diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index 6f07ebd2bc..e1cc857151 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_AppCompat Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/03/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -54,7 +54,7 @@ If the status is set to Disabled, the MS-DOS subsystem runs for all users on thi If the status is set to Not Configured, the OS falls back on a local policy set by the registry DWORD value HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault. If that value is non-0, this prevents all 16-bit applications from running. If that value is 0, 16-bit applications are allowed to run. If that value is also not present, on Windows 10 and above the OS will launch the 16-bit application support control panel to allow an elevated administrator to make the decision; on windows 7 and downlevel, the OS will allow 16-bit applications to run. -Note: This setting appears in only Computer Configuration. +**Note**: This setting appears in only Computer Configuration. 
@@ -242,7 +242,7 @@ The Windows Resource Protection and User Account Control features of Windows use This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential. -NOTE: Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, please reboot to ensure that your system accurately reflects those changes. +**Note**: Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, please reboot to ensure that your system accurately reflects those changes. @@ -281,6 +281,62 @@ NOTE: Many system processes cache the value of this setting for performance reas + +## AppCompatTurnOffProgramCompatibilityAssistant_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1 +``` + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AppCompatTurnOffProgramCompatibilityAssistant_1 | +| Friendly Name | Turn off Program Compatibility Assistant | +| Location | User Configuration | +| Path | Windows Components > Application Compatibility | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | DisablePCA | +| ADMX File Name | AppCompat.admx | + + + + + + + + ## AppCompatTurnOffProgramCompatibilityAssistant_2 
@@ -306,7 +362,7 @@ If you enable this policy setting, the PCA will be turned off. The user will not If you disable or do not configure this policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. -Note: The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. +**Note**: The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. @@ -330,7 +386,7 @@ Note: The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Se | Name | Value | |:--|:--| -| Name | AppCompatTurnOffProgramCompatibilityAssistant | +| Name | AppCompatTurnOffProgramCompatibilityAssistant_2 | | Friendly Name | Turn off Program Compatibility Assistant | | Location | Computer Configuration | | Path | Windows Components > Application Compatibility | @@ -370,7 +426,7 @@ If you enable this policy setting, the Inventory Collector will be turned off an If you disable or do not configure this policy setting, the Inventory Collector will be turned on. -Note: This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inventory Collector will be off. +**Note**: This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inventory Collector will be off. @@ -537,62 +593,6 @@ If you disable or do not configure this policy setting, Steps Recorder will be e - -## AppCompatTurnOffProgramCompatibilityAssistant_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1 -``` - - - - -This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | AppCompatTurnOffProgramCompatibilityAssistant | -| Friendly Name | Turn off Program Compatibility Assistant | -| Location | User Configuration | -| Path | Windows Components > Application Compatibility | -| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | -| Registry Value Name | DisablePCA | -| ADMX File Name | AppCompat.admx | - - - - - - - - diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index ac9e54106c..47389ccf0a 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_TerminalServer Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_TerminalServer > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -68,7 +66,7 @@ If the status is set to Not Configured, automatic reconnection is not specified > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -130,7 +128,7 @@ If you disable or do not configure this policy setting, users can redirect their > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -178,7 +176,8 @@ If no certificate can be found that was created with the specified certificate t If you disable or do not configure this policy, the certificate template name is not specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server. -Note: If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting. +> [!NOTE] +> If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting. @@ -196,7 +195,7 @@ Note: If you select a specific certificate to be used to authenticate the RD Ses > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -216,6 +215,69 @@ Note: If you select a specific certificate to be used to authenticate the RD Ses + +## TS_CLIENT_ALLOW_SIGNED_FILES_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1 +``` + + + + +This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). + +If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. + +If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. + +> [!NOTE] +> You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_ALLOW_SIGNED_FILES_1 | +| Friendly Name | Allow .rdp files from valid publishers and user's default .rdp settings | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | AllowSignedFiles | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_CLIENT_ALLOW_SIGNED_FILES_2 @@ -239,7 +301,8 @@ If you enable or do not configure this policy setting, users can run .rdp files If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. -Note: You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. +> [!NOTE] +> You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. 
@@ -257,13 +320,13 @@ Note: You can define this policy setting in the Computer Configuration node or i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TS_CLIENT_ALLOW_SIGNED_FILES | +| Name | TS_CLIENT_ALLOW_SIGNED_FILES_2 | | Friendly Name | Allow .rdp files from valid publishers and user's default .rdp settings | | Location | Computer Configuration | | Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | @@ -278,6 +341,66 @@ Note: You can define this policy setting in the Computer Configuration node or i + +## TS_CLIENT_ALLOW_UNSIGNED_FILES_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1 +``` + + + + +This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. + +If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. + +If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_ALLOW_UNSIGNED_FILES_1 | +| Friendly Name | Allow .rdp files from unknown publishers | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | AllowUnsignedFiles | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_CLIENT_ALLOW_UNSIGNED_FILES_2 
@@ -317,13 +440,13 @@ If you disable this policy setting, users cannot run unsigned .rdp files and .rd > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TS_CLIENT_ALLOW_UNSIGNED_FILES | +| Name | TS_CLIENT_ALLOW_UNSIGNED_FILES_2 | | Friendly Name | Allow .rdp files from unknown publishers | | Location | Computer Configuration | | Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | @@ -382,7 +505,7 @@ If you do not configure this policy setting audio and video playback redirection > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -447,7 +570,7 @@ If you do not configure this policy setting, Audio recording redirection is not > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -511,7 +634,7 @@ If you disable or do not configure this policy setting, audio playback quality w > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -574,7 +697,7 @@ If you do not configure this policy setting, Clipboard redirection is not specif > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -638,7 +761,7 @@ If you do not configure this policy setting, COM port redirection is not specifi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -702,7 +825,7 @@ If you do not configure this policy setting, the default printer is not specifie > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -758,7 +881,7 @@ This policy setting specifies whether the Remote Desktop Connection can use hard > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -779,6 +902,66 @@ This policy setting specifies whether the Remote Desktop Connection can use hard + +## TS_CLIENT_DISABLE_PASSWORD_SAVING_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1 +``` + + + + +Controls whether a user can save passwords using Remote Desktop Connection. + +If you enable this setting the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. + +If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_DISABLE_PASSWORD_SAVING_1 | +| Friendly Name | Do not allow passwords to be saved | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | DisablePasswordSaving | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_CLIENT_LPT 
@@ -822,7 +1005,7 @@ If you do not configure this policy setting, LPT port redirection is not specifi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -866,9 +1049,10 @@ By default, Remote Desktop Services does not allow redirection of supported Plug If you disable this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer. -If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer.If you do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it is running Windows Server 2012 R2 and earlier versions. +If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer. If you do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it is running Windows Server 2012 R2 and earlier versions. -Note: You can disable redirection of specific types of supported Plug and Play devices by using Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions policy settings. +> [!NOTE] +> You can disable redirection of specific types of supported Plug and Play devices by using Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions policy settings. 
@@ -886,7 +1070,7 @@ Note: You can disable redirection of specific types of supported Plug and Play d > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -950,7 +1134,7 @@ If you do not configure this policy setting, client printer mapping is not speci > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -994,7 +1178,7 @@ If you enable this policy setting, any certificate with an SHA1 thumbprint that If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. -Notes: +**Note**: You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. 
@@ -1018,13 +1202,13 @@ If the list contains a string that is not a certificate thumbprint, it is ignore > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS | +| Name | TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1 | | Friendly Name | Specify SHA1 thumbprints of certificates representing trusted .rdp publishers | | Location | Computer Configuration | | Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | @@ -1038,6 +1222,73 @@ If the list contains a string that is not a certificate thumbprint, it is ignore + +## TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 +``` + + + + +This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. + +If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. + +If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. + +**Note**: + +You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. + +This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. + +If the list contains a string that is not a certificate thumbprint, it is ignored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 | +| Friendly Name | Specify SHA1 thumbprints of certificates representing trusted .rdp publishers | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_CLIENT_TURN_OFF_UDP @@ -1077,7 +1328,7 @@ If you disable or do not configure this policy setting, Remote Desktop Protocol > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1123,9 +1374,11 @@ If you enable this policy setting, the color depth that you specify is the maxim If you disable or do not configure this policy setting, the color depth for connections is not specified at the Group Policy level. -Note: +**Note**: + 1. Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows XP Professional. 2. The value specified in this policy setting is not applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections. + 3. For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012, the minimum of the following values is used as the color depth format: a. Value specified by this policy setting b. Maximum color depth supported by the client 
@@ -1149,7 +1402,7 @@ If the client does not support at least 16 bits, the connection is terminated. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1188,13 +1441,15 @@ If the client does not support at least 16 bits, the connection is terminated. This policy setting allows you to limit the size of the entire roaming user profile cache on the local drive. This policy setting only applies to a computer on which the Remote Desktop Session Host role service is installed. -Note: If you want to limit the size of an individual user profile, use the "Limit profile size" policy setting located in User Configuration\Policies\Administrative Templates\System\User Profiles. +> [!NOTE] +> If you want to limit the size of an individual user profile, use the "Limit profile size" policy setting located in User Configuration\Policies\Administrative Templates\System\User Profiles. If you enable this policy setting, you must specify a monitoring interval (in minutes) and a maximum size (in gigabytes) for the entire roaming user profile cache. The monitoring interval determines how often the size of the entire roaming user profile cache is checked. When the size of the entire roaming user profile cache exceeds the maximum size that you have specified, the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming user profile cache is less than the maximum size specified. If you disable or do not configure this policy setting, no restriction is placed on the size of the entire roaming user profile cache on the local drive. -Note: This policy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy setting located in Computer Configuration\Policies\Administrative Templates\System\User Profiles is enabled. +> [!NOTE] +> This policy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy setting located in Computer Configuration\Policies\Administrative Templates\System\User Profiles is enabled. 
@@ -1212,7 +1467,7 @@ Note: This policy setting is ignored if the "Prevent Roaming Profile changes fro > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1276,7 +1531,7 @@ If the status is set to Not Configured, the default behavior applies. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1340,7 +1595,7 @@ NOTE: The policy setting enables load-balancing of graphics processing units (GP > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1384,7 +1639,8 @@ If you enable or do not configure this policy setting, the RD Session Host serve If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. -Note: If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. +> [!NOTE] +> If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. @@ -1402,7 +1658,7 @@ Note: If the "Do not allow client printer redirection" policy setting is enabled > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1423,6 +1679,69 @@ Note: If the "Do not allow client printer redirection" policy setting is enabled + +## TS_EASY_PRINT_User + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_EASY_PRINT_User +``` + + + + +This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. + +If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. + +If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. + +> [!NOTE] +> If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_EASY_PRINT_User | +| Friendly Name | Use Remote Desktop Easy Print printer driver first | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Printer Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | UseUniversalPrinterDriverFirst | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_EnableVirtualGraphics @@ -1468,7 +1787,7 @@ If you do not configure this policy setting, the default behavior will be used. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1524,7 +1843,8 @@ If you disable this policy setting, the RD Session Host server fallback driver i If you do not configure this policy setting, the fallback printer driver behavior is off by default. -Note: If the "Do not allow client printer redirection" setting is enabled, this policy setting is ignored and the fallback printer driver is disabled. +> [!NOTE] +> If the "Do not allow client printer redirection" setting is enabled, this policy setting is ignored and the fallback printer driver is disabled. 
@@ -1542,7 +1862,7 @@ Note: If the "Do not allow client printer redirection" setting is enabled, this > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1588,7 +1908,8 @@ If you enable this policy setting, logging off the connected administrator is no If you disable or do not configure this policy setting, logging off the connected administrator is allowed. -Note: The console session is also known as Session 0. Console access can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line. +> [!NOTE] +> The console session is also known as Session 0. Console access can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line. @@ -1606,7 +1927,7 @@ Note: The console session is also known as Session 0. Console access can be obta > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1627,6 +1948,193 @@ Note: The console session is also known as Session 0. Console access can be obta + +## TS_GATEWAY_POLICY_AUTH_METHOD + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD +``` + + + + +Specifies the authentication method that clients must use when attempting to connect to an RD Session Host server through an RD Gateway server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. + +To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default. + +If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_GATEWAY_POLICY_AUTH_METHOD | +| Friendly Name | Set RD Gateway authentication method | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > RD Gateway | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_GATEWAY_POLICY_ENABLE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE +``` + + + + +If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting. + +You can enforce this policy setting or you can allow users to overwrite this setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. + +> [!NOTE] +> To enforce this policy setting, you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" policy setting, or client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. To enhance security, it is also highly recommended that you specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a smart card can be used. + +To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. 
If users do not specify a connection method, the connection method that you specify in this policy setting is used by default. + +If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_GATEWAY_POLICY_ENABLE | +| Friendly Name | Enable connection through RD Gateway | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > RD Gateway | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | UseProxy | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_GATEWAY_POLICY_SERVER + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER +``` + + + + +Specifies the address of the RD Gateway server that clients must use when attempting to connect to an RD Session Host server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. + +> [!NOTE] +> It is highly recommended that you also specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this setting, either the NTLM protocol that is enabled on the client or a smart card can be used. + +To allow users to overwrite the "Set RD Gateway server address" policy setting and connect to another RD Gateway server, you must select the "Allow users to change this setting" check box and users will be allowed to specify an alternate RD Gateway server. Users can specify an alternative RD Gateway server by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate RD Gateway server, the server that you specify in this policy setting is used by default. + +> [!NOTE] +> If you disable or do not configure this policy setting, but enable the "Enable connections through RD Gateway" policy setting, client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. 
+ + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_GATEWAY_POLICY_SERVER | +| Friendly Name | Set RD Gateway server address | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > RD Gateway | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_JOIN_SESSION_DIRECTORY @@ -1652,7 +2160,7 @@ If you disable this policy setting, the server does not join a farm in RD Connec If the policy setting is not configured, the policy setting is not specified at the Group Policy level. -Notes: +**Note**: 1. If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings. @@ -1674,7 +2182,7 @@ Notes: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1736,7 +2244,7 @@ If you disable or do not configure this policy setting, a keep-alive interval is > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1784,7 +2292,8 @@ By default, the RDS Endpoint Servers group is empty. If you disable or do not configure this policy setting, the Remote Desktop license server issues an RDS CAL to any RD Session Host server that requests one. The RDS Endpoint Servers group is not deleted or changed in any way by disabling or not configuring this policy setting. -Note: You should only enable this policy setting when the license server is a member of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Servers group when the license server is a member of a domain. +> [!NOTE] +> You should only enable this policy setting when the license server is a member of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Servers group when the license server is a member of a domain. @@ -1802,7 +2311,7 @@ Note: You should only enable this policy setting when the license server is a me > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1866,7 +2375,7 @@ If you disable or do not configure this policy setting, the RD Session Host serv > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1927,7 +2436,7 @@ If you disable or do not configure this policy setting, these notifications will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1992,7 +2501,7 @@ If you disable or do not configure this policy setting, the licensing mode is no > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -2039,7 +2548,8 @@ If the status is set to Enabled, the maximum number of connections is limited to If the status is set to Disabled or Not Configured, limits to the number of connections are not enforced at the Group Policy level. -Note: This setting is designed to be used on RD Session Host servers (that is, on servers running Windows with Remote Desktop Session Host role service installed). +> [!NOTE] +> This setting is designed to be used on RD Session Host servers (that is, on servers running Windows with Remote Desktop Session Host role service installed). @@ -2057,7 +2567,7 @@ Note: This setting is designed to be used on RD Session Host servers (that is, o > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2116,7 +2626,7 @@ If you disable or do not configure this policy setting, the maximum resolution t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -2175,7 +2685,7 @@ If you disable or do not configure this policy setting, the number of monitors t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2220,7 +2730,8 @@ If you enable this policy setting, "Disconnect" does not appear as an option in If you disable or do not configure this policy setting, "Disconnect" is not removed from the list in the Shut Down Windows dialog box. -Note: This policy setting affects only the Shut Down Windows dialog box. It does not prevent users from using other methods to disconnect from a Remote Desktop Services session. This policy setting also does not prevent disconnected sessions at the server. You can control how long a disconnected session remains active on the server by configuring the "Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Session Time Limits\Set time limit for disconnected sessions" policy setting. +> [!NOTE] +> This policy setting affects only the Shut Down Windows dialog box. It does not prevent users from using other methods to disconnect from a Remote Desktop Services session. This policy setting also does not prevent disconnected sessions at the server. You can control how long a disconnected session remains active on the server by configuring the "Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Session Time Limits\Set time limit for disconnected sessions" policy setting. 
@@ -2238,7 +2749,7 @@ Note: This policy setting affects only the Shut Down Windows dialog box. It does > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2298,7 +2809,7 @@ If the status is set to Disabled or Not Configured, Windows Security remains in > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2365,7 +2876,7 @@ If you disable or do not configure this policy setting, the license server will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -2407,7 +2918,8 @@ This policy setting determines whether a user will be prompted on the client com If you enable this policy setting, a user will be prompted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Session Host server. If saved credentials for the user are available on the client computer, the user will not be prompted to provide credentials. -Note: If you enable this policy setting in releases of Windows Server 2008 R2 with SP1 or Windows Server 2008 R2, and a user is prompted on both the client computer and on the RD Session Host server to provide credentials, clear the Always prompt for password check box on the Log on Settings tab in Remote Desktop Session Host Configuration. +> [!NOTE] +> If you enable this policy setting in releases of Windows Server 2008 R2 with SP1 or Windows Server 2008 R2, and a user is prompted on both the client computer and on the RD Session Host server to provide credentials, clear the Always prompt for password check box on the Log on Settings tab in Remote Desktop Session Host Configuration. If you disable or do not configure this policy setting, the version of the operating system on the RD Session Host server will determine when a user is prompted to provide credentials for a remote connection to an RD Session Host server. For Windows Server 2003 and Windows 2000 Server a user will be prompted on the terminal server to provide credentials for a remote connection. For Windows Server 2008 and Windows Server 2008 R2, a user will be prompted on the client computer to provide credentials for a remote connection. 
@@ -2427,7 +2939,7 @@ If you disable or do not configure this policy setting, the version of the opera > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2448,6 +2960,70 @@ If you disable or do not configure this policy setting, the version of the opera + +## TS_RADC_DefaultConnection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_RADC_DefaultConnection +``` + + + + +This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs. + +The default connection URL must be configured in the form of . + +If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL. + +If you disable or do not configure this policy setting, the user has no default connection URL. + +> [!NOTE] +> RemoteApp programs that are installed through RemoteApp and Desktop Connections from an untrusted server can compromise the security of a user's account. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_RADC_DefaultConnection | +| Friendly Name | Specify default connection URL | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > RemoteApp and Desktop Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Workspaces | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_RDSAppX_WaitForRegistration 
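Review bot: In the added TS_RADC_DefaultConnection description, the sentence "The default connection URL must be configured in the form of ." ends without the URL form it announces, so an administrator has nothing to check the configured value against. The example was probably lost when the text was converted; restore it and wrap it in backticks so the renderer keeps it. This matters more than usual here, because the note in the same section says a connection to an untrusted server can compromise the user's account.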
@@ -2489,7 +3065,7 @@ If you disable or do not configure this policy setting, the Start screen is show > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2510,6 +3086,71 @@ If you disable or do not configure this policy setting, the Start screen is show + +## TS_RemoteControl_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_RemoteControl_1 +``` + + + + +If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list: + +1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. +2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. + +3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. +4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. + +5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. + +If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_RemoteControl_1 | +| Friendly Name | Set rules for remote control of Remote Desktop Services user sessions | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_RemoteControl_2 @@ -2531,8 +3172,10 @@ If you enable this policy setting, administrators can interact with a user's Rem 1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. 2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. + 3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. 4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. + 5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. 
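Review bot: The two blank lines added to the TS_RemoteControl_2 options list fall after item 2 and after item 4 only, so the five-item list is split unevenly and can render as a mix of tight and loose items. Either drop both blank lines or separate every item the same way. The new TS_RemoteControl_1 section added just above has the same spacing and should be changed with it.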
@@ -2553,13 +3196,13 @@ If you disable this policy setting, administrators can interact with a user's Re > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TS_RemoteControl | +| Name | TS_RemoteControl_2 | | Friendly Name | Set rules for remote control of Remote Desktop Services user sessions | | Location | Computer Configuration | | Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | @@ -2614,7 +3257,7 @@ By default, Remote Desktop Connection sessions that use RemoteFX are optimized f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2659,7 +3302,7 @@ If you enable this policy setting, you must specify the name of a farm in RD Con If you disable or do not configure this policy setting, the farm name is not specified at the Group Policy level. -Notes: +**Note**: 1. This policy setting is not effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy. 
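Review bot: `Notes:` becomes the singular `**Note**:` in the farm-name description, but the line still introduces a numbered list, and other hunks in this patch convert the same kind of text to a `> [!NOTE]` alert. Pick one form for the file. If the alert is the intended convention, move the numbered items into a `> [!NOTE]` block here and in the two later hunks that make the same `Notes:` change.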
@@ -2681,7 +3324,7 @@ Notes: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2726,7 +3369,7 @@ If you disable this policy setting, the IP address of the RD Session Host server If you do not configure this policy setting, the Use IP address redirection policy setting is not enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default. -Notes: +**Note**: 1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. @@ -2746,7 +3389,7 @@ Notes: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2790,7 +3433,7 @@ If you enable this policy setting, you must specify the RD Connection Broker ser If you disable or do not configure this policy setting, the policy setting is not specified at the Group Policy level. -Notes: +**Note**: 1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. 
@@ -2814,7 +3457,7 @@ Notes: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2879,7 +3522,7 @@ If you disable or do not configure this policy setting, the security method to b > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2944,7 +3587,7 @@ If you disable or do not configure this policy setting, Remote Desktop Protocol > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3009,7 +3652,7 @@ If you disable or do not configure this policy setting, RDP will choose the opti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -3068,7 +3711,7 @@ If you disable this policy setting, RemoteApp programs published from this RD Se > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3134,7 +3777,7 @@ If you disable or do not configure this policy setting, the authentication setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3189,7 +3832,7 @@ This policy setting lets you enable H.264/AVC hardware encoding support for Remo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -3245,7 +3888,7 @@ This policy setting prioritizes the H.264/AVC 444 graphics mode for non-RemoteFX > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3309,7 +3952,7 @@ If you disable or do not configure this policy setting, the default RDP compress > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3369,7 +4012,7 @@ If you disable or do not configure this policy setting, RemoteFX Adaptive Graphi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -3406,7 +4049,7 @@ If you disable or do not configure this policy setting, RemoteFX Adaptive Graphi -This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remote Desktop Session Host server so that the sessions are compatible with non-Windows thin client devices designed for Windows Server 2008 R2 SP1. These clients only support the Windows Server 2008 R2 SP1 RemoteFX Codec.If you enable this policy setting, users' sessions on this server will only use the Windows Server 2008 R2 SP1 RemoteFX Codec for encoding. This mode is compatible with thin client devices that only support the Windows Server 2008 R2 SP1 RemoteFX Codec.If you disable or do not configure this policy setting, non-Windows thin clients that only support the Windows Server 2008 R2 SP1 RemoteFX Codec will not be able to connect to this server. This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1, and does not affect clients that are using other RDP versions. +This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remote Desktop Session Host server so that the sessions are compatible with non-Windows thin client devices designed for Windows Server 2008 R2 SP1. These clients only support the Windows Server 2008 R2 SP1 RemoteFX Codec. If you enable this policy setting, users' sessions on this server will only use the Windows Server 2008 R2 SP1 RemoteFX Codec for encoding. This mode is compatible with thin client devices that only support the Windows Server 2008 R2 SP1 RemoteFX Codec. If you disable or do not configure this policy setting, non-Windows thin clients that only support the Windows Server 2008 R2 SP1 RemoteFX Codec will not be able to connect to this server. This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1, and does not affect clients that are using other RDP versions. 
@@ -3424,7 +4067,7 @@ This policy setting allows you to configure graphics encoding to use the RemoteF > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3465,8 +4108,10 @@ This policy setting allows you to configure graphics encoding to use the RemoteF This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available nework bandwidth. If you enable this policy setting, the RemoteFX experience could be set to one of the following options: + 1. Let the system choose the experience for the network condition 2. Optimize for server scalability + 3. Optimize for minimum bandwidth usage If you disable or do not configure this policy setting, the RemoteFX experience will change dynamically based on the network condition." @@ -3487,7 +4132,7 @@ If you disable or do not configure this policy setting, the RemoteFX experience > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -3548,7 +4193,7 @@ If you disable or do not configure this policy setting, Remote Desktop Services > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3609,7 +4254,7 @@ For this change to take effect, you must restart Windows. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3630,6 +4275,75 @@ For this change to take effect, you must restart Windows. + +## TS_Session_End_On_Limit_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_Session_End_On_Limit_1 +``` + + + + +This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. + +You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. + +Time limits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. + +If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. + +If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. + +If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. + +> [!NOTE] +> This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_Session_End_On_Limit_1 | +| Friendly Name | End session when time limits are reached | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fResetBroken | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_Session_End_On_Limit_2 @@ -3659,7 +4373,8 @@ If you disable this policy setting, Remote Desktop Services always disconnects a If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. -Note: This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. +> [!NOTE] +> This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. 
@@ -3677,13 +4392,13 @@ Note: This policy setting only applies to time-out limits that are explicitly se > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TS_Session_End_On_Limit | +| Name | TS_Session_End_On_Limit_2 | | Friendly Name | End session when time limits are reached | | Location | Computer Configuration | | Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | @@ -3698,6 +4413,72 @@ Note: This policy setting only applies to time-out limits that are explicitly se + +## TS_SESSIONS_Disconnected_Timeout_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1 +``` + + + + +This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. + +You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. + +When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. + +If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. + +If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. + +> [!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_SESSIONS_Disconnected_Timeout_1 | +| Friendly Name | Set time limit for disconnected sessions | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_SESSIONS_Disconnected_Timeout_2 @@ -3723,10 +4504,10 @@ When a session is in a disconnected state, running programs are kept active even If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. - If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. -Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. +> [!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. 
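Review bot: The unchanged line next to the edits in TS_SESSIONS_Disconnected_Timeout_2 still reads "Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time.", and the new TS_SESSIONS_Disconnected_Timeout_1 section copies the same text. Correct it to "By default" in both places while this paragraph is being touched.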
@@ -3744,13 +4525,13 @@ Note: This policy setting appears in both Computer Configuration and User Config > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TS_SESSIONS_Disconnected_Timeout | +| Name | TS_SESSIONS_Disconnected_Timeout_2 | | Friendly Name | Set time limit for disconnected sessions | | Location | Computer Configuration | | Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | @@ -3764,6 +4545,70 @@ Note: This policy setting appears in both Computer Configuration and User Config + +## TS_SESSIONS_Idle_Limit_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1 +``` + + + + +This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. + +If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. + +If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. + +If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. + +> [!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_SESSIONS_Idle_Limit_1 | +| Friendly Name | Set time limit for active but idle Remote Desktop Services sessions | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_SESSIONS_Idle_Limit_2 @@ -3789,7 +4634,8 @@ If you disable or do not configure this policy setting, the time limit is not sp If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. -Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. +> [!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. 
@@ -3807,13 +4653,13 @@ Note: This policy setting appears in both Computer Configuration and User Config > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TS_SESSIONS_Idle_Limit | +| Name | TS_SESSIONS_Idle_Limit_2 | | Friendly Name | Set time limit for active but idle Remote Desktop Services sessions | | Location | Computer Configuration | | Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | @@ -3827,6 +4673,70 @@ Note: This policy setting appears in both Computer Configuration and User Config + +## TS_SESSIONS_Limits_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Limits_1 +``` + + + + +This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. + +If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. + +If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. + +If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. + +> [!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_SESSIONS_Limits_1 | +| Friendly Name | Set time limit for active Remote Desktop Services sessions | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_SESSIONS_Limits_2 @@ -3852,7 +4762,8 @@ If you disable or do not configure this policy setting, this policy setting is n If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. -Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. +> [!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. 
@@ -3870,13 +4781,13 @@ Note: This policy setting appears in both Computer Configuration and User Config > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TS_SESSIONS_Limits | +| Name | TS_SESSIONS_Limits_2 | | Friendly Name | Set time limit for active Remote Desktop Services sessions | | Location | Computer Configuration | | Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | @@ -3931,7 +4842,7 @@ If you do not configure this policy setting, this policy setting is not specifie > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3975,7 +4886,8 @@ If you enable this policy setting, Remote Desktop Services users cannot use a sm If you disable or do not configure this policy setting, smart card device redirection is allowed. By default, Remote Desktop Services automatically redirects smart card devices on connection. -Note: The client computer must be running at least Microsoft Windows 2000 Server or at least Microsoft Windows XP Professional and the target server must be joined to a domain. +> [!NOTE] +> The client computer must be running at least Microsoft Windows 2000 Server or at least Microsoft Windows XP Professional and the target server must be joined to a domain. 
@@ -3993,7 +4905,7 @@ Note: The client computer must be running at least Microsoft Windows 2000 Server > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4014,6 +4926,75 @@ Note: The client computer must be running at least Microsoft Windows 2000 Server + +## TS_START_PROGRAM_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_START_PROGRAM_1 +``` + + + + +Configures Remote Desktop Services to run a specified program automatically upon connection. + +You can use this setting to specify a program to run automatically when a user logs on to a remote computer. + +By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. The Start menu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off. + +To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the RD Session Host server connection fails with an error message. + +If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program. + +If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) + +> [!NOTE] +> This setting appears in both Computer Configuration and User Configuration. 
If both settings are configured, the Computer Configuration setting overrides. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_START_PROGRAM_1 | +| Friendly Name | Start a program on connection | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fInheritInitialProgram | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_START_PROGRAM_2 @@ -4043,7 +5024,8 @@ If the status is set to Enabled, Remote Desktop Services sessions automatically If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) -Note: This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. +> [!NOTE] +> This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. 
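Review bot: the ADMX mapping table in the added TS_START_PROGRAM_1 section (hunk @@ -4014,6 +4926,75 @@) lists only the registry value fInheritInitialProgram, yet the description has the admin fill in "Program path and file name" and "Working Directory" and warns that an invalid path makes the RD Session Host connection fail. Please document how those two inputs are supplied in the string payload, so that a policy which replaces the desktop with a single program can be authored and audited without opening TerminalServer.admx.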
@@ -4061,13 +5043,13 @@ Note: This setting appears in both Computer Configuration and User Configuration > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TS_START_PROGRAM | +| Name | TS_START_PROGRAM_2 | | Friendly Name | Start a program on connection | | Location | Computer Configuration | | Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | @@ -4108,7 +5090,8 @@ If you disable this policy setting, temporary folders are deleted when a user lo If you do not configure this policy setting, Remote Desktop Services deletes the temporary folders from the remote computer at logoff, unless specified otherwise by the server administrator. -Note: This setting only takes effect if per-session temporary folders are in use on the server. If you enable the Do not use temporary folders per session policy setting, this policy setting has no effect. +> [!NOTE] +> This setting only takes effect if per-session temporary folders are in use on the server. If you enable the Do not use temporary folders per session policy setting, this policy setting has no effect. 
@@ -4126,7 +5109,7 @@ Note: This setting only takes effect if per-session temporary folders are in use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4190,7 +5173,7 @@ If you do not configure this policy setting, per-session temporary folders are c > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4234,7 +5217,8 @@ If you enable this policy setting, clients that are capable of time zone redirec If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone. -Note: Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 and later. +> [!NOTE] +> Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 and later. 
@@ -4252,7 +5236,7 @@ Note: Time zone redirection is possible only when connecting to at least a Micro > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4298,7 +5282,8 @@ If you enable this policy setting the default security descriptors for existing If you disable or do not configure this policy setting, server administrators have full read/write permissions to the user security descriptors by using the Remote Desktop Session WMI Provider. -Note: The preferred method of managing user access is by adding a user to the Remote Desktop Users group. +> [!NOTE] +> The preferred method of managing user access is by adding a user to the Remote Desktop Users group. @@ -4316,7 +5301,7 @@ Note: The preferred method of managing user access is by adding a user to the Re > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -4360,7 +5345,8 @@ If you enable this policy setting, the desktop is always displayed when a client If you disable or do not configure this policy setting, an initial program can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program is not specified, the desktop is always displayed on the remote computer after the client connects to the remote computer. -Note: If this policy setting is enabled, then the "Start a program on connection" policy setting is ignored. +> [!NOTE] +> If this policy setting is enabled, then the "Start a program on connection" policy setting is ignored. @@ -4378,7 +5364,7 @@ Note: If this policy setting is enabled, then the "Start a program on connection > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4442,7 +5428,7 @@ If you disable this policy setting, UI Automation clients running on your local > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -4504,7 +5490,7 @@ For this change to take effect, you must restart Windows. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4551,7 +5537,8 @@ If you disable this policy setting, Network Level Authentication is not required If you do not configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default. -Important: Disabling this policy setting provides less security because user authentication will occur later in the remote connection process. +> [!IMPORTANT] +> Disabling this policy setting provides less security because user authentication will occur later in the remote connection process. @@ -4569,7 +5556,7 @@ Important: Disabling this policy setting provides less security because user aut > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -4613,7 +5600,8 @@ To use this setting, select the location for the home directory (network or loca If you choose to keep the home directory on the local computer, type the Home Dir Root Path in the form "Drive:\Path" (without quotes), without environment variables or ellipses. Do not specify a placeholder for user alias, because Remote Desktop Services automatically appends this at logon. -Note: The Drive Letter field is ignored if you choose to specify a local path. If you choose to specify a local path but then type the name of a network share in Home Dir Root Path, Remote Desktop Services places user home directories in the network location. +> [!NOTE] +> The Drive Letter field is ignored if you choose to specify a local path. If you choose to specify a local path but then type the name of a network share in Home Dir Root Path, Remote Desktop Services places user home directories in the network location. If the status is set to Enabled, Remote Desktop Services creates the user's home directory in the specified location on the local computer or the network. The home directory path for each user is the specified Home Dir Root Path and the user's alias. @@ -4635,7 +5623,7 @@ If the status is set to Disabled or Not Configured, the user's home directory is > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -4678,7 +5666,7 @@ If you enable this policy setting, Remote Desktop Services uses the path specifi If you disable or do not configure this policy setting, mandatory user profiles are not used by users connecting remotely to the RD Session Host server. -Note: +**Note**: For this policy setting to take effect, you must also enable and configure the "Set path for Remote Desktop Services Roaming User Profile" policy setting. @@ -4698,7 +5686,7 @@ For this policy setting to take effect, you must also enable and configure the " > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
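Review bot: in the hunk at @@ -4678,7 +5666,7 @@ the label changes from "Note:" to an inline "**Note**:", while the neighbouring hunks in this file convert the same kind of label to the "> [!NOTE]" callout. The bold label also stays on its own line, with the sentence it introduces ("For this policy setting to take effect, ...") left as an unchanged context line below it. Suggest using "> [!NOTE]" with that sentence on the following quoted line so the note renders like the others. The next hunk (@@ -4746,7 +5734,8 @@) has the same inconsistency, and there the singular "**Note**:" now heads a two-item numbered list.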
@@ -4746,7 +5734,8 @@ To configure this policy setting, type the path to the network share in the form If you disable or do not configure this policy setting, user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the Remote Desktop Services Profile tab on the user's account Properties dialog box. -Notes: +**Note**: + 1. The roaming user profiles enabled by the policy setting apply only to Remote Desktop Services connections. A user might also have a Windows roaming user profile configured. The Remote Desktop Services roaming user profile always takes precedence in a Remote Desktop Services session. 2. To configure a mandatory Remote Desktop Services roaming user profile for all users connecting remotely to the RD Session Host server, use this policy setting together with the "Use mandatory profiles on the RD Session Host server" policy setting located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting should contain the mandatory profile. @@ -4766,7 +5755,7 @@ Notes: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4786,955 +5775,6 @@ Notes: - -## TS_CLIENT_ALLOW_SIGNED_FILES_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1 -``` - - - - -This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). - -If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. - -If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. - -Note: You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). 
- -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_CLIENT_ALLOW_SIGNED_FILES | -| Friendly Name | Allow .rdp files from valid publishers and user's default .rdp settings | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| Registry Value Name | AllowSignedFiles | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_CLIENT_ALLOW_UNSIGNED_FILES_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1 -``` - - - - -This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. - -If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. - -If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_CLIENT_ALLOW_UNSIGNED_FILES | -| Friendly Name | Allow .rdp files from unknown publishers | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| Registry Value Name | AllowUnsignedFiles | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_CLIENT_DISABLE_PASSWORD_SAVING_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1 -``` - - - - -Controls whether a user can save passwords using Remote Desktop Connection. - -If you enable this setting the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. - -If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_CLIENT_DISABLE_PASSWORD_SAVING | -| Friendly Name | Do not allow passwords to be saved | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| Registry Value Name | DisablePasswordSaving | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 -``` - - - - -This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. - -If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. - -If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. - -Note: - -You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. - -This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. - -If the list contains a string that is not a certificate thumbprint, it is ignored. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). 
- -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS | -| Friendly Name | Specify SHA1 thumbprints of certificates representing trusted .rdp publishers | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_EASY_PRINT_User - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_EASY_PRINT_User -``` - - - - -This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. - -If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. - -If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. - -Note: If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). 
- -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_EASY_PRINT | -| Friendly Name | Use Remote Desktop Easy Print printer driver first | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Printer Redirection | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| Registry Value Name | UseUniversalPrinterDriverFirst | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_GATEWAY_POLICY_AUTH_METHOD - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD -``` - - - - -Specifies the authentication method that clients must use when attempting to connect to an RD Session Host server through an RD Gateway server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. - -To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default. - -If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). 
- -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_GATEWAY_POLICY_AUTH_METHOD | -| Friendly Name | Set RD Gateway authentication method | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > RD Gateway | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_GATEWAY_POLICY_ENABLE - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE -``` - - - - -If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting. - -You can enforce this policy setting or you can allow users to overwrite this setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. - -Note: To enforce this policy setting, you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" policy setting, or client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. To enhance security, it is also highly recommended that you specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a smart card can be used. - -To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. 
If users do not specify a connection method, the connection method that you specify in this policy setting is used by default. - -If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_GATEWAY_POLICY_ENABLE | -| Friendly Name | Enable connection through RD Gateway | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > RD Gateway | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| Registry Value Name | UseProxy | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_GATEWAY_POLICY_SERVER - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER -``` - - - - -Specifies the address of the RD Gateway server that clients must use when attempting to connect to an RD Session Host server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. - -Note: It is highly recommended that you also specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this setting, either the NTLM protocol that is enabled on the client or a smart card can be used. - -To allow users to overwrite the "Set RD Gateway server address" policy setting and connect to another RD Gateway server, you must select the "Allow users to change this setting" check box and users will be allowed to specify an alternate RD Gateway server. Users can specify an alternative RD Gateway server by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate RD Gateway server, the server that you specify in this policy setting is used by default. - -Note: If you disable or do not configure this policy setting, but enable the "Enable connections through RD Gateway" policy setting, client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. 
- - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_GATEWAY_POLICY_SERVER | -| Friendly Name | Set RD Gateway server address | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > RD Gateway | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_RADC_DefaultConnection - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_RADC_DefaultConnection -``` - - - - -This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs. - -The default connection URL must be configured in the form of . - -If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL. - -If you disable or do not configure this policy setting, the user has no default connection URL. - -Note: RemoteApp programs that are installed through RemoteApp and Desktop Connections from an untrusted server can compromise the security of a user's account. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). 
- -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_RADC_DefaultDesktop | -| Friendly Name | Specify default connection URL | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > RemoteApp and Desktop Connections | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Workspaces | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_RemoteControl_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_RemoteControl_1 -``` - - - - -If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list: - -1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. -2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. -3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. -4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. -5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. - -If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). 
- -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_RemoteControl | -| Friendly Name | Set rules for remote control of Remote Desktop Services user sessions | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_Session_End_On_Limit_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_Session_End_On_Limit_1 -``` - - - - -This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. - -You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. - -Time limits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. - -If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. - -If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. - -If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. - -Note: This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. 
For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_Session_End_On_Limit | -| Friendly Name | End session when time limits are reached | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| Registry Value Name | fResetBroken | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_SESSIONS_Disconnected_Timeout_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1 -``` - - - - -This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. - -You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. - -When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. - -If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. - - -If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. - -Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). 
- -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_SESSIONS_Disconnected_Timeout | -| Friendly Name | Set time limit for disconnected sessions | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_SESSIONS_Idle_Limit_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1 -``` - - - - -This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. - -If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. - -If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. - -If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. - -Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). 
- -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_SESSIONS_Idle_Limit | -| Friendly Name | Set time limit for active but idle Remote Desktop Services sessions | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_SESSIONS_Limits_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Limits_1 -``` - - - - -This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. - -If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. - -If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. - -If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. - -Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). 
- -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_SESSIONS_Limits | -| Friendly Name | Set time limit for active Remote Desktop Services sessions | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_START_PROGRAM_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_START_PROGRAM_1 -``` - - - - -Configures Remote Desktop Services to run a specified program automatically upon connection. - -You can use this setting to specify a program to run automatically when a user logs on to a remote computer. - -By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. The Start menu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off. - -To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the RD Session Host server connection fails with an error message. - -If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program. - -If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) - -Note: This setting appears in both Computer Configuration and User Configuration. 
If both settings are configured, the Computer Configuration setting overrides. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_START_PROGRAM | -| Friendly Name | Start a program on connection | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| Registry Value Name | fInheritInitialProgram | -| ADMX File Name | TerminalServer.admx | - - - - - - - - diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md index 9b8a21444a..76aa3acf58 100644 --- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_UserProfiles Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_UserProfiles > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -44,9 +42,10 @@ ms.topic: reference -This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days. +This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days -**Note**: One day is interpreted as 24 hours after a specific user profile was accessed. +> [!NOTE] +> One day is interpreted as 24 hours after a specific user profile was accessed. If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that have not been used within the specified number of days. 
@@ -68,7 +67,7 @@ If you disable or do not configure this policy setting, User Profile Service wil > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -107,7 +106,8 @@ If you disable or do not configure this policy setting, User Profile Service wil This policy setting controls whether Windows forcefully unloads the user's registry at logoff, even if there are open handles to the per-user registry keys. -Note: This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile. +> [!NOTE] +> This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile. If you enable this policy setting, Windows will not forcefully unload the users registry at logoff, but will unload the registry when all open handles to the per-user registry keys are closed. 
@@ -129,7 +129,7 @@ If you disable or do not configure this policy setting, Windows will always unlo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -175,7 +175,8 @@ If you enable this policy setting, Windows will not delete Windows Installer or If you disable or do not configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy software installation data when those profiles are deleted. -Note: If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine. +> [!NOTE] +> If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine. @@ -193,7 +194,7 @@ Note: If this policy setting is enabled for a machine, local administrator actio > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -214,6 +215,75 @@ Note: If this policy setting is enabled for a machine, local administrator actio + +## LimitSize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/LimitSize +``` + + + + +This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles. + +If you disable this policy setting or do not configure it, the system does not limit the size of user profiles. + +If you enable this policy setting, you can: + +- Set a maximum permitted user profile size. +- Determine whether the registry files are included in the calculation of the profile size. +- Determine whether users are notified when the profile exceeds the permitted maximum size. +- Specify a customized message notifying users of the oversized profile. +- Determine how often the customized message is displayed. + +> [!NOTE] +> In operating systems earlier than Microsoft Windows Vista, Windows will not allow users to log off until the profile size has been reduced to within the allowable limit. In Microsoft Windows Vista, Windows will not block users from logging off. Instead, if the user has a roaming user profile, Windows will not synchronize the user's profile with the roaming profile server if the maximum profile size limit specified here is exceeded. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | LimitSize | +| Friendly Name | Limit profile size | +| Location | User Configuration | +| Path | System > User Profiles | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | EnableProfileQuota | +| ADMX File Name | UserProfiles.admx | + + + + + + + + ## ProfileErrorAction @@ -257,7 +327,7 @@ Also, see the "Delete cached copies of roaming profiles" policy setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -303,9 +373,10 @@ This policy setting and related policy settings in this folder together define t If you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection to be slow. -If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond.Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections. +If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond. Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections -**Important**: If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. +> [!IMPORTANT] +> If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. 
@@ -323,7 +394,7 @@ If you disable or do not configure this policy setting, Windows considers the ne > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -364,15 +435,16 @@ This policy setting allows you to specify the location and root (file share or l If you enable this policy setting, the user's home folder is configured to the specified local or network location, creating a new folder for each user name. -To use this policy setting, in the Location list, choose the location for the home folder. If you choose “On the network,” enter the path to a file share in the Path box (for example, \\ComputerName\ShareName), and then choose the drive letter to assign to the file share. If you choose “On the local computer,” enter a local path (for example, C:\HomeFolder) in the Path box. +To use this policy setting, in the Location list, choose the location for the home folder. If you choose "On the network," enter the path to a file share in the Path box (for example, \\ComputerName\ShareName), and then choose the drive letter to assign to the file share. If you choose "On the local computer," enter a local path (for example, C:\HomeFolder) in the Path box. Do not specify environment variables or ellipses in the path. Also, do not specify a placeholder for the user name because the user name will be appended at logon. -Note: The Drive letter box is ignored if you choose “On the local computer” from the Location list. If you choose “On the local computer” and enter a file share, the user's home folder will be placed in the network location without mapping the file share to a drive letter. +> [!NOTE] +> The Drive letter box is ignored if you choose "On the local computer" from the Location list. If you choose "On the local computer" and enter a file share, the user's home folder will be placed in the network location without mapping the file share to a drive letter. If you disable or do not configure this policy setting, the user's home folder is configured as specified in the user's Active Directory Domain Services account. 
-If the "Set Remote Desktop Services User Home Directory" policy setting is enabled, the “Set user home folder” policy setting has no effect. +If the "Set Remote Desktop Services User Home Directory" policy setting is enabled, the "Set user home folder" policy setting has no effect. @@ -390,7 +462,7 @@ If the "Set Remote Desktop Services User Home Directory" policy setting is enabl > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -453,13 +525,13 @@ If you do not configure or disable this policy the user will have full control o > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | UserInfoAccessAction_Name | +| Name | UserInfoAccessAction | | Friendly Name | User management of sharing user name, account picture, and domain information with apps (not desktop apps) | | Location | Computer Configuration | | Path | System > User Profiles | @@ -474,74 +546,6 @@ If you do not configure or disable this policy the user will have full control o - -## LimitSize - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/LimitSize -``` - - - - -This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles. - -If you disable this policy setting or do not configure it, the system does not limit the size of user profiles. - -If you enable this policy setting, you can: - --- Set a maximum permitted user profile size. --- Determine whether the registry files are included in the calculation of the profile size. --- Determine whether users are notified when the profile exceeds the permitted maximum size. --- Specify a customized message notifying users of the oversized profile. --- Determine how often the customized message is displayed. - -Note: In operating systems earlier than Microsoft Windows Vista, Windows will not allow users to log off until the profile size has been reduced to within the allowable limit. In Microsoft Windows Vista, Windows will not block users from logging off. Instead, if the user has a roaming user profile, Windows will not synchronize the user's profile with the roaming profile server if the maximum profile size limit specified here is exceeded. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). 
- -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | LimitSize | -| Friendly Name | Limit profile size | -| Location | User Configuration | -| Path | System > User Profiles | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | -| Registry Value Name | EnableProfileQuota | -| ADMX File Name | UserProfiles.admx | - - - - - - - - diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 1f070e5704..804f8c66c6 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -4,7 +4,7 @@ description: Learn more about the ApplicationManagement Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/09/2022 +ms.date: 01/04/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -674,6 +674,8 @@ List of semi-colon delimited Package Family Names of Windows apps. Listed Window This policy allows the IT admin to specify a list of applications that users can run after logging on to the device. +> [!NOTE] +> This policy only works on modern apps. @@ -688,18 +690,15 @@ This policy allows the IT admin to specify a list of applications that users can -For this policy to work, the Windows apps need to declare in their manifest that they'll use the startup task. -Example of the declaration here: +For this policy to work, the Windows apps need to declare in their manifest that they'll use the startup task. **Example**: + ```xml ``` - -> [!NOTE] -> This policy only works on modern apps. 
@@ -802,9 +801,10 @@ If you enable this policy setting, privileges are extended to all programs. Thes If you disable or do not configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer. -Note: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. +**Note**: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. -Caution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. +> [!CAUTION] +> Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. **Note** that the User Configuration version of this policy setting is not guaranteed to be secure. @@ -1091,7 +1091,7 @@ To ensure apps are up-to-date, this policy allows the admins to set a recurring -https://github.com/vinaypamnani-msft/windows-docs-pr +**Allowed values**:
@@ -1136,15 +1136,7 @@ https://github.com/vinaypamnani-msft/windows-docs-pr -> [!NOTE] -> The check for recurrence is done in a case sensitive manner. For instance the value needs to be “Daily” instead of “daily”. The wrong case will cause SmartRetry to fail to execute. - - - - -**Examples**: - -Sample SyncML: +**Example**: ```xml @@ -1171,6 +1163,9 @@ Sample SyncML: ``` + +> [!NOTE] +> The check for recurrence is done in a case sensitive manner. For instance the value needs to be "Daily" instead of "daily". The wrong case will cause SmartRetry to fail to execute. diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md index 512ee46ca4..422008fc22 100644 --- a/windows/client-management/mdm/policy-csp-appruntime.md +++ b/windows/client-management/mdm/policy-csp-appruntime.md @@ -4,7 +4,7 @@ description: Learn more about the AppRuntime Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/12/2022 +ms.date: 01/04/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - AppRuntime > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -66,7 +64,7 @@ If you disable or do not configure this policy setting, users will need to sign > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index 18b0deb48c..f8268a6402 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -18,6 +18,8 @@ ms.topic: reference +> [!NOTE] +> To manage encryption of PCs and devices, use [BitLocker CSP](./bitlocker-csp.md). 
@@ -42,6 +44,12 @@ This policy specifies the BitLocker Drive Encryption method and cipher strength. +The following list shows the supported values: + +- 3 - AES-CBC 128-bit +- 4 - AES-CBC 256-bit +- 6 - XTS-AES 128-bit +- 7 - XTS-AES 256-bit diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index d7d50fe51a..d69ea99b66 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -4,7 +4,7 @@ description: Learn more about the BITS Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/24/2022 +ms.date: 01/04/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -37,7 +37,7 @@ ms.topic: reference -This policy specifies the bandwidth throttling end time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 17 (5 PM). Supported value range: 0 - 23You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. +This policy specifies the bandwidth throttling end time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 17 (5 PM). Supported value range: 0 - 23. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). 
If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. **Note**: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). 
@@ -94,7 +94,7 @@ This policy specifies the bandwidth throttling end time that Background Intellig -This policy specifies the bandwidth throttling start time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 8 (8 am). Supported value range: 0 - 23You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. +This policy specifies the bandwidth throttling start time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 8 (8 am). Supported value range: 0 - 23. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). 
If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. **Note**: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). 
@@ -342,7 +342,7 @@ This policy setting defines the default behavior that the foreground Intelligent This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk. -**Note**: Any property changes to the job or any successful download action will reset this timeout. Value type is integer. Default is 90 days. Supported values range: 0 - 999Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs. Consider decreasing this value if you are concerned about orphaned jobs occupying disk space. If you disable or do not configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout. +**Note**: Any property changes to the job or any successful download action will reset this timeout. Value type is integer. Default is 90 days. Supported values range: 0 - 999. Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs. Consider decreasing this value if you are concerned about orphaned jobs occupying disk space. If you disable or do not configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout. diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index d522163ea8..81ae975132 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md 
@@ -4,7 +4,7 @@ description: Learn more about the Browser Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/24/2022 +ms.date: 01/04/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -18,6 +18,8 @@ ms.topic: reference +> [!NOTE] +> These settings are for the previous version of Microsoft Edge (version 45 and earlier) and are deprecated. These settings will be removed in a future Windows release. Microsoft recommends updating your version of Microsoft Edge to version 77 or later and use the ADMX Ingestion function for management. Learn more about how to [Configure Microsoft Edge using Mobile Device Management](/deployedge/configure-edge-with-mdm). @@ -43,7 +45,7 @@ ms.topic: reference This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. -Note: Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting. +**Note**: Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting. If you enable or don't configure this setting, employees can see the Address bar drop-down functionality in Microsoft Edge. 
@@ -165,10 +167,10 @@ If you don't configure this setting, employees can choose whether to use Autofil **Verify**: To verify AllowAutofill is set to 0 (not allowed): -1. Open Microsoft Edge. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the dropdown list, and select **View Advanced Settings**. -4. Verify the setting **Save form entries** is grayed out. +1. Open Microsoft Edge. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the dropdown list, and select **View Advanced Settings**. +4. Verify the setting **Save form entries** is grayed out. @@ -1323,7 +1325,7 @@ If disabled, the browsing history stops saving and is not visible in the History This policy setting lets you decide whether users can change their search engine. If you disable this setting, users can't add new search engines or change the default used in the address bar. -Important +**Important**: This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). If you enable or don't configure this policy, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. 
@@ -2118,7 +2120,7 @@ The Home button loads either the default Start page, the New tab page, or a URL -Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (. If enabled and set to 0 (Default or not configured): - If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. - If it’s one of many apps, Microsoft Edge runs as normal. If enabled and set to 1: - If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. - If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. +Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. 
To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (. If enabled and set to 0 (Default or not configured): - If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. - If it’s one of many apps, Microsoft Edge runs as normal. If enabled and set to 1: - If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. - If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. @@ -2586,7 +2588,7 @@ This setting lets you configure whether your company uses Enterprise Mode and th -Important. Discontinued in Windows 10, version 1511. Use the Browser/EnterpriseModeSiteList policy instead. +**Important**: . Discontinued in Windows 10, version 1511. Use the Browser/EnterpriseModeSiteList policy instead. 
@@ -2673,7 +2675,7 @@ Configure first run URL. -When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: `` `` If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: If you do not want to send traffic to Microsoft, enable this policy and use the `` value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Open Microsoft Edge With - Disable Lockdown of Start Pages +When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: `` `` If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: If you do not want to send traffic to Microsoft, enable this policy and use the `` value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. 
If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Open Microsoft Edge With - Disable Lockdown of Start Pages @@ -2734,7 +2736,7 @@ This policy setting lets you decide whether employees can add, import, sort, or If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. -Important +**Important**: Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. 
@@ -3230,7 +3232,7 @@ If you disable or don't configure this setting, employees can ignore Windows Def -You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. If disabled or not configured, extensions defined as part of this policy get ignored. Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: - Find a package family name (PFN) for per-app VPN ( - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune ( - How to assign apps to groups with Microsoft Intune ( - Manage apps from the Microsoft Store for Business with System Center Configuration Manager ( - How to add Windows line-of-business (LOB) apps to Microsoft Intune ( +You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. 
When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8. wekyb3. d8. bbwe;Microsoft.OfficeOnline_8. wekyb3. d8. bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. If disabled or not configured, extensions defined as part of this policy get ignored. Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: - Find a package family name (PFN) for per-app VPN ( - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune ( - How to assign apps to groups with Microsoft Intune ( - Manage apps from the Microsoft Store for Business with System Center Configuration Manager ( - How to add Windows line-of-business (LOB) apps to Microsoft Intune ( diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index c13152ace1..0b979ddd9f 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md 
@@ -4,7 +4,7 @@ description: Learn more about the Connectivity Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/27/2022 +ms.date: 01/04/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - Connectivity > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -194,13 +192,12 @@ If this policy setting is not configured or is disabled, clients are allowed to **Validate**: -To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy. -To validate on devices, perform the following steps: +To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy. To validate on a device, perform the following steps: -1. Go to Cellular & SIM. -2. Click on the SIM (next to the signal strength icon) and select **Properties**. -3. On the Properties page, select **Data roaming options**. +1. Go to Cellular & SIM. +2. Click on the SIM (next to the signal strength icon) and select **Properties**. +3. On the Properties page, select **Data roaming options**. @@ -222,7 +219,7 @@ To validate on devices, perform the following steps: -Note This policy requires reboot to take effect. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. +**Note**: This policy requires reboot to take effect. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. 
@@ -373,7 +370,6 @@ If you do not configure this policy setting, the default behavior depends on the **Validate**: - If the Connectivity/AllowPhonePCLinking policy is configured to value 0, add a phone button in the Phones section in settings will be grayed out and clicking it will not launch the window for a user to enter their phone number. Device that has previously opt-in to MMX will also stop showing on the device list. @@ -398,7 +394,7 @@ Device that has previously opt-in to MMX will also stop showing on the device li -NoteCurrently, this policy is supported only in HoloLens 2, Hololens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. Most restricted value is 0. +**Note**: Currently, this policy is supported only in HoloLens 2, Hololens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. Most restricted value is 0. 
@@ -549,7 +545,7 @@ This policy setting specifies whether to allow printing over HTTP from this clie Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. -Note: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. +**Note**: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. @@ -573,13 +569,13 @@ Also, see the "Web-based printing" policy setting in Computer Configuration/Admi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableHTTPPrinting | +| Name | DisableHTTPPrinting_2 | | Friendly Name | Turn off printing over HTTP | | Location | Computer Configuration | | Path | InternetManagement > Internet Communication settings | 
@@ -615,7 +611,7 @@ This policy setting specifies whether to allow this client to download print dri To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. -Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. +**Note**: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. If you enable this policy setting, print drivers cannot be downloaded over HTTP. @@ -637,13 +633,13 @@ If you disable or do not configure this policy setting, users can download print > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableWebPnPDownload | +| Name | DisableWebPnPDownload_2 | | Friendly Name | Turn off downloading of print drivers over HTTP | | Location | Computer Configuration | | Path | InternetManagement > Internet Communication settings | 
@@ -701,13 +697,13 @@ See the documentation for the web publishing and online ordering wizards for mor > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ShellPreventWPWDownload | +| Name | ShellPreventWPWDownload_2 | | Friendly Name | Turn off Internet download for Web publishing and online ordering wizards | | Location | Computer Configuration | | Path | InternetManagement > Internet Communication settings | @@ -828,7 +824,7 @@ If you enable this policy, Windows only allows access to the specified UNC paths > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -867,7 +863,7 @@ If you enable this policy, Windows only allows access to the specified UNC paths Determines whether a user can install and configure the Network Bridge. -Important: This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply. +**Important**: This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply. The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segements together. This connection appears in the Network Connections folder. @@ -889,7 +885,7 @@ If you disable this setting or do not configure it, the user will be able to cre > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index 8407ea5f13..a6e7b49ac7 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md 
@@ -4,7 +4,7 @@ description: Learn more about the DataProtection Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/27/2022 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -37,7 +37,7 @@ ms.topic: reference -This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker Device Encryption is enabled. Most restricted value is 0. +This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when [BitLocker Device Encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) is enabled. Most restricted value is 0. diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index 66ecdcc47e..9443821da7 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md 
@@ -59,6 +59,8 @@ If this policy setting is disabled or is not configured, the cost of 3G connecti +> [!NOTE] +> This policy is deprecated. diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 82f614f2ec..bf672dd0df 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -4,7 +4,7 @@ description: Learn more about the DeliveryOptimization Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/27/2022 +ms.date: 01/05/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - DeliveryOptimization > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -102,10 +100,8 @@ The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the - -Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. - -This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. + +Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. @@ -239,6 +235,8 @@ If this policy is not configured, the client will attempt to automatically find +> [!NOTE] +> If the DHCP Option ID is formatted incorrectly, the client will fall back to the [Cache Server Hostname](#docachehost) policy value if that value has been set. @@ -293,7 +291,7 @@ This policy allows you to delay the use of an HTTP source in a background downlo After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers. -Note that a download that is waiting for peer sources, will appear to be stuck for the end user. +**Note** that a download that is waiting for peer sources, will appear to be stuck for the end user. The recommended value is 1 hour (3600). @@ -349,10 +347,10 @@ The recommended value is 1 hour (3600). - -Set this policy to delay the fallback from Cache Server to the HTTP source for a background content download by X seconds. + +Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for a background content download. -Note: if you set the policy to delay background download from http, it will apply first (to allow downloads from peers first). +**Note** that the DODelayBackgroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first. 
@@ -406,10 +404,10 @@ Note: if you set the policy to delay background download from http, it will appl - -Set this policy to delay the fallback from Cache Server to the HTTP source for a foreground content download by X seconds. + +Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for foreground content download. -Note: if you set the policy to delay foreground download from http, it will apply first (to allow downloads from peers first). +**Note** that the DODelayForegroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first. @@ -468,7 +466,7 @@ This policy allows you to delay the use of an HTTP source in a foreground (inter After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers. -Note that a download that is waiting for peer sources, will appear to be stuck for the end user. +**Note** that a download that is waiting for peer sources, will appear to be stuck for the end user. The recommended value is 1 minute (60). 
@@ -583,22 +581,8 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec - -Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. - -The following list shows the supported values: - -0 = HTTP only, no peering. - -1 = HTTP blended with peering behind the same NAT. - -2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. - -3 = HTTP blended with Internet Peering. - -99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. - -100 = Bypass mode. Windows 10: Do not use Delivery Optimization and use BITS instead. Windows 11: Deprecated, use Simple mode instead. + +Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The default value is 1. @@ -669,7 +653,7 @@ Group ID must be set as a GUID. This Policy specifies an arbitrary group ID that Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. -Note: this is a best effort optimization and should not be relied on for an authentication of identity. +**Note** this is a best effort optimization and should not be relied on for an authentication of identity. 
@@ -721,30 +705,14 @@ Note: this is a best effort optimization and should not be relied on for an auth - -Set this policy to restrict peer selection to a specific source. - -Options available are: - -1 = AD Site. - -2 = Authenticated domain SID. - -3 = DHCP Option ID. - -4 = DNS Suffix. - -5 = AAD Tenant ID. - -When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. - -The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. - -For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. + +Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5. +> [!NOTE] +> The default behavior, when neither the DOGroupId or DOGroupIdSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If DOGroupIdSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. 
@@ -863,10 +831,8 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts - -Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. - -The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. + +Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means unlimited; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607. The default value is 604800 seconds (7 days). @@ -920,8 +886,8 @@ The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files - -Specifies the maximum cache size that Delivery Optimization uses as a percentage of available disk size (1-100). + +Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). The default value is 20. @@ -1032,10 +998,8 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts - -Specifies the minimum download QoS (Quality of Service or speed) for background downloads in KiloBytes/second. - -This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from HTTP source to achieve the specified minimum QoS value. + +Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. The default value is 20480 (20 MB/s). 
@@ -1207,10 +1171,8 @@ Note: If the DOModifyCacheDrive policy is set, the disk size check will apply to - -Specifies the minimum content file size in MB enabled to use Peer Caching. - -Recommended values: 1 MB to 100000 MB. + +Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. The default value is 100 MB. @@ -1264,12 +1226,8 @@ Recommended values: 1 MB to 100000 MB. - -Specifies the minimum RAM size in GB required to use Peer Caching. - -For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. - -Recommended values: 1 GB to 4 GB. + +Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. The default value is 4 GB. @@ -1378,10 +1336,8 @@ By default, %SystemDrive% is used to store the cache. The drive location can be - -Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. - -The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set. + +Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. The value 0 (zero) means unlimited; No monthly upload limit is applied if 0 is set. The default value is 5120 (5 TB). 
@@ -1566,6 +1522,9 @@ These options apply to both Download Mode LAN (1) and Group (2). +If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID). + +In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. The default value in Windows 11 is set to 'Local Peer Discovery'. The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. @@ -1643,7 +1602,7 @@ Specifies the maximum background download bandwidth that Delivery Optimization u > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1703,7 +1662,7 @@ This policy allows an IT Admin to define the following details: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md index bb9af56415..c8b7f8f8f7 100644 --- a/windows/client-management/mdm/policy-csp-desktopappinstaller.md +++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md 
@@ -4,7 +4,7 @@ description: Learn more about the DesktopAppInstaller Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/29/2022 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - DesktopAppInstaller > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -46,11 +44,11 @@ ms.topic: reference This policy controls additional sources provided by the enterprise IT administrator. -If you do not configure this policy, no additional sources will be configured for the Windows Package Manager. +If you do not configure this policy, no additional sources will be configured for the [Windows Package Manager](/windows/package-manager/). -If you enable this policy, the additional sources will be added to the Windows Package Manager and cannot be removed. The representation for each additional source can be obtained from installed sources using 'winget source export'. +If you enable this policy, the additional sources will be added to the [Windows Package Manager](/windows/package-manager/) and cannot be removed. The representation for each additional source can be obtained from installed sources using '[winget source export](/windows/package-manager/winget)'. -If you disable this policy, no additional sources can be configured for the Windows Package Manager. +If you disable this policy, no additional sources can be configured for the [Windows Package Manager](/windows/package-manager/). @@ -68,7 +66,7 @@ If you disable this policy, no additional sources can be configured for the Wind > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -110,9 +108,9 @@ This policy controls additional sources allowed by the enterprise IT administrat If you do not configure this policy, users will be able to add or remove additional sources other than those configured by policy. -If you enable this policy, only the sources specified can be added or removed from the Windows Package Manager. The representation for each allowed source can be obtained from installed sources using 'winget source export'. +If you enable this policy, only the sources specified can be added or removed from the [Windows Package Manager](/windows/package-manager/). The representation for each allowed source can be obtained from installed sources using '[winget source export](/windows/package-manager/winget)'. -If you disable this policy, no additional sources can be configured for the Windows Package Manager. +If you disable this policy, no additional sources can be configured for the [Windows Package Manager](/windows/package-manager/). @@ -130,7 +128,7 @@ If you disable this policy, no additional sources can be configured for the Wind > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -168,11 +166,11 @@ If you disable this policy, no additional sources can be configured for the Wind -This policy controls whether the Windows Package Manager can be used by users. +This policy controls whether the [Windows Package Manager](/windows/package-manager/) can be used by users. -If you enable or do not configure this setting, users will be able to use the Windows Package Manager. +If you enable or do not configure this setting, users will be able to use the [Windows Package Manager](/windows/package-manager/). -If you disable this setting, users will not be able to use the Windows Package Manager. +If you disable this setting, users will not be able to use the [Windows Package Manager](/windows/package-manager/). @@ -191,7 +189,7 @@ Users will still be able to execute the *winget* command. The default help will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -229,13 +227,13 @@ Users will still be able to execute the *winget* command. The default help will -This policy controls the default source included with the Windows Package Manager. +This policy controls the default source included with the [Windows Package Manager](/windows/package-manager/). -If you do not configure this setting, the default source for the Windows Package Manager will be available and can be removed. +If you do not configure this setting, the default source for the [Windows Package Manager](/windows/package-manager/) will be available and can be removed. -If you enable this setting, the default source for the Windows Package Manager will be available and cannot be removed. +If you enable this setting, the default source for the [Windows Package Manager](/windows/package-manager/) will be available and cannot be removed. -If you disable this setting the default source for the Windows Package Manager will not be available. +If you disable this setting the default source for the [Windows Package Manager](/windows/package-manager/) will not be available. @@ -253,7 +251,7 @@ If you disable this setting the default source for the Windows Package Manager w > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -291,11 +289,11 @@ If you disable this setting the default source for the Windows Package Manager w -This policy controls whether users can enable experimental features in the Windows Package Manager. +This policy controls whether users can enable experimental features in the [Windows Package Manager](/windows/package-manager/). -If you enable or do not configure this setting, users will be able to enable experimental features for the Windows Package Manager. +If you enable or do not configure this setting, users will be able to enable experimental features for the [Windows Package Manager](/windows/package-manager/). -If you disable this setting, users will not be able to enable experimental features for the Windows Package Manager. +If you disable this setting, users will not be able to enable experimental features for the [Windows Package Manager](/windows/package-manager/). @@ -314,7 +312,7 @@ Experimental features are used during Windows Package Manager development cycle > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -352,11 +350,11 @@ Experimental features are used during Windows Package Manager development cycle -This policy controls whether or not the Windows Package Manager can be configured to enable the ability override the SHA256 security validation in settings. +This policy controls whether or not the [Windows Package Manager](/windows/package-manager/) can be configured to enable the ability override the SHA256 security validation in settings. -If you enable or do not configure this policy, users will be able to enable the ability override the SHA256 security validation in the Windows Package Manager settings. +If you enable or do not configure this policy, users will be able to enable the ability override the SHA256 security validation in the [Windows Package Manager](/windows/package-manager/) settings. -If you disable this policy, users will not be able to enable the ability override the SHA256 security validation in the Windows Package Manager settings. +If you disable this policy, users will not be able to enable the ability override the SHA256 security validation in the [Windows Package Manager](/windows/package-manager/) settings. @@ -374,7 +372,7 @@ If you disable this policy, users will not be able to enable the ability overrid > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
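Review bot: All three edited sentences in the @@ -352 hunk still say "enable the ability override the SHA256 security validation"; since these lines are being touched, correct it to "the ability to override". Linking "Windows Package Manager" in every sentence of the description is also heavier than needed; linking the first mention in each policy section would be enough.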
@@ -414,9 +412,9 @@ If you disable this policy, users will not be able to enable the ability overrid This policy controls whether users can install packages with local manifest files. -If you enable or do not configure this setting, users will be able to install packages with local manifests using the Windows Package Manager. +If you enable or do not configure this setting, users will be able to install packages with local manifests using the [Windows Package Manager](/windows/package-manager/). -If you disable this setting, users will not be able to install packages with local manifests using the Windows Package Manager. +If you disable this setting, users will not be able to install packages with local manifests using the [Windows Package Manager](/windows/package-manager/). @@ -434,7 +432,7 @@ If you disable this setting, users will not be able to install packages with loc > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -472,13 +470,13 @@ If you disable this setting, users will not be able to install packages with loc -This policy controls the Microsoft Store source included with the Windows Package Manager. +This policy controls the Microsoft Store source included with the [Windows Package Manager](/windows/package-manager/). If you do not configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed. -If you enable this setting, the Microsoft Store source for the Windows Package Manager will be available and cannot be removed. +If you enable this setting, the Microsoft Store source for the [Windows Package Manager](/windows/package-manager/) will be available and cannot be removed. -If you disable this setting the Microsoft Store source for the Windows Package Manager will not be available. +If you disable this setting the Microsoft Store source for the [Windows Package Manager](/windows/package-manager/) will not be available. @@ -496,7 +494,7 @@ If you disable this setting the Microsoft Store source for the Windows Package M > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -556,7 +554,7 @@ If you disable this setting, users will not be able to install packages from web > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
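Review bot: In the @@ -472 hunk the "If you do not configure this setting" sentence is left as unchanged context, so it keeps the lowercase "Windows Package manager" and no link while the sentences before and after it are updated. Fix the capitalization there and apply the same link treatment so the four sentences of this description are consistent.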
@@ -596,9 +594,9 @@ If you disable this setting, users will not be able to install packages from web This policy controls whether users can change their settings. -If you enable or do not configure this setting, users will be able to change settings for the Windows Package Manager. +If you enable or do not configure this setting, users will be able to change settings for the [Windows Package Manager](/windows/package-manager/). -If you disable this setting, users will not be able to change settings for the Windows Package Manager. +If you disable this setting, users will not be able to change settings for the [Windows Package Manager](/windows/package-manager/). @@ -617,7 +615,7 @@ The settings are stored inside of a .json file on the user’s system. It may be > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -657,13 +655,14 @@ The settings are stored inside of a .json file on the user’s system. It may be This policy controls the auto update interval for package-based sources. -If you disable or do not configure this setting, the default interval or the value specified in settings will be used by the Windows Package Manager. +If you disable or do not configure this setting, the default interval or the value specified in settings will be used by the [Windows Package Manager](/windows/package-manager/). -If you enable this setting, the number of minutes specified will be used by the Windows Package Manager. +If you enable this setting, the number of minutes specified will be used by the [Windows Package Manager](/windows/package-manager/). +The default source for Windows Package Manager is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed (the index is not updated in the background). This setting has no impact on REST-based sources. @@ -677,7 +676,7 @@ If you enable this setting, the number of minutes specified will be used by the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index ea11b5d336..7eb40161d8 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md 
@@ -4,7 +4,7 @@ description: Learn more about the DeviceInstallation Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/29/2022 +ms.date: 01/05/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - DeviceInstallation > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -76,7 +74,7 @@ Peripherals can be specified by their [hardware identity](/windows-hardware/driv > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -176,7 +174,7 @@ Peripherals can be specified by their [device instance ID](/windows-hardware/dri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -215,7 +213,11 @@ To enable this policy, use the following SyncML. ``` + +**Verify**: + To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: + ``` txt >>> [Device Installation Restrictions Policy Check] >>> Section start 2018/11/15 12:26:41.659 @@ -276,7 +278,7 @@ Peripherals can be specified by their [hardware identity](/windows-hardware/driv > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -303,7 +305,6 @@ To enable this policy, use the following SyncML. This example allows Windows to Enclose the class GUID within curly brackets {}. To configure multiple classes, use `` as a delimiter. - ```xml @@ -322,11 +323,11 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes, ``` + **Verify**: To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: - ```txt >>> [Device Installation Restrictions Policy Check] >>> Section start 2018/11/15 12:26:41.659 
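Review bot: The @@ -303 hunk leaves "To configure multiple classes, use `` as a delimiter" with an empty code span, so the delimiter is not shown to the reader at all; the @@ -670 hunk later in this file writes the same delimiter as `&#xF000;`, and this sentence should get the same fix. The verify blocks also open with two different fence info strings ("``` txt" in the @@ -215 hunk, "```txt" in the @@ -322 hunk); use one form.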
@@ -359,18 +360,22 @@ This policy setting will change the evaluation order in which Allow and Prevent Device instance IDs > Device IDs > Device setup class > Removable devices Device instance IDs + 1. Prevent installation of devices using drivers that match these device instance IDs 2. Allow installation of devices using drivers that match these device instance IDs Device IDs + 3. Prevent installation of devices using drivers that match these device IDs 4. Allow installation of devices using drivers that match these device IDs Device setup class + 5. Prevent installation of devices using drivers that match these device setup classes 6. Allow installation of devices using drivers that match these device setup classes Removable devices + 7. Prevent installation of removable devices NOTE: This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored. @@ -393,7 +398,7 @@ If you disable or do not configure this policy setting, the default evaluation i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -430,6 +435,7 @@ If you disable or do not configure this policy setting, the default evaluation i ``` + **Verify**: To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: 
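Review bot: The "NOTE: This policy setting provides more granular control ..." paragraph in the @@ -359 hunk is left as plain text, while other hunks in this change convert notes to "**Note**:" or to a "> [!NOTE]" block; convert this one as well so the precedence rule between the two conflicting policy settings stands out. The blank lines added after "Device instance IDs", "Device IDs", "Device setup class" and "Removable devices" split the evaluation order into four lists numbered 1-2, 3-4, 5-6 and 7; check the rendered output still shows the continuous 1 to 7 order that the paragraph above describes.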
@@ -444,8 +450,6 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and You can also change the evaluation order of device installation policy settings by using a custom profile in Intune. :::image type="content" source="images/edit-row.png" alt-text="This image is an edit row image."::: - - @@ -489,7 +493,7 @@ If you disable or do not configure this policy setting, the setting in the Devic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -551,7 +555,7 @@ If you disable or do not configure this policy setting, Windows is allowed to in > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -651,7 +655,7 @@ Peripherals can be specified by their [hardware identity](/windows-hardware/driv > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -670,8 +674,7 @@ Peripherals can be specified by their [hardware identity](/windows-hardware/driv **Example**: -To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use &#xF000; as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_IDs_Deny_Retroactive to true. - +To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use `&#xF000;` as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_IDs_Deny_Retroactive to true. ```xml @@ -752,7 +755,7 @@ Peripherals can be specified by their [device instance ID](/windows-hardware/dri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -792,7 +795,7 @@ To enable this policy, use the following SyncML. This example prevents Windows f ``` -**Verify** +**Verify**: To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: 
@@ -812,15 +815,12 @@ For example, this custom profile prevents installation of devices with matching To prevent installation of devices with matching device instance IDs by using custom profile in Intune: 1. Locate the device instance ID. -2. Replace `&` in the device instance IDs with `&`. -For example: -Replace -```USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0``` -with -```USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0``` - > [!Note] - > don't use spaces in the value. -3. Replace the device instance IDs with `&` into the sample SyncML. Add the SyncML into the Intune custom device configuration profile. +1. Replace `&` in the device instance IDs with `&`. For example: Replace `USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0` with `USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0`. + + > [!NOTE] + > Don't use spaces in the value. + +1. Replace the device instance IDs with `&` into the sample SyncML. Add the SyncML into the Intune custom device configuration profile. @@ -868,7 +868,7 @@ Peripherals can be specified by their [hardware identity](/windows-hardware/driv > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index bc7b915aea..a4d1b7fa2a 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md 
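Review bot: In the @@ -812 hunk, step 2 as shown reads "Replace `&` in the device instance IDs with `&`", and the before and after example IDs are identical, so the escaping instruction cannot be followed from this text. Make sure the replacement string is written so that the escaped entity appears literally inside the code span, and that the second example ID shows it. Step 3 ("Replace the device instance IDs with `&` into the sample SyncML") is also ungrammatical and has the same problem; it needs rewording once the entity is visible.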
@@ -4,7 +4,7 @@ description: Learn more about the DeviceLock Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/29/2022 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,15 +17,13 @@ ms.topic: reference # Policy CSP - DeviceLock > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -[!Important] +> [!IMPORTANT] > The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For more information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types). 
@@ -156,10 +154,10 @@ Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the de +For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). + > [!NOTE] > This policy must be wrapped in an Atomic command. - -For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). @@ -211,16 +209,11 @@ Determines the type of PIN or password required. This policy only applies if the > [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows for desktop editions (Home, Pro, Enterprise, and Education). - - +> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1. +> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2. > [!NOTE] -> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1. -> -> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2. +> This policy must be wrapped in an Atomic command. Always use the Replace command instead of Add for this policy in Windows for desktop editions (Home, Pro, Enterprise, and Education). 
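Review bot: In the first added note of the AlphanumericDevicePasswordRequired hunk, the two "If **AlphanumericDevicePasswordRequired** is set to ..." sentences now sit on consecutive `>` lines with no empty `>` line between them, so Markdown will join them into a single paragraph. The removed version separated them with a bare `>`. Keep that separator, or turn the two cases into list items, so the "1 or 2" case and the "0" case stay visually distinct.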
@@ -246,48 +239,6 @@ Determines the type of PIN or password required. This policy only applies if the -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows for desktop editions. - - - -Max policy value is the most restricted. - -For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). - - - -The following list shows the supported values: - -- An integer X where 4 <= X <= 16 for client devices. However, local accounts will always enforce a minimum password length of 6. -- Not enforced. -- The default value is 4 for client devices. - - - -The following example shows how to set the minimum password length to 4 characters. - -```xml - - - - $CmdID$ - - - ./Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength - - - int - - 4 - - - - - -``` 
@@ -309,7 +260,8 @@ The following example shows how to set the minimum password length to 4 characte -Store passwords using reversible encryption This security setting determines whether the operating system stores passwords using reversible encryption. This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information. This policy is required when using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS). +Store passwords using reversible encryption +This security setting determines whether the operating system stores passwords using reversible encryption. This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information. This policy is required when using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS). 
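Review bot: Splitting "Store passwords using reversible encryption" onto its own line does not change the rendered output, because the next added line follows it directly and Markdown treats the two as one paragraph. If the intent is to set the setting name apart from its description, add a blank line after it or format it as bold text. Otherwise the split only adds diff noise.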
@@ -365,43 +317,38 @@ Specifies whether device lock is enabled. > [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows for desktop editions. +> This policy must be wrapped in an Atomic command. Always use the Replace command instead of Add for this policy in Windows for desktop editions. > [!IMPORTANT] > The **DevicePasswordEnabled** setting must be set to 0 (device password is enabled) for the following policy settings to take effect: > -> - AllowSimpleDevicePassword -> - MinDevicePasswordLength -> - AlphanumericDevicePasswordRequired -> - MaxDevicePasswordFailedAttempts -> - MaxInactivityTimeDeviceLock -> - MinDevicePasswordComplexCharacters -  - -> [!IMPORTANT] +> - AllowSimpleDevicePassword +> - MinDevicePasswordLength +> - AlphanumericDevicePasswordRequired +> - MaxDevicePasswordFailedAttempts +> - MaxInactivityTimeDeviceLock +> - MinDevicePasswordComplexCharacters +> > If **DevicePasswordEnabled** is set to 0 (device password is enabled), then the following policies are set: > -> - MinDevicePasswordLength is set to 4 -> - MinDevicePasswordComplexCharacters is set to 1 +> - MinDevicePasswordLength is set to 4 +> - MinDevicePasswordComplexCharacters is set to 1 > > If **DevicePasswordEnabled** is set to 1 (device password is disabled), then the following DeviceLock policies are set to 0: > -> - MinDevicePasswordLength -> - MinDevicePasswordComplexCharacters - -> [!Important] -> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. 
When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below: -> - **DevicePasswordEnabled** is the parent policy of the following: -> - AllowSimpleDevicePassword -> - MinDevicePasswordLength -> - AlphanumericDevicePasswordRequired -> - MinDevicePasswordComplexCharacters -> - DevicePasswordExpiration -> - DevicePasswordHistory -> - MaxDevicePasswordFailedAttempts -> - MaxInactivityTimeDeviceLock +> - MinDevicePasswordLength +> - MinDevicePasswordComplexCharacters +> +> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for backward compatibility with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1), it should be the only policy set from the DeviceLock group of policies listed below: +> +> - AllowSimpleDevicePassword +> - MinDevicePasswordLength +> - AlphanumericDevicePasswordRequired +> - MinDevicePasswordComplexCharacters +> - DevicePasswordExpiration +> - DevicePasswordHistory +> - MaxDevicePasswordFailedAttempts +> - MaxInactivityTimeDeviceLock @@ -452,6 +399,10 @@ Specifies when the password expires (in days). +If all policy values = 0, then 0; otherwise, Min policy value is the most secure value. + +For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). + > [!NOTE] > This policy must be wrapped in an Atomic command. 
@@ -470,20 +421,6 @@ Specifies when the password expires (in days). -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -If all policy values = 0, then 0; otherwise, Min policy value is the most secure value. - -For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). - - - -The following list shows the supported values: - -- An integer X where 0 <= X <= 730. -- 0 (default) - Passwords don't expire. @@ -510,21 +447,14 @@ Specifies how many passwords can be stored in the history that can’t be used. -> [!NOTE] -> This policy must be wrapped in an Atomic command. - The value includes the user's current password. This value denotes that with a setting of 1, the user can't reuse their current password when choosing a new password, while a setting of 5 means that a user can't set their new password to their current password or any of their previous four passwords. Max policy value is the most restricted. For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). - - -The following list shows the supported values: - -- An integer X where 0 <= X <= 50. -- 0 (default) +> [!NOTE] +> This policy must be wrapped in an Atomic command. 
@@ -641,15 +571,11 @@ Specifies the default lock screen and logon image shown when no user is signed i The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. -**Note**: This policy must be wrapped in an Atomic command. This policy has different behaviors on the mobile device and desktop. On a mobile device, when the user reaches the value set by this policy, then the device is wiped. On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced. Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. For additional information about this policy, see Exchange ActiveSync Policy Engine Overview. +**Note**: This policy must be wrapped in an Atomic command. This policy has different behaviors on the mobile device and desktop. On a mobile device, when the user reaches the value set by this policy, then the device is wiped. On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced. Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. 
This page prompts the user for the BitLocker recovery key. Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). -The following list shows the supported values: - -- An integer X where 4 <= X <= 16 for client devices. -- 0 (default) - The device is never wiped after an incorrect PIN or password is entered. 
@@ -687,9 +613,7 @@ The following list shows the supported values: -This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days. - -**Note**: It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources. Default: 42. +This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days. Note: It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources. Default: 42. 
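Review bot: This hunk turns the separate "**Note**: It is a security best practice ..." paragraph into a plain "Note:" appended to the end of the description, which runs against the rest of the patch, where "Note:" is being changed to "**Note**:" (for example the "Old events may or may not be retained" line in policy-csp-eventlogservice.md). Keep the note as its own paragraph with the bold label so the password-expiry guidance and the "Default: 42" value do not get lost at the end of a long paragraph.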
@@ -744,6 +668,12 @@ The number of authentication failures allowed before the device will be wiped. A +Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. + +On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. 
@@ -827,45 +757,32 @@ The number of complex element types (uppercase and lowercase letters, numbers, a -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows for desktop editions. - -PIN enforces the following behavior for client devices: - -- 1 - Digits only -- 2 - Digits and lowercase letters are required -- 3 - Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts. -- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop or HoloLens. - -The default value is 1. The following list shows the supported values and actual enforced values: - -|Account Type|Supported Values|Actual Enforced Values| -|--- |--- |--- | -|Local Accounts|1,2,3|3| -|Microsoft Accounts|1,2|<p2| -|Domain Accounts|Not supported|Not supported| +The following list shows the supported values and actual enforced values: +| Account Type | Supported Values | Actual Enforced Values | +|--------------------|------------------|------------------------| +| Local Accounts | 1,2,3 | 3 | +| Microsoft Accounts | 1,2 | <p2 | +| Domain Accounts | Not supported | Not supported | Enforced values for Local and Microsoft Accounts: -- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3. -- Passwords for local accounts must meet the following minimum requirements: - - - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters - - Be at least six characters in length - - Contain characters from three of the following four categories: - - - English uppercase characters (A through Z) - - English lowercase characters (a through z) - - Base 10 digits (0 through 9) - - Special characters (!, $, \#, %, etc.) +- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3. 
+- Passwords for local accounts must meet the following minimum requirements: + - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters + - Be at least six characters in length + - Contain characters from three of the following four categories: + - English uppercase characters (A through Z) + - English lowercase characters (a through z) + - Base 10 digits (0 through 9) + - Special characters (!, $, \#, %, etc.) The enforcement of policies for Microsoft accounts happens on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant. For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). +> [!NOTE] +> This policy must be wrapped in an Atomic command. Always use the Replace command instead of Add for this policy in Windows for desktop editions. @@ -918,7 +835,12 @@ Specifies the minimum number or characters required in the PIN or password. +Max policy value is the most restricted. +For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). + +> [!NOTE] +> This policy must be wrapped in an Atomic command. Always use the Replace command instead of Add for this policy in Windows for desktop editions. 
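Review bot: In the MinDevicePasswordComplexCharacters hunk, the reformatted table carries over `<p2` in the "Actual Enforced Values" cell for Microsoft Accounts, which looks like a markup remnant rather than a value. The paragraph below the list says the server requires a complexity of 2, so the cell presumably should read 2; please confirm and fix it while the table is being touched. The same hunk also removes the legend for values 1 to 4 ("Digits only" and so on) and the "The default value is 1" sentence, which leaves the "1,2,3" entries in the table undefined unless that legend is rendered from somewhere else.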
@@ -935,27 +857,6 @@ Specifies the minimum number or characters required in the PIN or password. -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows for desktop editions. - - - -Max policy value is the most restricted. - -For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). - - - -The following list shows the supported values: - -- An integer X where 4 <= X <= 16 for client devices. However, local accounts will always enforce a minimum password length of 6. -- Not enforced. -- The default value is 4 for client devices. - - - **Example**: The following example shows how to set the minimum password length to 4 characters. 
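Review bot: The removed supported-values list is the only place in the visible text that says local accounts always enforce a minimum password length of 6 and that the default is 4 for client devices. The lines added for MinDevicePasswordLength in the earlier hunk ("Max policy value is the most restricted", the links and the Atomic note) do not restate either point. If the range and default now come from a generated properties table, the local-accounts caveat still needs a home in the hand-written section, because it changes what an administrator who sets 4 will actually get.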
@@ -1050,11 +951,23 @@ This security setting determines the period of time (in days) that a password mu -Password must meet complexity requirements This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: Not contain the user's account name or parts of the user's full name that exceed two consecutive characters Be at least six characters in length Contain characters from three of the following four categories: English uppercase characters (A through Z) English lowercase characters (a through z) Base 10 digits (0 through 9) Non-alphabetic characters (for example, !, $, #, %) Complexity requirements are enforced when passwords are changed or created. +Password must meet complexity requirements +This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: Not contain the user's account name or parts of the user's full name that exceed two consecutive characters Be at least six characters in length Contain characters from three of the following four categories: English uppercase characters (A through Z) English lowercase characters (a through z) Base 10 digits (0 through 9) Non-alphabetic characters (for example, !, $, #, %) Complexity requirements are enforced when passwords are changed or created. +Password must meet complexity requirements. This security setting determines whether passwords must meet complexity requirements. 
If this policy is enabled, passwords must meet the following minimum requirements: + +- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters +- Be at least six characters in length +- Contain characters from three of the following four categories: + - English uppercase characters (A through Z) + - English lowercase characters (a through z) + - Base 10 digits (0 through 9) + - Non-alphabetic characters (for example, !, $, #, %) + +Complexity requirements are enforced when passwords are changed or created. 
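Review bot: The added lines describe the complexity requirements twice: first as the split title plus the original run-on paragraph ("+Password must meet complexity requirements" followed by "+This security setting determines ..."), then again as the reformatted paragraph with the bulleted list. Drop the first pair and keep only the bulleted version, otherwise the rendered page repeats the whole setting description.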
@@ -1100,9 +1013,8 @@ Password must meet complexity requirements This security setting determines whet -Minimum password length This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting is dependent on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting is not defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required. - -**Note**: By default, member computers follow the configuration of their domain controllers. Default: 7 on domain controllers. 0 on stand-alone servers. Configuring this setting than 14 may affect compatibility with clients, services, and applications. Microsoft recommends that you only configure this setting larger than 14 after using the Minimum password length audit setting to test for potential incompatibilities at the new setting. +Minimum password length +This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting is dependent on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting is not defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required. 
Note: By default, member computers follow the configuration of their domain controllers. Default: 7 on domain controllers. 0 on stand-alone servers. Configuring this setting than 14 may affect compatibility with clients, services, and applications. Microsoft recommends that you only configure this setting larger than 14 after using the Minimum password length audit setting to test for potential incompatibilities at the new setting. @@ -1174,7 +1086,7 @@ If you enable this setting, users will no longer be able to enable or disable lo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1234,7 +1146,7 @@ If you enable this setting, users will no longer be able to modify slide show se > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md index 56f1f619a0..44c3dc7d33 100644 --- a/windows/client-management/mdm/policy-csp-eventlogservice.md +++ b/windows/client-management/mdm/policy-csp-eventlogservice.md 
@@ -4,7 +4,7 @@ description: Learn more about the EventLogService Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/29/2022 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - EventLogService > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -50,7 +48,7 @@ If you enable this policy setting and a log file reaches its maximum size, new e If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. -Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. +**Note**: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. 
@@ -68,13 +66,13 @@ Note: Old events may or may not be retained according to the "Backup log automat > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_Log_Retention | +| Name | Channel_Log_Retention_1 | | Friendly Name | Control Event Log behavior when the log file reaches its maximum size | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Application | @@ -128,13 +126,13 @@ If you disable or do not configure this policy setting, the maximum size of the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_LogMaxSize | +| Name | Channel_LogMaxSize_1 | | Friendly Name | Specify the maximum log file size (KB) | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Application | 
@@ -187,13 +185,13 @@ If you disable or do not configure this policy setting, the maximum size of the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_LogMaxSize | +| Name | Channel_LogMaxSize_2 | | Friendly Name | Specify the maximum log file size (KB) | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Security | @@ -246,13 +244,13 @@ If you disable or do not configure this policy setting, the maximum size of the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_LogMaxSize | +| Name | Channel_LogMaxSize_4 | | Friendly Name | Specify the maximum log file size (KB) | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > System | diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 56af7d7e93..beec4bf3cb 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md 
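Review bot: In policy-csp-eventlogservice.md the renamed ADMX entries run `Channel_LogMaxSize_1` (Application), `Channel_LogMaxSize_2` (Security) and then `Channel_LogMaxSize_4` (System), skipping `_3`. Please confirm against the ADMX file that System really is `_4` and that this is not an off-by-one in the generated names. A mismatch here would point administrators at the wrong log channel's size limit.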
@@ -4,7 +4,7 @@ description: Learn more about the Experience Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/29/2022 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -84,11 +84,11 @@ Policy change takes effect immediately. **Validate**: -1. Configure Experiences/AllowClipboardHistory to 0. +1. Configure Experience/AllowClipboardHistory to 0. 1. Open Notepad (or any editor app), select a text, and copy it to the clipboard. 1. Press Win+V to open the clipboard history UI. 1. You shouldn't see any clipboard item including current item you copied. -1. The setting under Settings App->System->Clipboard should be grayed out with policy warning. +1. The setting under Settings App -> System -> Clipboard should be grayed out with policy warning. @@ -282,7 +282,7 @@ This policy turns on Find My Device. When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. On devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer. -When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work.The user will also not be able to view the location of the last use of their active digitizer on their device. +When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. The user will also not be able to view the location of the last use of their active digitizer on their device. @@ -546,7 +546,7 @@ This policy is deprecated. -Allow SIM error diaglog prompts when no SIM is inserted. +Allow SIM error dialog prompts when no SIM is inserted. 
@@ -578,6 +578,65 @@ Allow SIM error diaglog prompts when no SIM is inserted. + +## AllowSpotlightCollection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowSpotlightCollection +``` + + + + +Specifies whether Spotlight collection is allowed as a Personalization->Background Setting. If you enable this policy setting, Spotlight collection will show as an option in the user's Personalization Settings, and the user will be able to get daily images from Microsoft displayed on their desktop. If you disable this policy setting, Spotlight collection will not show as an option in Personalization Settings, and the user will not have the choice of getting Microsoft daily images shown on their desktop. + + + + +The following list shows the supported values: + +- When set to 0, Spotlight collection will not show as an option in Personalization Settings and therefore be unavailable on Desktop. +- When set to 1 (default), Spotlight collection will show as an option in Personalization Settings and therefore be available on Desktop, allowing Desktop to refresh for daily images from Microsoft. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSpotlightCollectionOnDesktop | +| Friendly Name | Turn off Spotlight collection on Desktop | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableSpotlightCollectionOnDesktop | +| ADMX File Name | CloudContent.admx | + + + + + + + + ## AllowSyncMySettings 
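Review bot: In the added AllowSpotlightCollection description, "If you enable this policy setting, Spotlight collection will show as an option" reads in the opposite direction from the group policy it is mapped to, `DisableSpotlightCollectionOnDesktop` with friendly name "Turn off Spotlight collection on Desktop", so a reader cannot tell whether "enable" refers to the CSP value or to the GP setting. Suggest describing the behaviour in terms of the CSP values (0 and 1), or stating explicitly that the CSP value is the inverse of the GP setting. The supported values are also given as a bullet list here, whereas the other policies added in this patch use an **Allowed values** table with the default marked as "(Default)"; using the table form would keep the sections consistent.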
@@ -595,7 +654,7 @@ Allow SIM error diaglog prompts when no SIM is inserted. -Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see About sync setting on Windows 10 devices. +Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). @@ -627,6 +686,72 @@ Allows or disallows all Windows sync settings on the device. For information abo + +## AllowTailoredExperiencesWithDiagnosticData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowTailoredExperiencesWithDiagnosticData +``` + + + + +This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. Diagnostic data can include browser, app and feature usage, depending on the Diagnostic and usage data setting value. + +**Note**: This setting does not control Cortana cutomized experiences because there are separate policies to configure it. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [Experience_AllowTailoredExperiencesWithDiagnosticData_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
| + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableTailoredExperiencesWithDiagnosticData | +| Friendly Name | Do not use diagnostic data for tailored experiences | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableTailoredExperiencesWithDiagnosticData | +| ADMX File Name | CloudContent.admx | + + + + + + + + ## AllowTaskSwitcher @@ -679,6 +804,70 @@ This policy is deprecated. + +## AllowThirdPartySuggestionsInWindowsSpotlight + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowThirdPartySuggestionsInWindowsSpotlight +``` + + + + +Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [Experience_AllowThirdPartySuggestionsInWindowsSpotlight_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
| + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Third-party suggestions not allowed. | +| 1 (Default) | Third-party suggestions allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableThirdPartySuggestions | +| Friendly Name | Do not suggest third-party content in Windows spotlight | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableThirdPartySuggestions | +| ADMX File Name | CloudContent.admx | + + + + + + + + ## AllowVoiceRecording @@ -795,766 +984,6 @@ Prior to Windows 10, version 1803, this policy had User scope. This policy allow - -## AllowWindowsTips - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Experience/AllowWindowsTips -``` - - - - -Enables or disables Windows Tips / soft landing. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | -| Dependency [Experience_AllowWindowsTips_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
| - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Disabled. | -| 1 (Default) | Enabled. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableSoftLanding | -| Friendly Name | Do not show Windows tips | -| Location | Computer Configuration | -| Path | Windows Components > Cloud Content | -| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | -| Registry Value Name | DisableSoftLanding | -| ADMX File Name | CloudContent.admx | - - - - - - - - - -## ConfigureChatIcon - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Experience/ConfigureChatIcon -``` - - - - -Configures the Chat icon on the taskbar - - - - -> [!NOTE] -> Option 1 (Show) and Option 2 (Hide) only work on the first sign-in attempt. Option 3 (Disabled) works on all attempts. - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Not Configured | -| 1 | Show | -| 2 | Hide | -| 3 | Disabled | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | ConfigureChatIcon | -| Friendly Name | Configures the Chat icon on the taskbar | -| Element Name | State | -| Location | Computer Configuration | -| Path | Windows Components > Chat | -| Registry Key Name | Software\Policies\Microsoft\Windows\Windows Chat | -| ADMX File Name | Taskbar.admx | - - - - - - - - - -## DisableCloudOptimizedContent - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Experience/DisableCloudOptimizedContent -``` - - - - -This policy setting lets you turn off cloud optimized content in all Windows experiences. - -If you enable this policy, Windows experiences that use the cloud optimized content client component, will instead present the default fallback content. - -If you disable or do not configure this policy, Windows experiences will be able to use cloud optimized content. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Disabled. | -| 1 | Enabled. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableCloudOptimizedContent | -| Friendly Name | Turn off cloud optimized content | -| Location | Computer Configuration | -| Path | Windows Components > Cloud Content | -| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | -| Registry Value Name | DisableCloudOptimizedContent | -| ADMX File Name | CloudContent.admx | - - - - - - - - - -## DisableConsumerAccountStateContent - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Experience/DisableConsumerAccountStateContent -``` - - - - -This policy setting lets you turn off cloud consumer account state content in all Windows experiences. - -If you enable this policy, Windows experiences that use the cloud consumer account state content client component, will instead present the default fallback content. - -If you disable or do not configure this policy, Windows experiences will be able to use cloud consumer account state content. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Disabled. | -| 1 | Enabled. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableConsumerAccountStateContent | -| Friendly Name | Turn off cloud consumer account state content | -| Location | Computer Configuration | -| Path | Windows Components > Cloud Content | -| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | -| Registry Value Name | DisableConsumerAccountStateContent | -| ADMX File Name | CloudContent.admx | - - - - - - - - - -## DoNotShowFeedbackNotifications - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Experience/DoNotShowFeedbackNotifications -``` - - - - -This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. - -If you enable this policy setting, users will no longer see feedback notifications through the Windows Feedback app. - -If you disable or do not configure this policy setting, users may see notifications through the Windows Feedback app asking users for feedback. - -Note: If you disable or do not configure this policy setting, users can control how often they receive feedback questions. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally. | -| 1 | Feedback notifications are disabled. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DoNotShowFeedbackNotifications | -| Friendly Name | Do not show feedback notifications | -| Location | Computer Configuration | -| Path | WindowsComponents > Data Collection and Preview Builds | -| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | -| Registry Value Name | DoNotShowFeedbackNotifications | -| ADMX File Name | FeedbackNotifications.admx | - - - - - - - - - -## DoNotSyncBrowserSettings - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSettings -``` - - - - -Prevent the "browser" group from syncing to and from this PC. This turns off and disables the "browser" group on the "sync your settings" page in PC settings. The "browser" group contains settings and info like history and favorites. - -If you enable this policy setting, the "browser" group, including info like history and favorites, will not be synced. - -Use the option "Allow users to turn browser syncing on" so that syncing is turned off by default but not disabled. - -If you do not set or disable this setting, syncing of the "browser" group is on by default and configurable by the user. - - - - -Related policy: - [PreventUsersFromTurningOnBrowserSyncing](#experience-preventusersfromturningonbrowsersyncing) - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 2 | Disable Syncing | -| 0 (Default) | Allow syncing | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableWebBrowserSettingSync | -| Friendly Name | Do not sync browser settings | -| Location | Computer Configuration | -| Path | Windows Components > Sync your settings | -| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | -| Registry Value Name | DisableWebBrowserSettingSync | -| ADMX File Name | SettingSync.admx | - - - - -_**Sync the browser settings automatically**_ - - Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). - -_**Prevent syncing of browser settings and prevent users from turning it on**_ - -1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). -2. 
Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off). - -_**Prevent syncing of browser settings and let users turn on syncing**_ - -1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). -2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). - -_**Turn syncing off by default but don’t disable**_ - - Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off) and select the _Allow users to turn “browser” syncing_ option. - - - - - -## PreventUsersFromTurningOnBrowserSyncing - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Experience/PreventUsersFromTurningOnBrowserSyncing -``` - - - - -You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. Related policy: DoNotSyncBrowserSettings 1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing - - - - -Related policy: - [DoNotSyncBrowserSettings](#experience-donotsyncbrowsersetting) - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Allowed/turned on. Users can sync the browser settings. | -| 1 (Default) | Prevented/turned off. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableWebBrowserSettingSync | -| Friendly Name | Do not sync browser settings | -| Element Name | Allow users to turn "browser" syncing on. | -| Location | Computer Configuration | -| Path | Windows Components > Sync your settings | -| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | -| ADMX File Name | SettingSync.admx | - - - - -**Examples**: - -_**Sync the browser settings automatically**_ - - Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). - -_**Prevent syncing of browser settings and prevent users from turning it on**_ - -1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). -2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off). 
- -_**Prevent syncing of browser settings and let users turn on syncing**_ - -1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). -2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). - -**Validate**: - -1. Select **More > Settings**. -1. See, if the setting is enabled or disabled based on your selection. - - - - - -## ShowLockOnUserTile - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Experience/ShowLockOnUserTile -``` - - - - -Shows or hides lock from the user tile menu. -If you enable this policy setting, the lock option will be shown in the User Tile menu. - -If you disable this policy setting, the lock option will never be shown in the User Tile menu. - -If you do not configure this policy setting, users will be able to choose whether they want lock to show through the Power Options Control Panel. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | The lock option is not displayed in the User Tile menu. | -| 1 (Default) | The lock option is displayed in the User Tile menu. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | ShowLockOption | -| Friendly Name | Show lock in the user tile menu | -| Location | Computer Configuration | -| Path | WindowsComponents > File Explorer | -| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | -| Registry Value Name | ShowLockOption | -| ADMX File Name | WindowsExplorer.admx | - - - - - - - - - -## AllowSpotlightCollection - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/Experience/AllowSpotlightCollection -``` - - - - -Specifies whether Spotlight collection is allowed as a Personalization->Background Setting. If you enable this policy setting, Spotlight collection will show as an option in the user's Personalization Settings, and the user will be able to get daily images from Microsoft displayed on their desktop. If you disable this policy setting, Spotlight collection will not show as an option in Personliazation Settings, and the user will not have the choice of getting Microsoft daily images shown on their desktop. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-1]` | -| Default Value | 1 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableSpotlightCollectionOnDesktop | -| Friendly Name | Turn off Spotlight collection on Desktop | -| Location | User Configuration | -| Path | Windows Components > Cloud Content | -| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | -| Registry Value Name | DisableSpotlightCollectionOnDesktop | -| ADMX File Name | CloudContent.admx | - - - - - - - - - -## AllowTailoredExperiencesWithDiagnosticData - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/Experience/AllowTailoredExperiencesWithDiagnosticData -``` - - - - -This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. Diagnostic data can include browser, app and feature usage, depending on the Diagnostic and usage data setting value. - -**Note**: This setting does not control Cortana cutomized experiences because there are separate policies to configure it. Most restricted value is 0. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | -| Dependency [Experience_AllowTailoredExperiencesWithDiagnosticData_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
| - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Not allowed. | -| 1 (Default) | Allowed. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableTailoredExperiencesWithDiagnosticData | -| Friendly Name | Do not use diagnostic data for tailored experiences | -| Location | User Configuration | -| Path | Windows Components > Cloud Content | -| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | -| Registry Value Name | DisableTailoredExperiencesWithDiagnosticData | -| ADMX File Name | CloudContent.admx | - - - - - - - - - -## AllowThirdPartySuggestionsInWindowsSpotlight - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/Experience/AllowThirdPartySuggestionsInWindowsSpotlight -``` - - - - -Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | -| Dependency [Experience_AllowThirdPartySuggestionsInWindowsSpotlight_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
| - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Third-party suggestions not allowed. | -| 1 (Default) | Third-party suggestions allowed. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableThirdPartySuggestions | -| Friendly Name | Do not suggest third-party content in Windows spotlight | -| Location | User Configuration | -| Path | Windows Components > Cloud Content | -| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | -| Registry Value Name | DisableThirdPartySuggestions | -| ADMX File Name | CloudContent.admx | - - - - - - - - ## AllowWindowsSpotlight @@ -1809,6 +1238,137 @@ This policy setting lets you turn off the Windows spotlight Windows welcome expe + +## AllowWindowsTips + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowWindowsTips +``` + + + + +Enables or disables Windows Tips / soft landing. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [Experience_AllowWindowsTips_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
| + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSoftLanding | +| Friendly Name | Do not show Windows tips | +| Location | Computer Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableSoftLanding | +| ADMX File Name | CloudContent.admx | + + + + + + + + + +## ConfigureChatIcon + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/ConfigureChatIcon +``` + + + + +Configures the Chat icon on the taskbar + + + + +> [!NOTE] +> Option 1 (Show) and Option 2 (Hide) only work on the first sign-in attempt. Option 3 (Disabled) works on all attempts. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not Configured | +| 1 | Show | +| 2 | Hide | +| 3 | Disabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureChatIcon | +| Friendly Name | Configures the Chat icon on the taskbar | +| Element Name | State | +| Location | Computer Configuration | +| Path | Windows Components > Chat | +| Registry Key Name | Software\Policies\Microsoft\Windows\Windows Chat | +| ADMX File Name | Taskbar.admx | + + + + + + + + ## ConfigureWindowsSpotlightOnLockScreen @@ -1836,7 +1396,8 @@ If you disable this policy setting, Windows spotlight will be turned off and use If you do not configure this policy, Windows spotlight will be available on the lock screen and will be selected by default, unless you have configured another default lock screen image using the "Force a specific default lock screen and logon image" policy. -Note: This policy is only available for Enterprise SKUs +> [!NOTE] +> This policy is only available for Enterprise SKUs @@ -1885,6 +1446,297 @@ Note: This policy is only available for Enterprise SKUs + +## DisableCloudOptimizedContent + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/DisableCloudOptimizedContent +``` + + + + +This policy setting lets you turn off cloud optimized content in all Windows experiences. + +If you enable this policy, Windows experiences that use the cloud optimized content client component, will instead present the default fallback content. + +If you disable or do not configure this policy, Windows experiences will be able to use cloud optimized content. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableCloudOptimizedContent | +| Friendly Name | Turn off cloud optimized content | +| Location | Computer Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableCloudOptimizedContent | +| ADMX File Name | CloudContent.admx | + + + + + + + + + +## DisableConsumerAccountStateContent + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/DisableConsumerAccountStateContent +``` + + + + +This policy setting lets you turn off cloud consumer account state content in all Windows experiences. + +If you enable this policy, Windows experiences that use the cloud consumer account state content client component, will instead present the default fallback content. + +If you disable or do not configure this policy, Windows experiences will be able to use cloud consumer account state content. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableConsumerAccountStateContent | +| Friendly Name | Turn off cloud consumer account state content | +| Location | Computer Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableConsumerAccountStateContent | +| ADMX File Name | CloudContent.admx | + + + + + + + + + +## DoNotShowFeedbackNotifications + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/DoNotShowFeedbackNotifications +``` + + + + +This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. + +If you enable this policy setting, users will no longer see feedback notifications through the Windows Feedback app. + +If you disable or do not configure this policy setting, users may see notifications through the Windows Feedback app asking users for feedback. + +> [!NOTE] +> If you disable or do not configure this policy setting, users can control how often they receive feedback questions. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally. | +| 1 | Feedback notifications are disabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DoNotShowFeedbackNotifications | +| Friendly Name | Do not show feedback notifications | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| Registry Value Name | DoNotShowFeedbackNotifications | +| ADMX File Name | FeedbackNotifications.admx | + + + + + + + + + +## DoNotSyncBrowserSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSettings +``` + + + + +Prevent the "browser" group from syncing to and from this PC. This turns off and disables the "browser" group on the "sync your settings" page in PC settings. The "browser" group contains settings and info like history and favorites. + +If you enable this policy setting, the "browser" group, including info like history and favorites, will not be synced. + +Use the option "Allow users to turn browser syncing on" so that syncing is turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "browser" group is on by default and configurable by the user. + + + + +Related policy: [PreventUsersFromTurningOnBrowserSyncing](#preventusersfromturningonbrowsersyncing) + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | Disable Syncing | +| 0 (Default) | Allow syncing | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWebBrowserSettingSync | +| Friendly Name | Do not sync browser settings | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableWebBrowserSettingSync | +| ADMX File Name | SettingSync.admx | + + + + +_**Sync the browser settings automatically**_ + + Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). + +_**Prevent syncing of browser settings and prevent users from turning it on**_ + +1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). +2. 
Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off). + +_**Prevent syncing of browser settings and let users turn on syncing**_ + +1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). +2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). + +_**Turn syncing off by default but don’t disable**_ + + Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off) and select the _Allow users to turn “browser” syncing_ option. + + + + ## EnableOrganizationalMessages @@ -1934,6 +1786,160 @@ Organizational messages allow Administrators to deliver messages to their end us + +## PreventUsersFromTurningOnBrowserSyncing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/PreventUsersFromTurningOnBrowserSyncing +``` + + + + +You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. +Related policy: DoNotSyncBrowserSettings +1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing + + + + +By default, the "browser" group syncs automatically between the user's devices, letting users make changes. With this policy though, you can prevent the "browser" group from syncing and prevent users from turning on the **Sync your Settings** toggle in Settings. If you want syncing turned off by default but not disabled, select the **Allow syncing** option in the [DoNotSyncBrowserSettings](#donotsyncbrowsersettings). For this policy to work correctly, you must enable the DoNotSyncBrowserSettings policy. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Allowed/turned on. Users can sync the browser settings. | +| 1 (Default) | Prevented/turned off. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWebBrowserSettingSync | +| Friendly Name | Do not sync browser settings | +| Element Name | Allow users to turn "browser" syncing on. 
| +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| ADMX File Name | SettingSync.admx | + + + + +**Examples**: + +_**Sync the browser settings automatically**_ + + Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). + +_**Prevent syncing of browser settings and prevent users from turning it on**_ + +1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). +2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off). + +_**Prevent syncing of browser settings and let users turn on syncing**_ + +1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). +2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). + +**Validate**: + +1. Select **More > Settings**. +1. See, if the setting is enabled or disabled based on your selection. + + + + + +## ShowLockOnUserTile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/ShowLockOnUserTile +``` + + + + +Shows or hides lock from the user tile menu. +If you enable this policy setting, the lock option will be shown in the User Tile menu. + +If you disable this policy setting, the lock option will never be shown in the User Tile menu. + +If you do not configure this policy setting, users will be able to choose whether they want lock to show through the Power Options Control Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The lock option is not displayed in the User Tile menu. | +| 1 (Default) | The lock option is displayed in the User Tile menu. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ShowLockOption | +| Friendly Name | Show lock in the user tile menu | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ShowLockOption | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index 1b914b6115..1f4ded5adf 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -4,7 +4,7 @@ description: Learn more about the ExploitGuard Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/30/2022 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -36,29 +36,8 @@ ms.topic: reference - -Specify a common set of Microsoft Defender Exploit Guard system and application mitigation settings that can be applied to all endpoints that have this GP setting configured. - -There are some prerequisites before you can enable this setting: -- Manually configure a device's system and application mitigation settings using the Set-ProcessMitigation PowerShell cmdlet, the ConvertTo-ProcessMitigationPolicy PowerShell cmdlet, or directly in Windows Security. -- Generate an XML file with the settings from the device by running the Get-ProcessMitigation PowerShell cmdlet or using the Export button at the bottom of the Exploit Protection area in Windows Security. -- Place the generated XML file in a shared or local path. - -Note: Endpoints that have this GP setting set to Enabled must be able to access the XML file, otherwise the settings will not be applied. - -Enabled -Specify the location of the XML file in the Options section. You can use a local (or mapped) path, a UNC path, or a URL, such as the following: -- C:\MitigationSettings\Config.XML -- \\Server\Share\Config.xml -- https://localhost:8080/Config.xml - -The settings in the XML file will be applied to the endpoint. - -Disabled -Common settings will not be applied, and the locally configured settings will be used instead. - -Not configured -Same as Disabled. + +Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Enable Exploit Protection on Devices](/microsoft-365/security/defender-endpoint/enable-exploit-protection) and [Import, export, and deploy Exploit Protection configurations](/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). The system settings require a reboot; the application settings do not require a reboot. 
@@ -90,6 +69,30 @@ Same as Disabled. +**Example**: + +```xml + + + + + $CmdId$ + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings + + ]]> + + + + + + +``` diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md index d1e0e7494f..24fdb6341a 100644 --- a/windows/client-management/mdm/policy-csp-handwriting.md +++ b/windows/client-management/mdm/policy-csp-handwriting.md @@ -42,6 +42,9 @@ The handwriting panel has 2 modes - floats near the text box, or, attached to th +In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel, to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and doesn't require any user interaction. + +The docked mode is especially useful in Kiosk mode, where you don't expect the end-user to drag the flying-in panel out of the way. diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 14ee641a09..4c142d85e4 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -4,7 +4,7 @@ description: Learn more about the InternetExplorer Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/02/2023 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - InternetExplorer > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -72,7 +70,7 @@ If you disable or do not configure this policy setting, the user can configure t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -136,7 +134,7 @@ If you disable or do not configure this policy setting, ActiveX Filtering is not > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -206,7 +204,7 @@ If you disable this policy setting, the list is deleted. The 'Deny all add-ons u > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -227,6 +225,68 @@ If you disable this policy setting, the list is deleted. The 'Deny all add-ons u + +## AllowAutoComplete + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowAutoComplete +``` + + + + +This AutoComplete feature can remember and suggest User names and passwords on Forms. + +If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". + +If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. + +If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RestrictFormSuggestPW | +| Friendly Name | Turn on the auto-complete feature for user names and passwords on forms | +| Location | User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main | +| Registry Value Name | FormSuggest Passwords | +| ADMX File Name | inetres.admx | + + + + + + + + ## AllowCertificateAddressMismatchWarning 
@@ -270,7 +330,7 @@ If you disable or do not configure this policy setting, the user can choose whet > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -338,7 +398,7 @@ If the "Prevent access to Delete Browsing History" policy setting is enabled, th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -404,7 +464,7 @@ If you do not configure this policy, users will be able to turn on or turn off E > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -470,7 +530,7 @@ If you don't configure this policy setting, users can change the Suggestions set > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -534,7 +594,7 @@ If you disable or don't configure this policy setting, the menu option won't app > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -597,7 +657,7 @@ If you disable or don't configure this policy setting, Internet Explorer opens a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -658,7 +718,7 @@ If you disable this policy, system defaults will be used. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -721,7 +781,7 @@ If you disable or do not configure this policy setting, the user can add and rem > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -786,7 +846,7 @@ If you do not configure this policy setting, Internet Explorer uses an Internet > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -856,7 +916,7 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -926,7 +986,7 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -996,7 +1056,7 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1066,7 +1126,7 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1136,7 +1196,7 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1206,7 +1266,7 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1276,7 +1336,7 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1340,7 +1400,7 @@ If you disable or do not configure this policy setting, Internet Explorer does n > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1406,7 +1466,7 @@ For more information, see > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1492,7 +1552,7 @@ If you disable or do not configure this policy, users may choose their own site- > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1588,7 +1648,7 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1654,7 +1714,7 @@ If you do not configure this policy, users can choose to run or install files wi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1724,7 +1784,7 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1790,7 +1850,7 @@ If you do not configure this policy setting, the user can turn on and turn off t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1860,7 +1920,7 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1926,7 +1986,7 @@ If you do not configure this policy setting, Internet Explorer will not check se > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1992,7 +2052,7 @@ If you do not configure this policy, Internet Explorer will not check the digita > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -2071,7 +2131,7 @@ If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2345,13 +2405,13 @@ If you do not configure this policy setting, Internet Explorer requires consiste > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IESF_PolicyExplorerProcesses | +| Name | IESF_PolicyExplorerProcesses_5 | | Friendly Name | Internet Explorer Processes | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Security Features > Consistent Mime Handling | @@ -2365,6 +2425,68 @@ If you do not configure this policy setting, Internet Explorer requires consiste + +## DisableActiveXVersionListAutoDownload + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableActiveXVersionListAutoDownload +``` + + + + +This setting determines whether IE automatically downloads updated versions of Microsoft’s VersionList. XML. IE uses this file to determine whether an ActiveX control should be stopped from loading. + +If you enable this setting, IE stops downloading updated versions of VersionList. XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. + +If you disable or don't configure this setting, IE continues to download updated versions of VersionList. XML. + +For more information, see "Out-of-date ActiveX control blocking" in the Internet Explorer TechNet library. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | VersionListAutomaticDownloadDisable | +| Friendly Name | Turn off automatic download of the ActiveX VersionList | +| Location | User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Add-on Management | +| Registry Key Name | Software\Microsoft\Internet Explorer\VersionManager | +| Registry Value Name | DownloadVersionList | +| ADMX File Name | inetres.admx | + + + + + + + + ## DisableBypassOfSmartScreenWarnings 
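Review bot: in the description added for DisableActiveXVersionListAutoDownload, the file name is written "VersionList. XML" with a space after the period in all three paragraphs that mention it; it should read "VersionList.XML" so it is a single, searchable file name. The second paragraph carries the security consequence (enabling the setting stops the list from updating and so breaks out-of-date ActiveX control blocking), so it would be worth setting it off with the **Note** styling this change uses elsewhere. The closing sentence also points to "Out-of-date ActiveX control blocking" in the TechNet library by title only; a link would be more useful than a name.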
@@ -2408,7 +2530,7 @@ If you disable or do not configure this policy setting, the user can bypass Smar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2472,7 +2594,7 @@ If you disable or do not configure this policy setting, the user can bypass Smar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2536,7 +2658,7 @@ If you disable or do not configure this policy setting, the user can use the Com > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -2600,7 +2722,7 @@ If you disable or do not configure this policy setting, a user can set the numbe > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2664,7 +2786,7 @@ If you disable or do not configure this policy setting, the crash detection feat > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2730,7 +2852,7 @@ If you do not configure this policy setting, the user can choose to participate > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -2798,7 +2920,7 @@ If the "Prevent access to Delete Browsing History" policy setting is enabled, th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2862,7 +2984,7 @@ If you disable or do not configure this policy setting, the user can set the Fee > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2910,7 +3032,7 @@ If you enable this policy setting, the browser negotiates or does not negotiate If you disable or do not configure this policy setting, the user can select which encryption method the browser supports. -Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. +**Note**: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. 
@@ -2928,7 +3050,7 @@ Note: SSL 2.0 is off by default and is no longer supported starting with Windows > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2991,7 +3113,7 @@ If you disable or do not configure this policy setting, the user can synchronize > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3059,7 +3181,7 @@ If you disable or do not configure this policy setting, Internet Explorer may ru > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -3126,7 +3248,7 @@ If you don't configure this setting, users can turn this behavior on or off, usi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3192,7 +3314,7 @@ If you do not configure this policy setting, browser geolocation support can be > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3213,6 +3335,66 @@ If you do not configure this policy setting, browser geolocation support can be + +## DisableHomePageChange + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableHomePageChange +``` + + + + +The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run. + +If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies. + +If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RestrictHomePage | +| Friendly Name | Disable changing home page settings | +| Location | User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Control Panel | +| Registry Value Name | HomePage | +| ADMX File Name | inetres.admx | + + + + + + + + ## DisableHTMLApplication 
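Review bot: the DisableHomePageChange description added here says "You must specify which default home page should load on the user machine", but nothing in the section says how to supply that URL. The properties table gives only Format chr (string), the ADMX mapping gives only the registry value HomePage, and the tip links to the generic "Enabling a policy" example. Suggest adding the data element name from inetres.admx or a short sample payload carrying a home page value, since the text describes that value as required when the policy is enabled.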
@@ -3256,7 +3438,7 @@ If you disable or do not configure this policy setting, running the HTML Applica > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3320,7 +3502,7 @@ If you disable or do not configure this policy setting, the user can choose to i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3388,7 +3570,7 @@ If you do not configure this policy setting, InPrivate Browsing can be turned on > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -3458,7 +3640,7 @@ If you disable, or don’t configure this policy, all sites are opened using the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3524,7 +3706,7 @@ If you disable, or don’t configure this policy, all sites are opened using the This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows. -Important: Some ActiveX controls and toolbars may not be available when 64-bit processes are used. +**Important**: Some ActiveX controls and toolbars may not be available when 64-bit processes are used. If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows. @@ -3548,7 +3730,7 @@ If you don't configure this policy setting, users can turn this feature on or of > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -3612,7 +3794,7 @@ If you disable or do not configure this policy setting, the user can configure p > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3656,7 +3838,7 @@ If you disable or do not configure this policy setting, the user can configure p This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box. -If you enable this policy setting, disableprocessesthe user cannot change the default search provider. +If you enable this policy setting, the user cannot change the default search provider. If you disable or do not configure this policy setting, the user can change the default search provider. @@ -3676,7 +3858,7 @@ If you disable or do not configure this policy setting, the user can change the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3724,7 +3906,7 @@ If you enable this policy setting, you can specify which default home pages shou If you disable or do not configure this policy setting, the user can add secondary home pages. -Note: If the “Disable Changing Home Page Settings” policy is enabled, the user cannot add secondary home pages. +**Note**: If the “Disable Changing Home Page Settings” policy is enabled, the user cannot add secondary home pages. 
@@ -3742,7 +3924,7 @@ Note: If the “Disable Changing Home Page Settings” policy is enabled, the us > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3805,7 +3987,7 @@ If you disable or do not configure this policy setting, the feature is turned on > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3867,7 +4049,7 @@ This policy is intended to help the administrator maintain version control for I > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -3933,7 +4115,7 @@ If you do not configure this policy setting, a user will have the freedom to cho > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4001,7 +4183,7 @@ If you disable or do not configure this policy setting, Internet Explorer notifi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4047,7 +4229,7 @@ If you disable this policy or do not configure it, users can add Web sites to or This policy prevents users from changing site management settings for security zones established by the administrator. -Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored. +**Note**: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored. Also, see the "Security zones: Use only machine settings" policy. 
@@ -4067,7 +4249,7 @@ Also, see the "Security zones: Use only machine settings" policy. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4113,7 +4295,7 @@ If you disable this policy or do not configure it, users can change the settings This policy prevents users from changing security zone settings established by the administrator. -Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. +**Note**: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. Also, see the "Security zones: Use only machine settings" policy. @@ -4133,7 +4315,7 @@ Also, see the "Security zones: Use only machine settings" policy. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -4199,7 +4381,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4245,8 +4427,9 @@ This policy setting allows you to manage a list of domains on which Internet Exp If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following: -1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" +1. "domain.name. TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" 2. "hostname". For example, if you want to include https://example, use "example" + 3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm" If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone. @@ -4269,7 +4452,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -4335,7 +4518,7 @@ For more information, see > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4403,7 +4586,7 @@ To learn more about disabling Internet Explorer 11 as a standalone browser, see > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4469,7 +4652,7 @@ If you do not configure this policy setting, users choose whether to force local > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4535,7 +4718,7 @@ If you do not configure this policy setting, users choose whether network paths > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -4601,13 +4784,13 @@ If you do not configure this policy setting, users cannot load a page in the zon > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_1 | | Friendly Name | Access data sources across domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -4666,13 +4849,13 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Name | IZ_PolicyNotificationBarActiveXURLaction_1 | | Friendly Name | Automatic prompting for ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | 
@@ -4729,13 +4912,13 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Name | IZ_PolicyNotificationBarDownloadURLaction_1 | | Friendly Name | Automatic prompting for file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -4796,13 +4979,13 @@ If you do not configure this policy setting, a script can perform a clipboard op > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAllowPasteViaScript | +| Name | IZ_PolicyAllowPasteViaScript_1 | | Friendly Name | Allow cut, copy or paste operations from the clipboard via script | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | 
@@ -4861,13 +5044,13 @@ If you do not configure this policy setting, users can drag files or copy and pa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyDropOrPasteFiles | +| Name | IZ_PolicyDropOrPasteFiles_1 | | Friendly Name | Allow drag and drop or copy and paste files | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -4926,13 +5109,13 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFontDownload | +| Name | IZ_PolicyFontDownload_1 | | Friendly Name | Allow font downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | 
@@ -4991,13 +5174,13 @@ If you do not configure this policy setting, Web sites from less privileged zone > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyZoneElevationURLaction | +| Name | IZ_PolicyZoneElevationURLaction_1 | | Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5056,13 +5239,13 @@ If you do not configure this policy setting, the user can decide whether to load > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_XAML | +| Name | IZ_Policy_XAML_1 | | Friendly Name | Allow loading of XAML files | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | 
@@ -5097,7 +5280,7 @@ If you do not configure this policy setting, the user can decide whether to load -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. @@ -5121,13 +5304,13 @@ If you do not configure this policy setting, Internet Explorer will execute unsi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_1 | | Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | 
@@ -5184,13 +5367,13 @@ If you disable this policy setting, the user does not see the per-site ActiveX p > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt | +| Name | IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet | | Friendly Name | Allow only approved domains to use ActiveX controls without prompt | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5247,13 +5430,13 @@ If you disable this policy setting, the TDC Active X control will run from all s > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAllowTDCControl | +| Name | IZ_PolicyAllowTDCControl_Both_Internet | | Friendly Name | Allow only approved domains to use the TDC ActiveX control | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | 
@@ -5312,13 +5495,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_WebBrowserControl | +| Name | IZ_Policy_WebBrowserControl_1 | | Friendly Name | Allow scripting of Internet Explorer WebBrowser controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5377,13 +5560,13 @@ If you do not configure this policy setting, the possible harmful actions contai > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyWindowsRestrictionsURLaction | +| Name | IZ_PolicyWindowsRestrictionsURLaction_1 | | Friendly Name | Allow script-initiated windows without size or position constraints | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | 
@@ -5442,13 +5625,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_AllowScriptlets | +| Name | IZ_Policy_AllowScriptlets_1 | | Friendly Name | Allow scriptlets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5491,7 +5674,7 @@ If you disable this policy setting, SmartScreen Filter does not scan pages in th If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. 
@@ -5509,13 +5692,13 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_Phishing | +| Name | IZ_Policy_Phishing_1 | | Friendly Name | Turn on SmartScreen Filter scan | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5572,13 +5755,13 @@ If you disable or do not configure this policy setting, script is not allowed to > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_ScriptStatusBar | +| Name | IZ_Policy_ScriptStatusBar_1 | | Friendly Name | Allow updates to status bar via script | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | 
@@ -5637,13 +5820,13 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUserdataPersistence | +| Name | IZ_PolicyUserdataPersistence_1 | | Friendly Name | Userdata persistence | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5704,13 +5887,13 @@ If you do not configure or disable this policy setting, VBScript is prevented fr > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAllowVBScript | +| Name | IZ_PolicyAllowVBScript_1 | | Friendly Name | Allow VBScript to run in Internet Explorer | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | 
@@ -5769,13 +5952,13 @@ If you don't configure this policy setting, Internet Explorer always checks with > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls | +| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 | | Friendly Name | Don't run antimalware programs against ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5834,13 +6017,13 @@ If you do not configure this policy setting, users are queried whether to downlo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyDownloadSignedActiveX | +| Name | IZ_PolicyDownloadSignedActiveX_1 | | Friendly Name | Download signed ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | 
@@ -5899,13 +6082,13 @@ If you do not configure this policy setting, users cannot run unsigned controls. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyDownloadUnsignedActiveX | +| Name | IZ_PolicyDownloadUnsignedActiveX_1 | | Friendly Name | Download unsigned ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5962,13 +6145,13 @@ If you disable this policy setting, the XSS Filter is turned off for sites in th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyTurnOnXSSFilter | +| Name | IZ_PolicyTurnOnXSSFilter_Both_Internet | | Friendly Name | Turn on Cross-Site Scripting Filter | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | 
@@ -6029,13 +6212,13 @@ In Internet Explorer 9 and earlier versions, if you disable this policy or do no > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyDragDropAcrossDomainsAcrossWindows | +| Name | IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet | | Friendly Name | Enable dragging of content from different domains across windows | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -6096,13 +6279,13 @@ In Internet Explorer 9 and earlier versions, if you disable this policy setting > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyDragDropAcrossDomainsWithinWindow | +| Name | IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet | | Friendly Name | Enable dragging of content from different domains within a window | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | 
@@ -6161,13 +6344,13 @@ If you do not configure this policy setting, the MIME Sniffing Safety Feature wi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyMimeSniffingURLaction | +| Name | IZ_PolicyMimeSniffingURLaction_1 | | Friendly Name | Enable MIME Sniffing | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -6226,13 +6409,13 @@ If you do not configure this policy setting, the user can turn on or turn off Pr > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_TurnOnProtectedMode | +| Name | IZ_Policy_TurnOnProtectedMode_1 | | Friendly Name | Turn on Protected Mode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | 
@@ -6291,13 +6474,13 @@ If you do not configure this policy setting, the user can choose whether path in > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_LocalPathForUpload | +| Name | IZ_Policy_LocalPathForUpload_1 | | Friendly Name | Include local path when user is uploading files to a server | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -6358,13 +6541,13 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_1 | | Friendly Name | Initialize and script ActiveX controls not marked as safe | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | 
@@ -6429,13 +6612,13 @@ If you do not configure this policy setting, the permission is set to High Safet > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyJavaPermissions | +| Name | IZ_PolicyJavaPermissions_1 | | Friendly Name | Java permissions | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -6494,13 +6677,13 @@ If you do not configure this policy setting, users are queried to choose whether > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyLaunchAppsAndFilesInIFRAME | +| Name | IZ_PolicyLaunchAppsAndFilesInIFRAME_1 | | Friendly Name | Launching applications and files in an IFRAME | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | 
@@ -6567,13 +6750,13 @@ If you do not configure this policy setting, logon is set to Automatic logon onl > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyLogon | +| Name | IZ_PolicyLogon_1 | | Friendly Name | Logon options | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -6632,13 +6815,13 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Name | IZ_PolicyNavigateSubframesAcrossDomains_1 | | Friendly Name | Navigate windows and frames across different domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | 
@@ -6673,7 +6856,7 @@ If you do not configure this policy setting, users can open windows and frames f -This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. @@ -6697,13 +6880,13 @@ If you do not configure this policy setting, Internet Explorer will execute sign > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicySignedFrameworkComponentsURLaction | +| Name | IZ_PolicySignedFrameworkComponentsURLaction_1 | | Friendly Name | Run .NET Framework-reliant components signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | 
@@ -6762,13 +6945,13 @@ If you do not configure this policy setting, the user can configure how the comp > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_UnsafeFiles | +| Name | IZ_Policy_UnsafeFiles_1 | | Friendly Name | Show security warning for potentially unsafe files | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -6827,13 +7010,13 @@ If you do not configure this policy setting, most unwanted pop-up windows are pr > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyBlockPopupWindows | +| Name | IZ_PolicyBlockPopupWindows_1 | | Friendly Name | Use Pop-up Blocker | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | 
@@ -6892,13 +7075,13 @@ If you do not configure this policy setting, users are queried to choose whether > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_3 | | Friendly Name | Access data sources across domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | @@ -6957,13 +7140,13 @@ If you do not configure this policy setting, users will receive a prompt when a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Name | IZ_PolicyNotificationBarActiveXURLaction_3 | | Friendly Name | Automatic prompting for ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | 
@@ -7020,13 +7203,13 @@ If you disable or do not configure this setting, users will receive a file downl > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Name | IZ_PolicyNotificationBarDownloadURLaction_3 | | Friendly Name | Automatic prompting for file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | @@ -7085,13 +7268,13 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFontDownload | +| Name | IZ_PolicyFontDownload_3 | | Friendly Name | Allow font downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | 
@@ -7150,13 +7333,13 @@ If you do not configure this policy setting, Web sites from less privileged zone > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyZoneElevationURLaction | +| Name | IZ_PolicyZoneElevationURLaction_3 | | Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | @@ -7191,7 +7374,7 @@ If you do not configure this policy setting, Web sites from less privileged zone -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. 
@@ -7215,13 +7398,13 @@ If you do not configure this policy setting, Internet Explorer will execute unsi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_3 | | Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | @@ -7280,13 +7463,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_AllowScriptlets | +| Name | IZ_Policy_AllowScriptlets_3 | | Friendly Name | Allow scriptlets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | 
@@ -7329,7 +7512,7 @@ If you disable this policy setting, SmartScreen Filter does not scan pages in th If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -7347,13 +7530,13 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_Phishing | +| Name | IZ_Policy_Phishing_3 | | Friendly Name | Turn on SmartScreen Filter scan | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | 
@@ -7412,13 +7595,13 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUserdataPersistence | +| Name | IZ_PolicyUserdataPersistence_3 | | Friendly Name | Userdata persistence | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | @@ -7477,13 +7660,13 @@ If you don't configure this policy setting, Internet Explorer won't check with y > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls | +| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 | | Friendly Name | Don't run antimalware programs against ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | 
@@ -7544,13 +7727,13 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_3 | | Friendly Name | Initialize and script ActiveX controls not marked as safe | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | @@ -7615,13 +7798,13 @@ If you do not configure this policy setting, the permission is set to Medium Saf > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyJavaPermissions | +| Name | IZ_PolicyJavaPermissions_3 | | Friendly Name | Java permissions | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | 
@@ -7680,13 +7863,13 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Name | IZ_PolicyNavigateSubframesAcrossDomains_3 | | Friendly Name | Navigate windows and frames across different domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | @@ -7745,7 +7928,7 @@ If this policy is left unconfigured, then MSHTML will use JScript9Legacy and MSX > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -7817,7 +8000,7 @@ For more info about how to use this policy together with other related policies > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -7906,13 +8089,13 @@ If you do not configure this policy setting, users can load a page in the zone t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_9 | | Friendly Name | Access data sources across domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | @@ -7971,13 +8154,13 @@ If you do not configure this policy setting, users will receive a prompt when a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Name | IZ_PolicyNotificationBarActiveXURLaction_9 | | Friendly Name | Automatic prompting for ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | 
@@ -8034,13 +8217,13 @@ If you disable or do not configure this setting, users will receive a file downl > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Name | IZ_PolicyNotificationBarDownloadURLaction_9 | | Friendly Name | Automatic prompting for file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | @@ -8099,13 +8282,13 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFontDownload | +| Name | IZ_PolicyFontDownload_9 | | Friendly Name | Allow font downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | 
@@ -8164,13 +8347,13 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyZoneElevationURLaction | +| Name | IZ_PolicyZoneElevationURLaction_9 | | Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | @@ -8205,7 +8388,7 @@ If you do not configure this policy setting, the possibly harmful navigations ar -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. 
@@ -8229,13 +8412,13 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_9 | | Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | @@ -8294,13 +8477,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_AllowScriptlets | +| Name | IZ_Policy_AllowScriptlets_9 | | Friendly Name | Allow scriptlets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | 
@@ -8343,7 +8526,7 @@ If you disable this policy setting, SmartScreen Filter does not scan pages in th If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -8361,13 +8544,13 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_Phishing | +| Name | IZ_Policy_Phishing_9 | | Friendly Name | Turn on SmartScreen Filter scan | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | 
@@ -8426,13 +8609,13 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUserdataPersistence | +| Name | IZ_PolicyUserdataPersistence_9 | | Friendly Name | Userdata persistence | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | @@ -8491,13 +8674,13 @@ If you don't configure this policy setting, Internet Explorer won't check with y > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls | +| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 | | Friendly Name | Don't run antimalware programs against ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | 
@@ -8558,13 +8741,13 @@ If you do not configure this policy setting, users are queried whether to allow > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_9 | | Friendly Name | Initialize and script ActiveX controls not marked as safe | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | @@ -8629,13 +8812,13 @@ If you do not configure this policy setting, the permission is set to Medium Saf > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyJavaPermissions | +| Name | IZ_PolicyJavaPermissions_9 | | Friendly Name | Java permissions | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | 
@@ -8694,13 +8877,13 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Name | IZ_PolicyNavigateSubframesAcrossDomains_9 | | Friendly Name | Navigate windows and frames across different domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | @@ -8759,13 +8942,13 @@ If you do not configure this policy setting, users cannot load a page in the zon > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_2 | | Friendly Name | Access data sources across domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | 
@@ -8824,13 +9007,13 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Name | IZ_PolicyNotificationBarActiveXURLaction_2 | | Friendly Name | Automatic prompting for ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | @@ -8887,13 +9070,13 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Name | IZ_PolicyNotificationBarDownloadURLaction_2 | | Friendly Name | Automatic prompting for file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | 
@@ -8952,13 +9135,13 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFontDownload | +| Name | IZ_PolicyFontDownload_2 | | Friendly Name | Allow font downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | @@ -9017,13 +9200,13 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyZoneElevationURLaction | +| Name | IZ_PolicyZoneElevationURLaction_2 | | Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | 
@@ -9058,7 +9241,7 @@ If you do not configure this policy setting, the possibly harmful navigations ar -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. @@ -9082,13 +9265,13 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_2 | | Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | 
@@ -9147,13 +9330,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_AllowScriptlets | +| Name | IZ_Policy_AllowScriptlets_2 | | Friendly Name | Allow scriptlets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | @@ -9196,7 +9379,7 @@ If you disable this policy setting, SmartScreen Filter does not scan pages in th If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. 
@@ -9214,13 +9397,13 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_Phishing | +| Name | IZ_Policy_Phishing_2 | | Friendly Name | Turn on SmartScreen Filter scan | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | @@ -9279,13 +9462,13 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUserdataPersistence | +| Name | IZ_PolicyUserdataPersistence_2 | | Friendly Name | Userdata persistence | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | 
@@ -9346,13 +9529,13 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_2 | | Friendly Name | Initialize and script ActiveX controls not marked as safe | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | @@ -9417,13 +9600,13 @@ If you do not configure this policy setting, Java applets are disabled. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyJavaPermissions | +| Name | IZ_PolicyJavaPermissions_2 | | Friendly Name | Java permissions | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | 
@@ -9482,13 +9665,13 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Name | IZ_PolicyNavigateSubframesAcrossDomains_2 | | Friendly Name | Navigate windows and frames across different domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | @@ -9553,13 +9736,13 @@ If you do not configure this policy setting, Java applets are disabled. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyJavaPermissions | +| Name | IZ_PolicyJavaPermissions_4 | | Friendly Name | Java permissions | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | 
@@ -9618,13 +9801,13 @@ If you do not configure this policy setting, users are queried to choose whether > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_4 | | Friendly Name | Access data sources across domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | @@ -9683,13 +9866,13 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Name | IZ_PolicyNotificationBarActiveXURLaction_4 | | Friendly Name | Automatic prompting for ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | 
@@ -9746,13 +9929,13 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Name | IZ_PolicyNotificationBarDownloadURLaction_4 | | Friendly Name | Automatic prompting for file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | @@ -9811,13 +9994,13 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFontDownload | +| Name | IZ_PolicyFontDownload_4 | | Friendly Name | Allow font downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | 
@@ -9876,13 +10059,13 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyZoneElevationURLaction | +| Name | IZ_PolicyZoneElevationURLaction_4 | | Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | @@ -9917,7 +10100,7 @@ If you do not configure this policy setting, the possibly harmful navigations ar -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. 
@@ -9941,13 +10124,13 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_4 | | Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | @@ -10006,13 +10189,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_AllowScriptlets | +| Name | IZ_Policy_AllowScriptlets_4 | | Friendly Name | Allow scriptlets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | 
@@ -10055,7 +10238,7 @@ If you disable this policy setting, SmartScreen Filter does not scan pages in th If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -10073,13 +10256,13 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_Phishing | +| Name | IZ_Policy_Phishing_4 | | Friendly Name | Turn on SmartScreen Filter scan | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | 
@@ -10138,13 +10321,13 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUserdataPersistence | +| Name | IZ_PolicyUserdataPersistence_4 | | Friendly Name | Userdata persistence | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | @@ -10205,13 +10388,13 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_4 | | Friendly Name | Initialize and script ActiveX controls not marked as safe | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | 
@@ -10270,13 +10453,13 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Name | IZ_PolicyNavigateSubframesAcrossDomains_4 | | Friendly Name | Navigate windows and frames across different domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | @@ -10335,13 +10518,13 @@ If you do not configure this policy setting, users can load a page in the zone t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_10 | | Friendly Name | Access data sources across domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | 
@@ -10400,13 +10583,13 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Name | IZ_PolicyNotificationBarActiveXURLaction_10 | | Friendly Name | Automatic prompting for ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | @@ -10463,13 +10646,13 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Name | IZ_PolicyNotificationBarDownloadURLaction_10 | | Friendly Name | Automatic prompting for file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | 
@@ -10528,13 +10711,13 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFontDownload | +| Name | IZ_PolicyFontDownload_10 | | Friendly Name | Allow font downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | @@ -10593,13 +10776,13 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyZoneElevationURLaction | +| Name | IZ_PolicyZoneElevationURLaction_10 | | Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | 
@@ -10634,7 +10817,7 @@ If you do not configure this policy setting, the possibly harmful navigations ar -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. @@ -10658,13 +10841,13 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_10 | | Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | 
@@ -10723,13 +10906,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_AllowScriptlets | +| Name | IZ_Policy_AllowScriptlets_10 | | Friendly Name | Allow scriptlets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | @@ -10772,7 +10955,7 @@ If you disable this policy setting, SmartScreen Filter does not scan pages in th If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. 
@@ -10790,13 +10973,13 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_Phishing | +| Name | IZ_Policy_Phishing_10 | | Friendly Name | Turn on SmartScreen Filter scan | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | @@ -10855,13 +11038,13 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUserdataPersistence | +| Name | IZ_PolicyUserdataPersistence_10 | | Friendly Name | Userdata persistence | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | 
@@ -10922,13 +11105,13 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_10 | | Friendly Name | Initialize and script ActiveX controls not marked as safe | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | @@ -10993,13 +11176,13 @@ If you do not configure this policy setting, Java applets are disabled. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyJavaPermissions | +| Name | IZ_PolicyJavaPermissions_10 | | Friendly Name | Java permissions | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | 
@@ -11058,13 +11241,13 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Name | IZ_PolicyNavigateSubframesAcrossDomains_10 | | Friendly Name | Navigate windows and frames across different domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | @@ -11123,13 +11306,13 @@ If you do not configure this policy setting, users cannot load a page in the zon > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_8 | | Friendly Name | Access data sources across domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | 
@@ -11188,13 +11371,13 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Name | IZ_PolicyNotificationBarActiveXURLaction_8 | | Friendly Name | Automatic prompting for ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | @@ -11251,13 +11434,13 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Name | IZ_PolicyNