +``` syntax + + + Large + + 0 + 2 + + + +``` +An application that belongs in the folder would add an optional attribute **ParentFolderId**, which maps to **folderId** of the folder. In this case, the location of this application will be located inside the folder. + +``` syntax + + + Medium + + 0 + 0 + + 2 + + +``` + +Entry | Description +----------- | ------------ +Settings | Starting in Windows 10, version 1511, you can specify the following settings pages in the lockdown XML file. + +> [!Important] +> Do not specify a group entry without a page entry because it will cause an undefined behavior. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EntryDescription

ActionCenter

You can enable or disable the Action Center (formerly known as Notification Center) on the device. Set to true to enable the Action Center, or set to false to disable the Action Center.

-

Example:

-
<ActionCenter enabled="true"></ActionCenter>
-

In Windows 10, when the Action Center is disabled, Above Lock notifications and toasts are also disabled. When the Action Center is enabled, the following policies are also enabled:

-
    -
  • AboveLock/AllowActionCenterNotifications
    • -
  • AboveLock/AllowToasts
    • -
-

For more information about these policies, see [Policy CSP](policy-configuration-service-provider.md)

-

You can also add the following optional attributes to the ActionCenter element to override the default behavior:

-
    -
  • aboveLockToastEnabled
    • -
  • actionCenterNotificationEnabled
    • -
-

Valid values are 0 (policy disabled), 1 (policy enabled), and -1 (not set, policy enabled).

-

In this example, the Action Center is enabled and both policies are disabled.

-
<ActionCenter enabled="true" aboveLockToastEnabled="0" actionCenterNotificationEnabled="0"/>
-

These optional attributes are independent of each other.

-

In this example, Action Center is enabled, the notifications policy is disabled, and the toast policy is enabled by default because it is not set.

-
<ActionCenter enabled="true" actionCenterNotificationEnabled="0"/>

StartScreenSize

Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions.

-

Valid values:

-
    -
  • Small sets the width to 4 columns on device with short axis <400epx or 6 columns on devices with short axis >=400epx.
    • -
  • Large sets the width to 6 columns on devices with short axis <400epx or 8 columns on devices with short axis >=400epx.
    • -
-

If you have existing lockdown XML, you must update it if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4.

-

Example:

-
<StartScreenSize>Large</StartScreenSize>

Application

Provide the product ID for each app that will be available on the device.

-

You can find the product ID for a locally developed app in the AppManifest.xml file of the app. For the list of product ID and AUMID see [ProductIDs in Windows 10 Mobile](#productid).

-

To turn on the notification for a Windows app, you must include the application's AUMID in the lockdown XML. However, the user can change the setting at any time from user interface.

-
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail"/>
-modern app notification -

Include PinToStart to display an app on the Start screen. For apps pinned to the Start screen, identify a tile size (small, medium, or large), and a location. The size of a small tile is 1 column x 1 row, a medium tile is 2 x 2, and a large tile is 4 x 2.

-

For the tile location, the first value indicates the column and the second value indicates the row. A value of 0 indicates the first column, a value of 1 indicates the second column, and so on.

-

Include autoRun as an attribute to configure the application to run automatically.

-

Example:

-
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}" autoRun="true">
-   <PinToStart>
-      <Size>Large</Size>
-      <Location>
-         <LocationX>0</LocationX>
-         <LocationY>2</LocationY>
-      </Location>
-   </PinToStart>
-</Application>
-

Multiple App Packages enable multiple apps to exist inside the same package. Since ProductIds identify packages and not applications, specifying a ProductId is not enough to distinguish between individual apps inside a multiple app package. Trying to include application from a multiple app package with just a ProductId can result in unexpected behavior.

-

To support pinning applications in multiple app packages, use an AUMID parameter in lockdown XML. For the list of product ID and AUMID, see [ProductIDs in Windows 10 Mobile](#productid). The following example shows how to pin both Outlook mail and Outlook calendar.

-
<Apps>
-    <!-- Outlook Calendar -->
-    <Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" 
-aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
-        <PinToStart>
-            <Size>Large</Size>
-            <Location>
-                <LocationX>1</LocationX>
-                <LocationY>4</LocationY>
-            </Location>
-        </PinToStart>
-    </Application>
-    <!-- Outlook Mail-->
-    <Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" 
-aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail">
-        <PinToStart>
-            <Size>Large</Size>
-            <Location>
-                <LocationX>1</LocationX>
-                <LocationY>6</LocationY>
-            </Location>
-        </PinToStart>
-    </Application>
-</Apps>

Folder

A folder should be contained in <Applications/> node among with other <Application/> nodes, it shares most grammar with the Application Node, folderId is mandatory, folderName is optional, which is the folder name displayed on Start. folderId is a unique unsigned integer for each folder.

-

For example:

-
<Application folderId="4" folderName="foldername">
-    <PinToStart>
-        <Size>Large</Size>
-        <Location>
-            <LocationX>0</LocationX>
-            <LocationY>2</LocationY>
-        </Location>
-    </PinToStart>
-</Application>
-

An application that belongs in the folder would add an optional attribute ParentFolderId, which maps to folderId of the folder. In this case, the location of this application will be located inside the folder.

-
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
-    <PinToStart>
-        <Size>Medium</Size>
-        <Location>
-            <LocationX>0</LocationX>
-            <LocationY>0</LocationY>
-        </Location>
-        <ParentFolderId>2</ParentFolderId>
-    </PinToStart>
-</Application>

Settings

Settings pages

-

Starting in Windows 10, version 1511, you can specify the following settings pages in the lockdown XML file.

-
-Important  Do not specify a group entry without a page entry because it will cause an undefined behavior. -
-
-  -
  • System (main menu) - SettingsPageGroupPCSystem
      @@ -278,9 +243,14 @@ aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowsl
    • Extensibility - SettingsPageExtensibility
-

Quick action settings

-

Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page).

-

Note: Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. This statement does not apply to Windows 10, version 1703.

+ +**Quick action settings** + +Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page). + +> [!Note] +> Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. This statement does not apply to Windows 10, version 1703. +

  • SystemSettings_System_Display_QuickAction_Brightness

    Dependencies - SettingsPageSystemDisplay, SettingsPageDisplay

    • @@ -315,277 +285,265 @@ aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowsl

  • SystemSettings_QuickAction_Camera

    Dependencies - none

-

In this example, all settings pages and quick action settings are allowed. An empty <Settings> node indicates that none of the settings are blocked.

-
<Settings>
-</Settings>
-

In this example, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names.

-
<Settings> 
-  <System name="SettingsPageGroupPCSystem" /> 
-  <System name="SettingsPageDisplay" /> 
-  <System name="SettingsPageAppsNotifications" />
-  <System name="SettingsPageCalls" />
-  <System name="SettingsPageMessaging" /> 
-  <System name="SettingsPageBatterySaver" /> 
-  <System name="SettingsPageStorageSenseStorageOverview" />
-  <System name="SettingsPageGroupPCSystemDeviceEncryption" /> 
-  <System name="SettingsPageDrivingMode" /> 
-  <System name="SettingsPagePCSystemInfo" /> 
- </Settings>
-

To remove access to all of the settings in the system, the settings application would simply not be listed in the app list for a particular role.

Buttons

The following list identifies the hardware buttons on the device that you can lock down in ButtonLockdownList. When a user taps a button that is in the lockdown list, nothing will happen.

+ +In this example, all settings pages and quick action settings are allowed. An empty \ node indicates that none of the settings are blocked. + +``` syntax + + +``` + +In this example, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names. + +``` syntax + + + + + + + + + + + + +``` + +Entry | Description +----------- | ------------ +Buttons | The following list identifies the hardware buttons on the device that you can lock down in ButtonLockdownList. When a user taps a button that is in the lockdown list, nothing will happen. +

  • Start

    -
    -Note   -

    Lock down of the Start button only prevents the press and hold event.

    -
    -
    -  -

  • Back

  • Search

  • Camera

  • Custom1

  • Custom2

    • -

  • Custom3

    -
    -Note   -

    Custom buttons are hardware buttons that can be added to devices by OEMs.

    -
    -
    -  -
    • +

  • Custom3

-

Example:

-
<Buttons>
-   <ButtonLockdownList>
-      <!-- Lockdown all buttons -->
-         <Button name="Search">
-         </Button>
-         <Button name="Camera">
-         </Button>
-         <Button name="Custom1">
-         </Button>
-         <Button name="Custom2">
-         </Button>
-         <Button name="Custom3">
-         </Button>
-   </ButtonLockdownList>
-

The Search and custom buttons can be remapped or configured to open a specific application. Button remapping takes effect for the device and applies to all users.

-
-Note   -

The lockdown settings for a button, per user role, will apply regardless of the button mapping.

-
-
-  -
-
-Warning   -

Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role.

-
-
-  -
-

To remap a button in lockdown XML, you supply the button name, the button event (typically "press"), and the product ID for the application the button will open.

-

Example:

-
<ButtonRemapList>
-   <Button name="Search">
-      <ButtonEvent name="Press">
-         <!-- Alarms -->
-         <Application productId="{08179793-ED2E-45EA-BA12-BDE3EE9C3CE3}" parameters="" />
-          </ButtonEvent>
-   </Button>
-</ButtonRemapList>
-

Disabling navigation buttons

-

To disable navigation buttons (such as Home or Back) in lockdown XML, you supply the name (for example, Start) and button event (typically "press").

-

The following section contains a sample lockdown XML file that shows how to disable navigation buttons.

-

Example:

-
<?xml version="1.0" encoding="utf-8"?>
-<HandheldLockdown version="1.0" >
-    <Default>
-        <ActionCenter enabled="false" />
-        <Apps>
-            <!-- Settings -->
-            <Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
-                <PinToStart>
-                    <Size>Large</Size>
-                    <Location>
-                        <LocationX>0</LocationX>
-                        <LocationY>0</LocationY>
-                    </Location>
-                </PinToStart>
-            </Application>
 
-            <!-- Phone Apps -->
-            <Application productId="{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7}">
-                <PinToStart>
-                    <Size>Small</Size>
-                    <Location>
-                        <LocationX>2</LocationX>
-                        <LocationY>2</LocationY>
-                    </Location>
-                </PinToStart>
-            </Application>
-        </Apps>
-        <Buttons>
-            <ButtonLockdownList>
-                <Button name="Start">
-                    <ButtonEvent name="Press" />
-                </Button>
-                <Button name="Back">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Search">
-                    <ButtonEvent name="All" />
-                </Button>
-                <Button name="Camera">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Custom1">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Custom2">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Custom3">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-            </ButtonLockdownList>
-            <ButtonRemapList />
-        </Buttons>
-        <MenuItems>
-            <DisableMenuItems/>
-        </MenuItems>
-        <Settings>
-        </Settings>
-        <Tiles>
-            <EnableTileManipulation/>
-        </Tiles>
-        <StartScreenSize>Small</StartScreenSize>
-    </Default>
-</HandheldLockdown>

MenuItems

Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create.

-

Example:

-
<MenuItems>
-   <DisableMenuItems/>
-</MenuItems>
-
-Important   -

If DisableMenuItems is not included in a profile, users of that profile can uninstall apps.

-
-
-  -

Tiles

Turning-on tile manipulation

-

By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile.

-

If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.

-
-Important   -

If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile.

-
-
-  -
-

The following sample file contains configuration for enabling tile manipulation.

-
-Note   -

Tile manipulation is disabled when you don’t have a <Tiles> node in lockdown XML, or if you have a <Tiles> node but don’t have the <EnableTileManipulation/> node.

-
-
-  -
-

Example:

-
<?xml version="1.0" encoding="utf-8"?>
-<HandheldLockdown version="1.0" >
-    <Default>
-        <ActionCenter enabled="false" />
-        <Apps>
-            <!-- Settings -->
-            <Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
-                <PinToStart>
-                    <Size>Large</Size>
-                    <Location>
-                        <LocationX>0</LocationX>
-                        <LocationY>0</LocationY>
-                    </Location>
-                </PinToStart>
-            </Application>
+> [!Note]  
+> Lock down of the Start button only prevents the press and hold event.  
+>
+> Custom buttons are hardware buttons that can be added to devices by OEMs.
 
-            <!-- Phone Apps -->
-            <Application productId="{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7}">
-                <PinToStart>
-                    <Size>Small</Size>
-                    <Location>
-                        <LocationX>2</LocationX>
-                        <LocationY>2</LocationY>
-                    </Location>
-                </PinToStart>
-            </Application>
-        </Apps>
-        <Buttons>
-            <ButtonLockdownList>
-                <Button name="Start">
-                    <ButtonEvent name="Press" />
-                </Button>
-                <Button name="Back">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Search">
-                    <ButtonEvent name="All" />
-                </Button>
-                <Button name="Camera">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Custom1">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Custom2">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Custom3">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-            </ButtonLockdownList>
-            <ButtonRemapList />
-        </Buttons>
-        <MenuItems>
-            <DisableMenuItems/>
-        </MenuItems>
-        <Settings>
-        </Settings>
-        <Tiles>
-            <EnableTileManipulation/>
-        </Tiles>
-        <StartScreenSize>Small</StartScreenSize>
-    </Default>
-</HandheldLockdown>

CSP Runner

Allows CSPs to be executed on the device per user role. You can use this to implement role specific policies, such as changing the color scheme when an admin logs on the device, or to set configurations per role.

+Buttons example: +``` syntax + + + + + + + + + +``` +The Search and custom buttons can be remapped or configured to open a specific application. Button remapping takes effect for the device and applies to all users. +> [!Note] +> The lockdown settings for a button, per user role, will apply regardless of the button mapping. +> +> Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role. + +To remap a button in lockdown XML, you supply the button name, the button event (typically "press"), and the product ID for the application the button will open. + +``` syntax + + + +``` +**Disabling navigation buttons** +To disable navigation buttons (such as Home or Back) in lockdown XML, you supply the name (for example, Start) and button event (typically "press"). + +The following section contains a sample lockdown XML file that shows how to disable navigation buttons. + +``` syntax + + + + + + + + + Large + + 0 + 0 + + + + + + + + Small + + 2 + 2 + + + + + + + + + + + + + + + + + + + + + + + + + Small + + +``` + +Entry | Description +----------- | ------------ +MenuItems | Use **DisableMenuItems** to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create. + +> [!Important] +> If **DisableMenuItems** is not included in a profile, users of that profile can uninstall apps. + +MenuItems example: + +``` syntax + + + +``` + +Entry | Description +----------- | ------------ +Tiles | **Turning-on tile manipulation** - By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile. + +> [!Important] +> If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile. + +The following sample file contains configuration for enabling tile manipulation. + +> [!Note] +> Tile manipulation is disabled when you don’t have a `` node in lockdown XML, or if you have a `` node but don’t have the `` node. + +``` syntax + + + + + + + + + Large + + 0 + 0 + + + + + + + + Small + + 2 + 2 + + + + + + + + + + + + + + + + + + + + + + + + + Small + + +``` + +Entry | Description +----------- | ------------ +CSP Runner | Allows CSPs to be executed on the device per user role. You can use this to implement role specific policies, such as changing the color scheme when an admin logs on the device, or to set configurations per role.   **LockscreenWallpaper/** @@ -734,6 +692,8 @@ Not supported in Windows 10. Use doWipePersistProvisionedData in [RemoteWipe CS **Clock/TimeZone/** An integer that specifies the time zone of the device. The following table shows the possible values. +Supported operations are Get and Replace. + @@ -1161,9 +1121,6 @@ An integer that specifies the time zone of the device. The following table shows
-  - -Supported operations are Get and Replace. **Locale/Language/** The culture code that identifies the language to display on a device, and specifies the formatting of numbers, currencies, time, and dates. For language values, see [Locale IDs Assigned by Microsoft](http://go.microsoft.com/fwlink/p/?LinkID=189567). @@ -1172,8 +1129,6 @@ The language setting is configured in the Default User profile only. > **Note**  Apply the Locale ID only after the corresponding language packs are built into and supported for the OS image running on the device. The specified language will be applied as the phone language and a restart may be required. -  - Supported operations are Get and Replace. ## OMA client provisioning examples diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index de4d589baf..5b81c0026b 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -154,9 +154,6 @@ The following diagram shows the Policy configuration service provider in tree fo

Most restricted value is 0. - - - @@ -193,9 +190,6 @@ The following diagram shows the Policy configuration service provider in tree fo - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -234,9 +228,6 @@ The following diagram shows the Policy configuration service provider in tree fo

Most restricted value is 0. - - - @@ -278,9 +269,6 @@ The following diagram shows the Policy configuration service provider in tree fo > [!NOTE] > This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the [EMAIL2 CSP](email2-csp.md). - - - @@ -319,9 +307,6 @@ The following diagram shows the Policy configuration service provider in tree fo

Most restricted value is 0. - - - @@ -358,9 +343,6 @@ The following diagram shows the Policy configuration service provider in tree fo - 0 – Disabled. - 1 (default) – Manual start. - - - @@ -396,9 +378,6 @@ The following diagram shows the Policy configuration service provider in tree fo

The default value is an empty string, which allows all email accounts on the device to sync email. Otherwise, the string should contain a pipe-separated list of domains that are allowed to sync email on the device. For example, "contoso.com|fabrikam.net|woodgrove.gov". - - - @@ -413,9 +392,6 @@ If you disable or do not configure this policy setting, ActiveX controls prompt Note: Wild card characters cannot be used when specifying the host URLs. - - - ADMX Info: @@ -432,8 +408,6 @@ ADMX Info: This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect. - - ADMX Info: @@ -450,8 +424,6 @@ ADMX Info: Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls. - - ADMX Info: @@ -468,8 +440,6 @@ ADMX Info: Enables automatic cleanup of appv packages that were added after Windows10 anniversary release. - - ADMX Info: @@ -486,8 +456,6 @@ ADMX Info: Enables scripts defined in the package manifest of configuration files that should run. - - ADMX Info: @@ -504,8 +472,6 @@ ADMX Info: Enables a UX to display to the user when a publishing refresh is performed on the client. - - ADMX Info: @@ -532,9 +498,6 @@ Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections. - - - ADMX Info: @@ -551,8 +514,6 @@ ADMX Info: Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'. - - ADMX Info: @@ -569,8 +530,6 @@ ADMX Info: Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients. - - ADMX Info: @@ -587,8 +546,6 @@ ADMX Info: Specifies how new packages should be loaded automatically by App-V on a specific computer. - - ADMX Info: @@ -605,8 +562,6 @@ ADMX Info: Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V. - - ADMX Info: @@ -623,8 +578,6 @@ ADMX Info: Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration. - - ADMX Info: @@ -641,8 +594,6 @@ ADMX Info: Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration. - - ADMX Info: @@ -677,9 +628,6 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - ADMX Info: @@ -714,9 +662,6 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - ADMX Info: @@ -751,9 +696,6 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - ADMX Info: @@ -788,9 +730,6 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - ADMX Info: @@ -825,9 +764,6 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - ADMX Info: @@ -844,8 +780,6 @@ ADMX Info: Specifies the path to a valid certificate in the certificate store. - - ADMX Info: @@ -862,8 +796,6 @@ ADMX Info: This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G). - - ADMX Info: @@ -880,8 +812,6 @@ ADMX Info: Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. - - ADMX Info: @@ -898,8 +828,6 @@ ADMX Info: Specifies directory where all new applications and updates will be installed. - - ADMX Info: @@ -916,8 +844,6 @@ ADMX Info: Overrides source location for downloading package content. - - ADMX Info: @@ -934,8 +860,6 @@ ADMX Info: Specifies the number of seconds between attempts to reestablish a dropped session. - - ADMX Info: @@ -952,8 +876,6 @@ ADMX Info: Specifies the number of times to retry a dropped session. - - ADMX Info: @@ -970,8 +892,6 @@ ADMX Info: Specifies that streamed package contents will be not be saved to the local hard disk. - - ADMX Info: @@ -988,8 +908,6 @@ ADMX Info: If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache - - ADMX Info: @@ -1006,8 +924,6 @@ ADMX Info: Verifies Server certificate revocation status before streaming using HTTPS. - - ADMX Info: @@ -1024,8 +940,6 @@ ADMX Info: Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components. - - ADMX Info: @@ -1119,9 +1033,6 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z ``` - - - @@ -1161,9 +1072,6 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z

Most restricted value is 0. - - - @@ -1202,9 +1110,6 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z

Most restricted value is 0. - - - @@ -1244,9 +1149,6 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z

Most restricted value is 0. - - - @@ -1288,9 +1190,6 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z

Most restricted value is 0. - - - @@ -1329,9 +1228,6 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z

Most restricted value is 0. - - - @@ -1370,9 +1266,6 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z

Most restricted value is 0. - - - @@ -1426,9 +1319,6 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z

Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies. - - - @@ -1465,9 +1355,6 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z - 0 (default) – Enable launch of apps. - 1 – Disable launch of apps. - - - @@ -1515,9 +1402,6 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z

Most restricted value is 1. - - - @@ -1556,9 +1440,6 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z

Most restricted value is 1. - - - @@ -1597,9 +1478,6 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z

Most restricted value is 1. - - - @@ -1614,8 +1492,6 @@ If you disable this policy setting, Windows marks file attachments with their zo If you do not configure this policy setting, Windows marks file attachments with their zone information. - - ADMX Info: @@ -1638,8 +1514,6 @@ If you disable this policy setting, Windows shows the check box and Unblock butt If you do not configure this policy setting, Windows hides the check box and Unblock button. - - ADMX Info: @@ -1662,8 +1536,6 @@ If you disable this policy setting, Windows does not call the registered antivir If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. - - ADMX Info: @@ -1719,9 +1591,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -1760,9 +1629,6 @@ ADMX Info:

Most restricted value is 0. - - - @@ -1801,9 +1667,6 @@ ADMX Info:

The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD). - - - @@ -1816,8 +1679,6 @@ If you enable this policy setting, AutoPlay is not allowed for MTP devices like If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices. - - ADMX Info: @@ -1847,8 +1708,6 @@ b) Revert back to pre-Windows Vista behavior of automatically executing the auto If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run. - - ADMX Info: @@ -1879,8 +1738,6 @@ If you disable or do not configure this policy setting, AutoPlay is enabled. Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. - - ADMX Info: @@ -1927,9 +1784,6 @@ ADMX Info: - 6 -XTS 128 - 7 - XTS 256 - - - @@ -1970,9 +1824,6 @@ ADMX Info:

Most restricted value is 0. - - - @@ -2013,9 +1864,6 @@ ADMX Info:

Most restricted value is 0. - - - @@ -2052,9 +1900,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default)– Allowed. - - - @@ -2090,9 +1935,6 @@ ADMX Info:

If this policy is not set or it is deleted, the default local radio name is used. - - - @@ -2126,9 +1968,6 @@ ADMX Info:

The default value is an empty string. - - - @@ -2147,9 +1986,6 @@ ADMX Info:

Most restricted value is 0. - - - @@ -2195,9 +2031,6 @@ ADMX Info: 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the setting **Save form entries** is greyed out. - - - @@ -2242,9 +2075,6 @@ ADMX Info:

When this policy is set to 0 (not allowed), the Microsoft Edge for Windows 10 Mobile tile will appear greyed out, and clicking on the tile will display a message indicating theat Internet browsing has been disabled by your administrator. - - - @@ -2290,9 +2120,6 @@ ADMX Info: 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the setting **Cookies** is greyed out. - - - @@ -2335,9 +2162,6 @@ ADMX Info:

Most restricted value is 0. - - - @@ -2383,9 +2207,6 @@ ADMX Info: 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the setting **Send Do Not Track requests** is greyed out. - - - @@ -2422,9 +2243,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -2461,9 +2279,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -2500,9 +2315,6 @@ ADMX Info: - 0 – Adobe Flash content is automatically loaded and run by Microsoft Edge. - 1 (default) – Users must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. - - - @@ -2541,9 +2353,6 @@ ADMX Info:

Most restricted value is 0. - - - @@ -2562,9 +2371,6 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis

Most restricted value is 0. - - - @@ -2610,9 +2416,6 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out. - - - @@ -2658,9 +2461,6 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the setting **Block pop-ups** is greyed out. - - - @@ -2678,9 +2478,6 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis

Most restricted value is 0. - - - @@ -2719,9 +2516,6 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis

Most restricted value is 0. - - - @@ -2767,9 +2561,6 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out. - - - @@ -2791,9 +2582,6 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis 2. Close the Microsoft Edge window. 3. Open Microsoft Edge and start typing the same URL in address bar. Verify that it does not auto-complete from history. - - - @@ -2817,9 +2605,6 @@ Employees cannot remove these search engines, but they can set any one as the de

Most restricted value is 0. - - - @@ -2841,9 +2626,6 @@ Employees cannot remove these search engines, but they can set any one as the de

Most restricted value is 0. - - - @@ -2884,9 +2666,6 @@ Employees cannot remove these search engines, but they can set any one as the de - Not configured. The device checks for updates from Microsoft Update. - Set to a URL location of the enterprise site list. - - - @@ -2919,9 +2698,6 @@ Employees cannot remove these search engines, but they can set any one as the de > [!IMPORTANT] > This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist). - - - @@ -2961,9 +2737,6 @@ Employees cannot remove these search engines, but they can set any one as the de

The default value is an empty string. Otherwise, the string should contain the URL of the webpage users will see the first time Microsoft Edge is run. For example, “contoso.com”. - - - @@ -3005,10 +2778,6 @@ Employees cannot remove these search engines, but they can set any one as the de > [!NOTE] > Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings. - - - - @@ -3045,9 +2814,6 @@ Employees cannot remove these search engines, but they can set any one as the de - 0 (default) – Users can access the about:flags page in Microsoft Edge. - 1 – Users can't access the about:flags page in Microsoft Edge. - - - @@ -3063,9 +2829,6 @@ Employees cannot remove these search engines, but they can set any one as the de

Most restricted value is 1. - - - @@ -3081,9 +2844,6 @@ Employees cannot remove these search engines, but they can set any one as the de

Most restricted value is 1. - - - @@ -3122,9 +2882,6 @@ Employees cannot remove these search engines, but they can set any one as the de

Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site. - - - @@ -3161,9 +2918,6 @@ Employees cannot remove these search engines, but they can set any one as the de - 0 (default) – Off. - 1 – On. - - - @@ -3204,9 +2958,6 @@ Employees cannot remove these search engines, but they can set any one as the de - 0 (default) – The localhost IP address is shown. - 1 – The localhost IP address is hidden. - - - @@ -3249,9 +3000,6 @@ Employees cannot remove these search engines, but they can set any one as the de

Most restricted value is 0. - - - @@ -3274,9 +3022,6 @@ Employees cannot remove these search engines, but they can set any one as the de

Most restricted value is 0. - - - @@ -3319,9 +3064,6 @@ Employees cannot remove these search engines, but they can set any one as the de

Most restricted value is 0. - - - @@ -3371,9 +3113,6 @@ Employees cannot remove these search engines, but they can set any one as the de

  • Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge. - - - @@ -3412,9 +3151,6 @@ Employees cannot remove these search engines, but they can set any one as the de

    Most restricted value is 0. - - - @@ -3460,9 +3196,6 @@ Employees cannot remove these search engines, but they can set any one as the de

    Most restricted value is 0. - - - @@ -3500,9 +3233,6 @@ Employees cannot remove these search engines, but they can set any one as the de - 1 (default) – Allow the cellular data channel. The user can turn it off. - 2 - Allow the cellular data channel. The user cannot turn it off. - - - @@ -3550,9 +3280,6 @@ Employees cannot remove these search engines, but they can set any one as the de 2. Click on the SIM (next to the signal strength icon) and select **Properties**. 3. On the Properties page, select **Data roaming options**. - - - @@ -3592,9 +3319,6 @@ Employees cannot remove these search engines, but they can set any one as the de - 1 (default) - Allow (CDP service available). - 0 - Disable (CDP service not available). - - - @@ -3637,9 +3361,6 @@ Employees cannot remove these search engines, but they can set any one as the de

    Most restricted value is 0. - - - @@ -3684,9 +3405,6 @@ Employees cannot remove these search engines, but they can set any one as the de

    Most restricted value is 0. - - - @@ -3725,9 +3443,6 @@ Employees cannot remove these search engines, but they can set any one as the de

    Most restricted value is 0. - - - @@ -3766,9 +3481,6 @@ Employees cannot remove these search engines, but they can set any one as the de

    Most restricted value is 0. - - - @@ -3779,9 +3491,6 @@ This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. - - - ADMX Info: @@ -3806,8 +3515,6 @@ Note: The user's domain password will be cached in the system vault when using t To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business. - - ADMX Info: @@ -3830,8 +3537,6 @@ If you disable or don't configure this policy setting, a domain user can set up Note that the user's domain password will be cached in the system vault when using this feature. - - ADMX Info: @@ -3856,8 +3561,6 @@ By default, the password reveal button is displayed after a user types a passwor The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer. - - ADMX Info: @@ -3878,8 +3581,6 @@ If you enable this policy setting, all local administrator accounts on the PC wi If you disable this policy setting, users will always be required to type a user name and password to elevate. - - ADMX Info: @@ -3924,9 +3625,6 @@ ADMX Info: - 0 (default) – Not allowed. - 1– Allowed. - - - @@ -3958,9 +3656,6 @@ ADMX Info:

    Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. - - - @@ -3999,9 +3694,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -4040,10 +3732,6 @@ ADMX Info: > [!NOTE] > This policy is not recommended for use in Windows 10. - - - - @@ -4062,9 +3750,6 @@ If this policy setting is enabled, a drop-down list box presenting possible cost If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. - - - ADMX Info: @@ -4091,9 +3776,6 @@ If this policy setting is enabled, a drop-down list box presenting possible cost If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. - - - ADMX Info: @@ -4142,9 +3824,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -4185,9 +3864,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -4228,9 +3904,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -4271,9 +3944,6 @@ ADMX Info: - 0 (default) – Not allowed. - 1 – Allowed. - - - @@ -4314,9 +3984,6 @@ ADMX Info: - 0 (default) – Not allowed. - 1 – Allowed. - - - @@ -4357,9 +4024,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -4400,9 +4064,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -4443,9 +4104,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -4486,9 +4144,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -4529,9 +4184,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -4572,9 +4224,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -4615,9 +4264,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -4658,9 +4304,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -4700,9 +4343,6 @@ ADMX Info:

    The default value is 50. - - - @@ -4742,9 +4382,6 @@ ADMX Info:

    The default value is 0, which keeps items in quarantine, and does not automatically remove them. - - - @@ -4780,9 +4417,6 @@ ADMX Info:  

    llows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj". - - - @@ -4818,9 +4452,6 @@ ADMX Info:

    Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1". - - - @@ -4862,9 +4493,6 @@ ADMX Info:  

    Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe". - - - @@ -4906,9 +4534,6 @@ ADMX Info: - 1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats. - 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer. - - - @@ -4954,9 +4579,6 @@ ADMX Info: - 1 – Monitor incoming files. - 2 – Monitor outgoing files. - - - @@ -4997,9 +4619,6 @@ ADMX Info: - 1 (default) – Quick scan - 2 – Full scan - - - @@ -5045,9 +4664,6 @@ ADMX Info:

    The default value is 120 - - - @@ -5099,9 +4715,6 @@ ADMX Info: - 7 – Sunday - 8 – No scheduled scan - - - @@ -5147,9 +4760,6 @@ ADMX Info:

    The default value is 120. - - - @@ -5191,9 +4801,6 @@ ADMX Info:

    The default value is 8. - - - @@ -5236,9 +4843,6 @@ ADMX Info: - 2 – Never send. - 3 – Send all samples automatically. - - - @@ -5292,9 +4896,6 @@ ADMX Info: - 8 – User defined - 10 – Block - - - @@ -5332,9 +4933,6 @@ ADMX Info:

    The default value is 10. - - - @@ -5372,9 +4970,6 @@ ADMX Info:

    The default value is 0 (FALSE). - - - @@ -5419,9 +5014,6 @@ ADMX Info: - 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. - 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. - - - @@ -5460,10 +5052,6 @@ ADMX Info: > [!NOTE] > You must use a GUID as the group ID. - - - - @@ -5501,9 +5089,6 @@ ADMX Info:

    The default value is 259200 seconds (3 days). - - - @@ -5541,9 +5126,6 @@ ADMX Info:

    The default value is 20. - - - @@ -5581,9 +5163,6 @@ ADMX Info:

    The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. - - - @@ -5621,9 +5200,6 @@ ADMX Info:

    The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth). - - - @@ -5661,9 +5237,6 @@ ADMX Info:

    The default value is 500. - - - @@ -5700,9 +5273,6 @@ ADMX Info:

    The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used. - - - @@ -5743,10 +5313,6 @@ ADMX Info:

    The default value is 32 GB. - - - - @@ -5784,10 +5350,6 @@ ADMX Info:

    The default value is 100 MB. - - - - @@ -5825,9 +5387,6 @@ ADMX Info:

    The default value is 4 GB. - - - @@ -5865,9 +5424,6 @@ ADMX Info:

    By default, %SystemDrive% is used to store the cache. - - - @@ -5907,9 +5463,6 @@ ADMX Info:

    The default value is 20. - - - @@ -5947,9 +5500,6 @@ ADMX Info:

    The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. - - - @@ -5962,8 +5512,6 @@ By default, a user can change the location of their individual profile folders l If you enable this setting, users are unable to type a new location in the Target box. - - ADMX Info: @@ -5984,8 +5532,6 @@ If you enable this policy setting, Windows is prevented from installing a device If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. - - ADMX Info: @@ -6006,8 +5552,6 @@ If you enable this policy setting, Windows is prevented from installing or updat If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. - - ADMX Info: @@ -6060,9 +5604,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -6110,10 +5651,6 @@ ADMX Info: > [!IMPORTANT] > If this policy is set to 1 (Allowed), the value set by **DeviceLock/ScreenTimeOutWhileLocked** is ignored. To ensure enterprise control over the screen timeout, set this policy to 0 (Not allowed) and use **DeviceLock/ScreenTimeOutWhileLocked** to set the screen timeout period. - - - - @@ -6156,9 +5693,6 @@ ADMX Info:

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - @@ -6209,8 +5743,6 @@ ADMX Info:   - - @@ -6287,9 +5819,6 @@ ADMX Info: > - MaxDevicePasswordFailedAttempts > - MaxInactivityTimeDeviceLock - - - @@ -6334,9 +5863,6 @@ ADMX Info:

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - @@ -6383,9 +5909,6 @@ ADMX Info:

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - @@ -6423,9 +5946,6 @@ ADMX Info:

    Value type is a string, which is the full image filepath and filename. - - - @@ -6463,9 +5983,6 @@ ADMX Info:

    Value type is a string, which is the AppID. - - - @@ -6517,9 +6034,6 @@ The number of authentication failures allowed before the device will be wiped. A

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - @@ -6562,9 +6076,6 @@ The number of authentication failures allowed before the device will be wiped. A

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - @@ -6605,9 +6116,6 @@ The number of authentication failures allowed before the device will be wiped. A - An integer X where 0 <= X <= 999. - 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined." - - - @@ -6710,9 +6218,6 @@ The number of authentication failures allowed before the device will be wiped. A

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). - - - @@ -6760,9 +6265,6 @@ The number of authentication failures allowed before the device will be wiped. A

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). - - - @@ -6775,8 +6277,6 @@ By default, users can enable a slide show that will run after they lock the mach If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start. - - ADMX Info: @@ -6827,9 +6327,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -6874,9 +6371,6 @@ ADMX Info: 1. Configure the setting for an app which has GDI DPI scaling enabled via MDM or any other supported mechanisms. 2. Run the app and observe blurry text. - - - @@ -6921,9 +6415,6 @@ ADMX Info: 1. Configure the setting for an app which uses GDI. 2. Run the app and observe crisp text. - - - @@ -6959,9 +6450,6 @@ ADMX Info:

    The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://azuretenant.contoso.com/adfs". - - - @@ -6997,9 +6485,6 @@ ADMX Info:

    The default value is an empty string. Otherwise, the value should contain a GUID. For example, "E1CF1107-FF90-4228-93BF-26052DD2C714". - - - @@ -7035,9 +6520,6 @@ ADMX Info:

    The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MicrosoftEnterpriseCloudPrint/CloudPrint". - - - @@ -7073,9 +6555,6 @@ ADMX Info:

    The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://cloudprinterdiscovery.contoso.com". - - - @@ -7111,9 +6590,6 @@ ADMX Info:

    For Windows Mobile, the default value is 20. - - - @@ -7149,9 +6625,6 @@ ADMX Info:

    The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MopriaDiscoveryService/CloudPrint". - - - @@ -7174,8 +6647,6 @@ If you enable this policy setting, you can add specific event types to a list by If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. - - ADMX Info: @@ -7196,8 +6667,6 @@ If you enable this policy setting, Windows Error Reporting does not send any pro If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. - - ADMX Info: @@ -7222,8 +6691,6 @@ If you do not configure this policy setting, users can change this setting in Co See also the Configure Error Reporting policy setting. - - ADMX Info: @@ -7244,8 +6711,6 @@ If you enable this policy setting, any additional data requests from Microsoft i If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. - - ADMX Info: @@ -7266,8 +6731,6 @@ If you enable this policy setting, Windows Error Reporting does not display any If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors. - - ADMX Info: @@ -7290,8 +6753,6 @@ If you disable or do not configure this policy setting and a log file reaches it Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. - - ADMX Info: @@ -7312,8 +6773,6 @@ If you enable this policy setting, you can configure the maximum log file size t If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. - - ADMX Info: @@ -7334,8 +6793,6 @@ If you enable this policy setting, you can configure the maximum log file size t If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. - - ADMX Info: @@ -7356,8 +6813,6 @@ If you enable this policy setting, you can configure the maximum log file size t If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. - - ADMX Info: @@ -7407,9 +6862,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -7456,9 +6908,6 @@ ADMX Info:

    An enterprise employee customer is going through OOBE and enjoys Cortana’s help in this process. The customer is happy to learn during OOBE that Cortana can help them be more productive, and chooses to set up Cortana before OOBE finishes. When their setup is finished, they are immediately ready to engage with Cortana to help manage their schedule and more. - - - @@ -7499,9 +6948,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -7544,9 +6990,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -7587,9 +7030,6 @@ ADMX Info: - 0 – SIM card dialog prompt is not displayed. - 1 (default) – SIM card dialog prompt is displayed. - - - @@ -7632,9 +7072,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -7671,9 +7108,6 @@ ADMX Info: - 0 – Sync settings is not allowed. - 1 (default) – Sync settings allowed. - - - @@ -7696,9 +7130,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -7739,9 +7170,6 @@ ADMX Info: - 0 – Task switching not allowed. - 1 (default) – Task switching allowed. - - - @@ -7782,9 +7210,6 @@ ADMX Info: - 0 – Third-party suggestions not allowed. - 1 (default) – Third-party suggestions allowed. - - - @@ -7827,9 +7252,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -7879,9 +7301,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -7924,9 +7343,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -7945,9 +7361,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -7967,9 +7380,6 @@ The Windows welcome experience feature introduces onboard users to Windows; for

    Most restricted value is 0. - - - @@ -8006,9 +7416,6 @@ Enables or disables Windows Tips / soft landing. - 0 – Disabled. - 1 (default) – Enabled. - - - @@ -8050,9 +7457,6 @@ Enables or disables Windows Tips / soft landing. - 1 (default) – Windows spotlight enabled. - 2 – placeholder only for future extension. Using this value has no effect. - - - @@ -8093,9 +7497,6 @@ Enables or disables Windows Tips / soft landing. - 0 (default) – Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally. - 1 – Feedback notifications are disabled. - - - @@ -8104,9 +7505,6 @@ Enables or disables Windows Tips / soft landing.

    Placeholder only. Currently not supported. - - - @@ -8119,8 +7517,6 @@ If you enable this policy setting, the user can add and remove search providers, If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration. - - ADMX Info: @@ -8141,8 +7537,6 @@ If you enable this policy setting, ActiveX Filtering is enabled by default for t If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off. - - ADMX Info: @@ -8169,8 +7563,6 @@ Value - A number indicating whether Internet Explorer should deny or allow the a If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied. - - ADMX Info: @@ -8193,8 +7585,6 @@ If you disable this policy setting, Enhanced Protected Mode will be turned off. If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog. - - ADMX Info: @@ -8215,8 +7605,6 @@ If you turn this setting on, users can see and use the Enterprise Mode option fr If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode. - - ADMX Info: @@ -8237,8 +7625,6 @@ If you enable this policy setting, Internet Explorer downloads the website list If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode. - - ADMX Info: @@ -8259,8 +7645,6 @@ If you enable this policy setting, the user can add and remove sites from the li If you disable or do not configure this policy setting, the user can add and remove sites from the list. - - ADMX Info: @@ -8282,8 +7666,6 @@ If you disable this policy setting, Internet Explorer uses an Internet Explorer If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer. - - ADMX Info: @@ -8310,8 +7692,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -8338,8 +7718,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -8366,8 +7744,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -8394,8 +7770,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -8422,8 +7796,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -8450,8 +7822,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -8478,8 +7848,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -8500,8 +7868,6 @@ If you enable this policy setting, Internet Explorer goes directly to an intrane If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar. - - ADMX Info: @@ -8528,8 +7894,6 @@ Value - A number indicating the zone with which this site should be associated f If you disable or do not configure this policy, users may choose their own site-to-zone assignments. - - ADMX Info: @@ -8552,8 +7916,6 @@ If you disable this policy setting, the entry points and functionality associate If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature. - - ADMX Info: @@ -8580,8 +7942,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -8608,8 +7968,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -8635,8 +7993,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -8659,8 +8015,6 @@ If you disable, or do not configure this policy setting, Flash is turned on for Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library. - - ADMX Info: @@ -8681,8 +8035,6 @@ If you enable this policy setting, SmartScreen Filter warnings block the user. If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. - - ADMX Info: @@ -8703,8 +8055,6 @@ If you enable this policy setting, SmartScreen Filter warnings block the user. If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. - - ADMX Info: @@ -8727,8 +8077,6 @@ If you disable this policy setting, the user must participate in the CEIP, and t If you do not configure this policy setting, the user can choose to participate in the CEIP. - - ADMX Info: @@ -8749,8 +8097,6 @@ If you enable this policy setting, the user cannot set the Feed Sync Engine to d If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. - - ADMX Info: @@ -8773,8 +8119,6 @@ If you disable or do not configure this policy setting, the user can select whic Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. - - ADMX Info: @@ -8799,8 +8143,6 @@ Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not avail If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation. - - ADMX Info: @@ -8825,8 +8167,6 @@ If you disable this policy setting, flip ahead with page prediction is turned on If you don't configure this setting, users can turn this behavior on or off, using the Settings charm. - - ADMX Info: @@ -8847,8 +8187,6 @@ If you enable this policy setting, a user cannot set a custom default home page. If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. - - ADMX Info: @@ -8869,8 +8207,6 @@ If you enable this policy setting, the user will not be able to configure proxy If you disable or do not configure this policy setting, the user can configure proxy settings. - - ADMX Info: @@ -8891,8 +8227,6 @@ If you enable this policy setting, the user cannot change the default search pro If you disable or do not configure this policy setting, the user can change the default search provider. - - ADMX Info: @@ -8915,8 +8249,6 @@ If you disable or do not configure this policy setting, the user can add seconda Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages. - - ADMX Info: @@ -8939,8 +8271,6 @@ If you disable this policy or do not configure it, Internet Explorer checks ever This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser. - - ADMX Info: @@ -8967,8 +8297,6 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Ad Also, see the "Security zones: Use only machine settings" policy. - - ADMX Info: @@ -8995,8 +8323,6 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Adm Also, see the "Security zones: Use only machine settings" policy. - - ADMX Info: @@ -9019,8 +8345,6 @@ If you disable or don't configure this policy setting, Internet Explorer continu For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. - - ADMX Info: @@ -9047,8 +8371,6 @@ If you disable or don't configure this policy setting, the list is deleted and I For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. - - ADMX Info: @@ -9071,8 +8393,6 @@ If you disable this policy setting, local sites which are not explicitly mapped If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone. - - ADMX Info: @@ -9095,8 +8415,6 @@ If you disable this policy setting, network paths are not necessarily mapped int If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone. - - ADMX Info: @@ -9119,8 +8437,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -9143,8 +8459,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -9165,8 +8479,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -9189,8 +8501,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -9213,8 +8523,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. - - ADMX Info: @@ -9237,8 +8545,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. - - ADMX Info: @@ -9261,8 +8567,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -9287,8 +8591,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -9311,8 +8613,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -9337,8 +8637,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -9361,8 +8659,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -9385,8 +8681,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -9409,8 +8703,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - - ADMX Info: @@ -9431,8 +8723,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. - - ADMX Info: @@ -9455,8 +8745,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -9479,8 +8767,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. - - ADMX Info: @@ -9503,8 +8789,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. - - ADMX Info: @@ -9527,8 +8811,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -9553,8 +8835,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -9577,8 +8857,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -9603,8 +8881,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -9627,8 +8903,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -9651,8 +8925,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -9675,8 +8947,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - - ADMX Info: @@ -9697,8 +8967,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. - - ADMX Info: @@ -9721,8 +8989,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -9745,8 +9011,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -9769,8 +9033,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -9793,8 +9055,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -9819,8 +9079,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -9843,8 +9101,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -9869,8 +9125,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. - - ADMX Info: @@ -9893,8 +9147,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -9917,8 +9169,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -9941,8 +9191,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -9963,8 +9211,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -9987,8 +9233,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -10011,8 +9255,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -10035,8 +9277,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -10059,8 +9299,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -10085,8 +9323,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -10109,8 +9345,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -10135,8 +9369,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -10159,8 +9391,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -10183,8 +9413,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -10207,8 +9435,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -10229,8 +9455,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -10253,8 +9477,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -10277,8 +9499,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -10301,8 +9521,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -10325,8 +9543,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -10351,8 +9567,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -10375,8 +9589,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -10401,8 +9613,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -10425,8 +9635,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -10449,8 +9657,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -10473,8 +9679,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -10495,8 +9699,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -10519,8 +9721,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -10543,8 +9743,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -10567,8 +9765,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -10591,8 +9787,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -10617,8 +9811,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -10641,8 +9833,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -10667,8 +9857,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -10691,8 +9879,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -10715,8 +9901,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -10739,8 +9923,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -10761,8 +9943,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -10785,8 +9965,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. - - ADMX Info: @@ -10809,8 +9987,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -10833,8 +10009,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -10857,8 +10031,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -10883,8 +10055,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -10907,8 +10077,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -10933,8 +10101,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -10957,8 +10123,6 @@ If you disable this policy setting, users cannot open other windows and frames f If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. - - ADMX Info: @@ -10981,8 +10145,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -11005,8 +10167,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -11027,8 +10187,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -11051,8 +10209,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -11075,8 +10231,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -11099,8 +10253,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -11123,8 +10275,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -11149,8 +10299,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -11173,8 +10321,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -11199,8 +10345,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -11223,8 +10367,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -11247,8 +10389,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -11271,8 +10411,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -11293,8 +10431,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -11317,8 +10453,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. - - ADMX Info: @@ -11341,8 +10475,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -11365,8 +10497,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -11389,8 +10519,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -11415,8 +10543,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -11439,8 +10565,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -11465,8 +10589,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -11489,8 +10611,6 @@ If you disable this policy setting, users cannot open other windows and frames f If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. - - ADMX Info: @@ -11511,8 +10631,6 @@ If you enable this policy setting, the user cannot configure the list of search If you disable or do not configure this policy setting, the user can configure his or her list of search providers. - - ADMX Info: @@ -11535,8 +10653,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -11559,8 +10675,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - - ADMX Info: @@ -11581,8 +10695,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. - - ADMX Info: @@ -11605,8 +10717,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -11629,8 +10739,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur. - - ADMX Info: @@ -11653,8 +10761,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. - - ADMX Info: @@ -11677,8 +10783,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -11703,8 +10807,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -11727,8 +10829,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -11753,8 +10853,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. - - ADMX Info: @@ -11777,8 +10875,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -11799,8 +10895,6 @@ If you enable this policy setting, the Kerberos client searches the forests in t If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. - - ADMX Info: @@ -11819,9 +10913,6 @@ If you enable this policy setting, the client computers will request claims, pro If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. - - - ADMX Info: @@ -11846,9 +10937,6 @@ Note: The Kerberos Group Policy "Kerberos client support for claims, compound au If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. - - - ADMX Info: @@ -11869,9 +10957,6 @@ If you enable this policy setting, the Kerberos client requires that the KDC's X If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. - - - ADMX Info: @@ -11896,10 +10981,6 @@ If you disable or do not configure this policy setting, the Kerberos client or s Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. - - - - ADMX Info: @@ -11944,9 +11025,6 @@ ADMX Info: - 0 – Disable Windows license reactivation on managed devices. - 1 (default) – Enable Windows license reactivation on managed devices. - - - @@ -11983,9 +11061,6 @@ ADMX Info: - 0 (default) – Disabled. - 1 – Enabled. - - - @@ -12030,9 +11105,6 @@ ADMX Info: 1. Verify that Settings -> Privacy -> Location -> Location for this device is On/Off as expected. 2. Use Windows Maps Application (or similar) to see if a location can or cannot be obtained. - - - @@ -12071,9 +11143,6 @@ ADMX Info:

    The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled. - - - @@ -12113,9 +11182,6 @@ ADMX Info:

    After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. - - - @@ -12155,9 +11221,6 @@ ADMX Info:

    After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. - - - @@ -12174,9 +11237,6 @@ ADMX Info: - 0 - Disabled. - 1 (default) - Enabled. - - - @@ -12213,9 +11273,6 @@ ADMX Info: - 0 - message sync is not allowed and cannot be changed by the user. - 1 - message sync is allowed. The user can change this setting. - - - @@ -12232,9 +11289,6 @@ ADMX Info: - 0 - Disabled. - 1 (default) - Enabled. - - - @@ -12266,9 +11320,6 @@ ADMX Info:

    Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**. - - - @@ -12309,9 +11360,6 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ``` - - - @@ -12343,9 +11391,6 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

    Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets. - - - @@ -12377,9 +11422,6 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

    This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies. - - - @@ -12421,9 +11463,6 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. 3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0). - - - @@ -12455,9 +11494,6 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

    This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". - - - @@ -12489,9 +11525,6 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

    Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies. - - - @@ -12523,9 +11556,6 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

    List of domain names that can used for work or personal resource. - - - @@ -12566,9 +11596,6 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff - 0 (default)– enable notification mirroring. - 1 – disable notification mirroring. - - - @@ -12581,8 +11608,6 @@ If you enable or do not configure this policy setting, Windows uses standby stat If you disable this policy setting, standby states (S1-S3) are not allowed. - - ADMX Info: @@ -12603,8 +11628,6 @@ If you enable or do not configure this policy setting, the user is prompted for If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. - - ADMX Info: @@ -12625,8 +11648,6 @@ If you enable or do not configure this policy setting, the user is prompted for If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. - - ADMX Info: @@ -12660,8 +11681,6 @@ If you disable this policy setting: -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). - - ADMX Info: @@ -12695,8 +11714,6 @@ If you disable this policy setting: -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). - - ADMX Info: @@ -12718,8 +11735,6 @@ If you disable this setting, this computer's shared printers cannot be published Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory". - - ADMX Info: @@ -12766,9 +11781,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -12808,8 +11820,6 @@ ADMX Info:

    Most restricted value is 0.   - - @@ -12849,9 +11859,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -12891,9 +11898,6 @@ ADMX Info:

    Most restricted value is 2. - - - @@ -12925,9 +11929,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - @@ -12959,9 +11960,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - @@ -12993,9 +11991,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - @@ -13035,9 +12030,6 @@ ADMX Info:

    Most restricted value is 2. - - - @@ -13069,9 +12061,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - @@ -13103,9 +12092,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - @@ -13137,9 +12123,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - @@ -13179,9 +12162,6 @@ ADMX Info:

    Most restricted value is 2. - - - @@ -13213,9 +12193,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - @@ -13247,9 +12224,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - @@ -13281,9 +12255,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - @@ -13323,9 +12294,6 @@ ADMX Info:

    Most restricted value is 2. - - - @@ -13357,9 +12325,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - @@ -13391,9 +12356,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - @@ -13425,9 +12387,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - @@ -13467,9 +12426,6 @@ ADMX Info:

    Most restricted value is 2. - - - @@ -13501,9 +12457,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - @@ -13535,9 +12488,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - @@ -13569,9 +12519,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - @@ -13611,9 +12558,6 @@ ADMX Info:

    Most restricted value is 2. - - - @@ -13645,9 +12589,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - @@ -13679,9 +12620,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - @@ -13713,9 +12651,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - @@ -13755,9 +12690,6 @@ ADMX Info:

    Most restricted value is 2. - - - @@ -13789,9 +12721,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - @@ -13823,9 +12752,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - @@ -13857,9 +12783,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - @@ -13899,9 +12822,6 @@ ADMX Info:

    Most restricted value is 2. - - - @@ -13933,9 +12853,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - @@ -13967,9 +12884,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - @@ -14001,9 +12915,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - @@ -14043,9 +12954,6 @@ ADMX Info:

    Most restricted value is 2. - - - @@ -14077,9 +12985,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - @@ -14111,9 +13016,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - @@ -14145,9 +13047,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - @@ -14187,9 +13086,6 @@ ADMX Info:

    Most restricted value is 2. - - - @@ -14221,9 +13117,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - @@ -14255,9 +13148,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - @@ -14289,9 +13179,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - @@ -14331,9 +13218,6 @@ ADMX Info:

    Most restricted value is 2. - - - @@ -14365,9 +13249,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - @@ -14399,9 +13280,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - @@ -14433,9 +13311,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - @@ -14475,9 +13350,6 @@ ADMX Info:

    Most restricted value is 2. - - - @@ -14509,9 +13381,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - @@ -14543,9 +13412,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - @@ -14577,9 +13443,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - @@ -14619,9 +13482,6 @@ ADMX Info:

    Most restricted value is 2. - - - @@ -14653,9 +13513,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - @@ -14687,9 +13544,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - @@ -14721,9 +13575,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - @@ -14755,9 +13606,6 @@ ADMX Info:

    Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. - - - @@ -14789,9 +13637,6 @@ ADMX Info:

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - @@ -14823,9 +13668,6 @@ ADMX Info:

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - @@ -14857,9 +13699,6 @@ ADMX Info:

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - @@ -14899,9 +13738,6 @@ ADMX Info:

    Most restricted value is 2. - - - @@ -14933,9 +13769,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - @@ -14967,9 +13800,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - @@ -15001,9 +13831,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - @@ -15043,9 +13870,6 @@ ADMX Info:

    Most restricted value is 2. - - - @@ -15077,9 +13901,6 @@ ADMX Info:

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - @@ -15111,9 +13932,6 @@ ADMX Info:

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - @@ -15145,9 +13963,6 @@ ADMX Info:

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - @@ -15189,9 +14004,6 @@ ADMX Info: > [!WARNING] > Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly. - - - @@ -15223,9 +14035,6 @@ ADMX Info:

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - @@ -15257,9 +14066,6 @@ ADMX Info:

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - @@ -15291,9 +14097,6 @@ ADMX Info:

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - @@ -15333,9 +14136,6 @@ ADMX Info:

    Most restricted value is 2. - - - @@ -15367,9 +14167,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - @@ -15401,9 +14198,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - @@ -15435,9 +14229,6 @@ ADMX Info:

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - @@ -15456,8 +14247,6 @@ If you disable this policy setting, the user sees the default warning message. If you do not configure this policy setting, the user sees the default warning message. - - ADMX Info: @@ -15480,8 +14269,6 @@ If you disable this policy setting, log files are not generated. If you do not configure this setting, application-based settings are used. - - ADMX Info: @@ -15512,8 +14299,6 @@ The "Select the method for sending email invitations" setting specifies which em If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications. - - ADMX Info: @@ -15567,8 +14352,6 @@ Port 135:TCP %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe Allow Remote Desktop Exception - - ADMX Info: @@ -15594,9 +14377,6 @@ Note: You can limit which clients are able to connect remotely by using Remote D You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. - - - ADMX Info: @@ -15627,9 +14407,6 @@ Important FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. - - - ADMX Info: @@ -15654,9 +14431,6 @@ If you disable this policy setting, client drive redirection is always allowed. If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. - - - ADMX Info: @@ -15677,8 +14451,6 @@ If you enable this setting the password saving checkbox in Remote Desktop Connec If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection. - - ADMX Info: @@ -15705,9 +14477,6 @@ If you disable this policy setting, users can always log on to Remote Desktop Se If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. - - - ADMX Info: @@ -15734,8 +14503,6 @@ If the status is set to Not Configured, unsecured communication is allowed. Note: The RPC interface is used for administering and configuring Remote Desktop Services. - - ADMX Info: @@ -15760,8 +14527,6 @@ If you do not configure this policy setting, it remains disabled. RPC clients w Note: This policy will not be applied until the system is rebooted. - - ADMX Info: @@ -15794,8 +14559,6 @@ If you enable this policy setting, it directs the RPC server runtime to restrict Note: This policy setting will not be applied until the system is rebooted. - - ADMX Info: @@ -15846,9 +14609,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -15887,9 +14647,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -15928,9 +14685,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -15969,9 +14723,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -16008,9 +14759,6 @@ ADMX Info: - 0 (default) – Disable. - 1 – Enable. - - - @@ -16051,9 +14799,6 @@ ADMX Info: - 0 (default) – Disable. - 1 – Enable. - - - @@ -16094,9 +14839,6 @@ ADMX Info: - 0 – Disable. - 1 (default) – Enable. - - - @@ -16133,9 +14875,6 @@ ADMX Info: - 0 – Disable. - 1 (default) – Enable. - - - @@ -16178,9 +14917,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -16217,9 +14953,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -16265,9 +14998,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -16310,9 +15040,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -16349,9 +15076,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -16392,9 +15116,6 @@ ADMX Info: - 0 – Don't allow Anti Theft Mode. - 1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent). - - - @@ -16437,9 +15158,6 @@ ADMX Info: - 0 (default) – Encryption enabled. - 1 – Encryption disabled. - - - @@ -16484,10 +15202,6 @@ ADMX Info: > [!IMPORTANT] > If encryption has been enabled, it cannot be turned off by using this policy. - - - - @@ -16524,9 +15238,6 @@ ADMX Info: - 0 (default) – Not required. - 1 – Required. - - - @@ -16574,9 +15285,6 @@ ADMX Info:

    Most restricted value is 1. - - - @@ -16620,10 +15328,6 @@ ADMX Info: > [!NOTE] > Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected. - - - - @@ -16660,9 +15364,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -16699,9 +15400,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -16738,9 +15436,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -16781,9 +15476,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -16824,9 +15516,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -16867,9 +15556,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -16910,9 +15596,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -16949,9 +15632,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -16992,9 +15672,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -17031,9 +15708,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -17072,9 +15746,6 @@ ADMX Info: - 2 - Simplified Chinese (Lunar). - 3 - Traditional Chinese (Lunar). - - - @@ -17136,9 +15807,6 @@ ADMX Info: 2. Configure the policy with the following string: "hide:about". 3. Open System Settings again and verify that the About page is no longer accessible. - - - @@ -17175,9 +15843,6 @@ ADMX Info: - 0 – Turns off Application Installation Control, allowing users to download and install files from anywhere on the web. - 1 – Turns on Application Installation Control, allowing users to only install apps from the Store. - - - @@ -17214,9 +15879,6 @@ ADMX Info: - 0 – Turns off SmartScreen in Windows. - 1 – Turns on SmartScreen in Windows. - - - @@ -17253,9 +15915,6 @@ ADMX Info: - 0 – Employees can ignore SmartScreen warnings and run malicious files. - 1 – Employees cannot ignore SmartScreen warnings and run malicious files. - - - @@ -17292,9 +15951,6 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - @@ -17338,9 +15994,6 @@ ADMX Info:

    If there is policy configuration conflict, the latest configuration request is applied to the device. - - - @@ -17366,9 +16019,6 @@ ADMX Info: - 2b - If set to '2': Verify that the all apps list is collapsed, and that the Settings toggle is grayed out. - 2c - If set to '3': Verify that there is no way of opening the all apps list from Start, and that the Settings toggle is grayed out. - - - @@ -17387,9 +16037,6 @@ ADMX Info: 1. Enable policy. 2. Open Start, click on the user tile, and verify that "Change account settings" is not available. - - - @@ -17415,9 +16062,6 @@ ADMX Info: 5. Check that "Show most used apps" Settings toggle is grayed out. 6. Check that most used apps do not appear in Start. - - - @@ -17439,9 +16083,6 @@ ADMX Info: > [!NOTE] > This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's. - - - @@ -17460,9 +16101,6 @@ ADMX Info: 1. Enable policy. 2. Open Start, click on the user tile, and verify "Lock" is not available. - - - @@ -17484,9 +16122,6 @@ ADMX Info: 1. Enable policy. 2. Open Start, and verify the power button is not available. - - - @@ -17515,9 +16150,6 @@ ADMX Info: 8. Repeat Step 2. 9. Right Click pinned photos app and verify that there is no jumplist of recent items. - - - @@ -17543,9 +16175,6 @@ ADMX Info: 5. Check that "Show recently added apps" Settings toggle is grayed out. 6. Check that recently added apps do not appear in Start. - - - @@ -17564,9 +16193,6 @@ ADMX Info: 1. Enable policy. 2. Open Start, click on the Power button, and verify "Restart" and "Update and restart" are not available. - - - @@ -17585,9 +16211,6 @@ ADMX Info: 1. Enable policy. 2. Open Start, click on the Power button, and verify "Shut down" and "Update and shut down" are not available. - - - @@ -17606,9 +16229,6 @@ ADMX Info: 1. Enable policy. 2. Open Start, click on the user tile, and verify "Sign out" is not available. - - - @@ -17627,9 +16247,6 @@ ADMX Info: 1. Enable policy. 2. Open Start, click on the Power button, and verify that "Sleep" is not available. - - - @@ -17648,9 +16265,6 @@ ADMX Info: 1. Enable policy. 2. Open Start, click on the user tile, and verify that "Switch account" is not available. - - - @@ -17673,9 +16287,6 @@ ADMX Info: 2. Log off. 3. Log in, and verify that the user tile is gone from Start. - - - @@ -17699,9 +16310,6 @@ ADMX Info: 3. Sign out/in. 4. Verify that all Edge assets defined in XML show up in %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState path. - - - @@ -17723,9 +16331,6 @@ ADMX Info: 4. Open Start and right click on one of the app list icons. 5. Verify that More->Pin to taskbar menu does not show. - - - @@ -17770,9 +16375,6 @@ ADMX Info:

    This policy is described in [Start/StartLayout Examples](#startlayout-examples) later in this topic. - - - @@ -17785,8 +16387,6 @@ If you enable this policy setting, Windows will not activate unactivated Enhance If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices. - - ADMX Info: @@ -17838,9 +16438,6 @@ ADMX Info: - 1 – Allowed. Users can make their devices available for downloading and installing preview software. - 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software. - - - @@ -17879,9 +16476,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -17924,9 +16518,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -17974,9 +16565,6 @@ ADMX Info: - After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com. - - - @@ -18022,9 +16610,6 @@ ADMX Info:

    For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off. - - - @@ -18063,9 +16648,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -18159,9 +16741,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -18200,9 +16779,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -18211,8 +16787,6 @@ ADMX Info: N/A - - ADMX Info: @@ -18271,9 +16845,6 @@ ADMX Info: 2. Restart machine. 3. Verify that OneDrive.exe is not running in Task Manager. - - - @@ -18292,8 +16863,6 @@ If you disable or do not configure this policy setting, users can perform System Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. - - ADMX Info: @@ -18335,9 +16904,6 @@ ADMX Info:

    If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. - - - @@ -18380,9 +16946,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -18425,9 +16988,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -18470,9 +17030,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -18515,9 +17072,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -18560,9 +17114,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -18605,9 +17156,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -18650,9 +17198,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -18700,9 +17245,6 @@ ADMX Info: 2. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app. 3. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool. - - - @@ -18711,9 +17253,6 @@ ADMX Info:

    This policy has been deprecated. - - - @@ -18756,9 +17295,6 @@ ADMX Info:

    Most restricted value is 0. - - - @@ -18799,9 +17335,6 @@ ADMX Info: - 0 (default) – No characters are filtered. - 1 – All characters except JIS0208 are filtered. - - - @@ -18842,9 +17375,6 @@ ADMX Info: - 0 (default) – No characters are filtered. - 1 – All characters except JIS0208 and EUDC are filtered. - - - @@ -18885,9 +17415,6 @@ ADMX Info: - 0 (default) – No characters are filtered. - 1 – All characters except ShiftJIS are filtered. - - - @@ -18901,9 +17428,6 @@ ADMX Info: - 0 – Locale default setting. - 1 (default) – Set 24 hour clock. - - - @@ -18946,9 +17470,6 @@ ADMX Info:

    The default is 17 (5 PM). - - - @@ -18965,9 +17486,6 @@ ADMX Info:

    The default value is 18 (hours). - - - @@ -19010,9 +17528,6 @@ ADMX Info:

    The default value is 8 (8 AM). - - - @@ -19065,9 +17580,6 @@ ADMX Info:

    If the policy is not configured, end-users get the default behavior (Auto install and restart). - - - @@ -19108,9 +17620,6 @@ ADMX Info: - 0 – Not allowed or not configured. - 1 – Allowed. Accepts updates received through Microsoft Update. - - - @@ -19155,9 +17664,6 @@ ADMX Info:

    This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. - - - @@ -19205,10 +17711,6 @@ ADMX Info: > [!NOTE] > This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. - - - - @@ -19225,9 +17727,6 @@ ADMX Info:

    The default value is 15 (minutes). - - - @@ -19245,9 +17744,6 @@ ADMX Info: - 1 (default) – Auto Dismissal. - 2 – User Dismissal. - - - @@ -19288,9 +17784,6 @@ ADMX Info: - 16 (default) – User gets all applicable upgrades from Current Branch (CB). - 32 – User gets upgrades from Current Branch for Business (CBB). - - - @@ -19331,9 +17824,6 @@ ADMX Info: > [!IMPORTANT] > The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. - - - @@ -19371,9 +17861,6 @@ ADMX Info:

    Supported values are 0-30. - - - @@ -19473,10 +17960,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - - - - @@ -19522,9 +18005,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

    If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - - @@ -19556,9 +18036,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

    Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. - - - @@ -19575,9 +18052,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

    The default value is 0 days (not specified). - - - @@ -19594,9 +18068,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

    The default value is 3 days. - - - @@ -19613,9 +18084,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

    The default value is 7 days. - - - @@ -19656,10 +18124,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 (default) – Allow Windows Update drivers. - 1 – Exclude Windows Update drivers. - - - - @@ -19699,9 +18163,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 (default) – Disabled. - 1 – Enabled. - - - @@ -19751,10 +18212,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego 3. Verify that any downloads that are above the download size limit will complete without being paused. - - - - @@ -19802,10 +18259,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego 3. Verify that any downloads that are above the download size limit will complete without being paused. - - - - @@ -19852,9 +18305,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

    If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - - @@ -19896,9 +18346,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 (default) – Feature Updates are not paused. - 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. - - - @@ -19932,9 +18379,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

    Value type is string. Supported operations are Add, Get, Delete, and Replace. - - - @@ -19974,9 +18418,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 (default) – Quality Updates are not paused. - 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. - - - @@ -20010,9 +18451,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

    Value type is string. Supported operations are Add, Get, Delete, and Replace. - - - @@ -20055,9 +18493,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 (default) – User gets upgrades from Current Branch. - 1 – User gets upgrades from Current Branch for Business. - - - @@ -20105,9 +18540,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 – Not configured. The device installs all applicable updates. - 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. - - - @@ -20124,9 +18556,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

    The default value is 15 (minutes). - - - @@ -20143,9 +18572,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

    The default value is 4 (hours). - - - @@ -20196,9 +18622,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 6 – Friday - 7 – Saturday - - - @@ -20242,9 +18665,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

    The default value is 3. - - - @@ -20262,9 +18682,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 (default) – Enabled - 1 – Disabled - - - @@ -20301,9 +18718,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 - not configured - 1 - configured - - - @@ -20366,9 +18780,6 @@ Example ``` - - - @@ -20413,9 +18824,6 @@ Example > If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates. > This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. - - - @@ -20424,9 +18832,6 @@ Example

    This policy has been deprecated. - - - @@ -20465,9 +18870,6 @@ Example

    Most restricted value is 0. - - - @@ -20506,9 +18908,6 @@ Example

    Most restricted value is 0. - - - @@ -20550,10 +18949,6 @@ Example > [!NOTE] > Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted. - - - - @@ -20592,9 +18987,6 @@ Example

    Most restricted value is 0. - - - @@ -20629,9 +19021,6 @@ Example - 0 - WiFi Direct connection is not allowed. - 1 - WiFi Direct connection is allowed. - - - @@ -20669,9 +19058,6 @@ Example

    Supported operations are Add, Delete, Get, and Replace. - - - @@ -20708,9 +19094,6 @@ Example - 0 - app suggestions are not allowed. - 1 (default) -allow app suggestions. - - - @@ -20748,9 +19131,6 @@ Example - 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen. - 2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen. - - - @@ -20763,8 +19143,6 @@ If you enable this policy setting, no app notifications are displayed on the loc If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen. - - ADMX Info: @@ -20785,8 +19163,6 @@ If you enable this policy setting, the PC's network connectivity state cannot be If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. - - ADMX Info: @@ -20836,9 +19212,6 @@ ADMX Info: 1. Enable policy. 2. Verify that the Switch account button in Start is hidden. - - - @@ -20873,9 +19246,6 @@ ADMX Info: - 0 - your PC cannot discover or project to other devices. - 1 - your PC can discover and project to other devices - - - @@ -20910,9 +19280,6 @@ ADMX Info: - 0 - your PC cannot discover or project to other infrastructure devices, although it is possible to discover and project over WiFi Direct. - 1 - your PC can discover and project to other devices over infrastructure. - - - @@ -20951,9 +19318,6 @@ ADMX Info: - 0 - projection to PC is not allowed. Always off and the user cannot enable it. - 1 (default) - projection to PC is allowed. Enabled only above the lock screen. - - - @@ -20988,9 +19352,6 @@ ADMX Info: - 0 - your PC is not discoverable and other devices cannot project to it over infrastructure, although it is possible to project to it over WiFi Direct. - 1 - your PC is discoverable and other devices can project to it over infrastructure. - - - @@ -20999,9 +19360,6 @@ ADMX Info:

    Added in Windows 10, version 1703. - - - @@ -21040,9 +19398,6 @@ ADMX Info: - 0 (default) - PIN is not required. - 1 - PIN is required. - - -

    diff --git a/windows/configuration/mobile-devices/mobile-lockdown-designer.md b/windows/configuration/mobile-devices/mobile-lockdown-designer.md index 33a512ae37..4c7a24ae08 100644 --- a/windows/configuration/mobile-devices/mobile-lockdown-designer.md +++ b/windows/configuration/mobile-devices/mobile-lockdown-designer.md @@ -15,7 +15,7 @@ author: jdeckerms Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. -When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. +When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. You can deploy the lockdown XML file by [adding it to a provisioning package](lockdown-xml.md#add-lockdown-xml-to-a-provisioning-package) or [by using mobile device management (MDM)](lockdown-xml.md#push-lockdown-xml-using-mdm). The Lockdown Designer app helps you configure and create a lockdown XML file that you can apply to devices running Windows 10 Mobile, version 1703, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Lockdown Designer also validates the XML. Using Lockdown Designer is easier than [manually creating a lockdown XML file](lockdown-xml.md). diff --git a/windows/deployment/update/images/update-compliance-wdav-assessment.png b/windows/deployment/update/images/update-compliance-wdav-assessment.png new file mode 100644 index 0000000000..266c5b7210 Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-assessment.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-overview.png b/windows/deployment/update/images/update-compliance-wdav-overview.png new file mode 100644 index 0000000000..977478fb74 Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-overview.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-prot-status.png b/windows/deployment/update/images/update-compliance-wdav-prot-status.png new file mode 100644 index 0000000000..2c6c355ca4 Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-prot-status.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png b/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png new file mode 100644 index 0000000000..733bfb6ae7 Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png b/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png new file mode 100644 index 0000000000..d914960a7a Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png b/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png new file mode 100644 index 0000000000..7d8021b02e Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-status-filter.png b/windows/deployment/update/images/update-compliance-wdav-status-filter.png new file mode 100644 index 0000000000..cd500c2cb3 Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-filter.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-status-log.png b/windows/deployment/update/images/update-compliance-wdav-status-log.png new file mode 100644 index 0000000000..30e2e2352f Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-log.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-status-query.png b/windows/deployment/update/images/update-compliance-wdav-status-query.png new file mode 100644 index 0000000000..c7d1a436fe Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-query.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-threat-status.png b/windows/deployment/update/images/update-compliance-wdav-threat-status.png new file mode 100644 index 0000000000..ada9c09bbf Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-threat-status.png differ diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index f6c1878943..2b42051399 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -10,7 +10,7 @@ author: greg-lindsay # Get started with Update Compliance -This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance. +This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance. Steps are provided in sections that follow the recommended setup process: 1. Ensure that [prerequisites](#update-compliance-prerequisites) are met. @@ -19,22 +19,25 @@ Steps are provided in sections that follow the recommended setup process: ## Update Compliance Prerequisites -Update Compliance has the following requirements: -1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops). -2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization). +Update Compliance has the following requirements: +1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops). +2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization). 3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for different aspects of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint: - -
    ServiceEndpoint -
    Connected User Experience and Telemetry componentv10.vortex-win.data.microsoft.com -
    settings-win.data.microsoft.com -
    Windows Error Reporting watson.telemetry.microsoft.com -
    Online Crash Analysis oca.telemetry.microsoft.com -
    + +
    ServiceEndpoint +
    Connected User Experience and Telemetry componentv10.vortex-win.data.microsoft.com +
    settings-win.data.microsoft.com +
    Windows Error Reporting watson.telemetry.microsoft.com +
    Online Crash Analysis oca.telemetry.microsoft.com +
    + +4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV. + ## Add Update Compliance to Microsoft Operations Management Suite -Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). +Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). If you are already using OMS, you’ll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace. @@ -52,7 +55,7 @@ If you are not yet using OMS, use the following steps to subscribe to OMS Update -3. Create a new OMS workspace. +3. Create a new OMS workspace.

    @@ -76,7 +79,7 @@ If you are not yet using OMS, use the following steps to subscribe to OMS Update -7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible on your workspace. +7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible on your workspace.

    @@ -100,7 +103,7 @@ After you are subscribed to OMS Update Compliance and your devices have a Commer ## Deploy your Commercial ID to your Windows 10 devices -In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM). +In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM). - Using Group Policy

    Deploying your Commercial ID using Group Policy can be accomplished by configuring domain Group Policy Objects with the Group Policy Management Editor, or by configuring local Group Policy using the Local Group Policy Editor. @@ -114,4 +117,4 @@ In order for your devices to show up in Windows Analytics: Update Compliance, th ## Related topics -[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) \ No newline at end of file +[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index 39d8b0e012..08daf13df1 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -31,7 +31,8 @@ Update Compliance has the following primary blades: 3. [Latest and Previous Security Update Status](#latest-and-previous-security-update-status) 4. [Overall Feature Update Status](#overall-feature-update-status) 5. [CB, CBB, LTSB Deployment Status](#cb-cbb-ltsb-deployment-status) -6. [List of Queries](#list-of-queries) +6. [Windows Defender Antivirus Assessment](#wdav-assessment) +7. [List of Queries](#list-of-queries) ## OS Update Overview @@ -41,6 +42,7 @@ The first blade of OMS Update Compliance is the General **OS Update Overview** b ![OS Update Overview](images/uc-11.png) + This blade is divided into three sections: - Device Summary: - Needs Attention Summary @@ -139,6 +141,133 @@ The Overall Feature Update Status blade focuses around whether or not your devic Devices are evaluated by OS Version (e.g., 1607) and the count of how many are Current, Not Current, and have Update Failures is displayed. Clicking on any of these counts will allow you to view all those devices, as well as select the **Update Deployment Status** perspective, described below.  + +## Windows Defender Antivirus Assessment + +You'll notice some new tiles in the Overview blade which provide a summary of Windows Defender AV-related issues, highlighted in the following screenshot. + +![verview blade showing a summary of key Windows Defender Antivirus issues](images/update-compliance-wdav-overview.png) + +The **AV Signature** chart shows the number of devices that either have up-to-date [protection updates (also known as signatures or definitions)](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus), while the **Windows Defender AV Status** tile indicates the percentage of all assessed devices that are not updated and do not have real-time protection enabled. The Windows Defender Antivirus Assessment section provides more information that lets you investigate potential issues. + +If you're using [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) to protect devices in your organization and have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus), you can use this section to review the overall status of key protection features, including the number of devices that have [always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and up-to-date definitions. + +There are two blades in the Windows Defender AV Assessment section: + +- Protection status +- Threats status + +![Windows Defender Antivirus Assessment blade in Update Compliance](images/update-compliance-wdav-assessment.png) + +The **Protection Status** blade shows three key measurements: + +1. How many devices have old or current signatures (also known as protection updates or definitions) +2. How many devices have the core Windows Defender AV always-on scanning feature enabled, called real-time protection + + +![Windows Defender Antivirus protection status in Update Compliance](images/update-compliance-wdav-prot-status.png) + +See the [Manage Windows Defender AV updates and apply baselines](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) topic for an overview on how updates work, and further information on applying updates. + +The **Threats Status** blade shows the following measurements: + +1. How many devices that have threats that have been remediated (removed or quarantined on the device) +2. How many devices that have threats where remediation was not successful (this may indicate a manual reboot or clean is required) + + +![Windows Defender Antivirus threat status in Update Compliance](images/update-compliance-wdav-threat-status.png) + +Devices can be in multiple states at once, as one device may have multiple threats, some of which may or may not be remediated. + +> [!IMPORTANT] +> The data reported in Update Compliance can be delayed by up to 24 hours. + +See the [Customize, initiate, and review the results of Windows Defender AV scans and remediation](/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) topic for more information on how to perform scans and other manual remediation tasks. + +As with other blades in Update Compliance, clicking on a specific measurement or item will open the associated query that you can use to investigate individual devices and issues, as described below. + + +### Investigate individual devices and threats + + +Click on any of the status measurements to be taken to a pre-built log query that shows the impacted devices for that status. + +![Sample Windows Defender AV query in Update Compliance](images/update-compliance-wdav-status-log.png) + +You can also find a pre-built query on the main Update Compliance screen, under the **Queries** blade, that lists devices that have not been assessed for Windows Defender AV. + +![Overview blade showing a summary of key Windows Defender Antivirus issues](images/update-compliance-wdav-query-not-assessed.png) + + + + + + + + +You can further filter queries by clicking any of the measurement labels for each incident, changing the values in the query filter pane, and then clicking **Apply**. + +![Click the Apply button on the left pane](images/update-compliance-wdav-status-filter-apply.png) + + + +Click **+Add** at the bottom of the filter pane to open a list of filters you can apply. + +![Click Add to add more filters](images/update-compliance-wdav-status-add-filter.png) + + +You can also click the **. . .** button next to each label to instantly filter by that label or value. + +![Click the elipsis icon to instantly filter by the selected label](images/update-compliance-wdav-status-filter.png) + +You can create your own queries by using a query string in the following format: + +``` +Type: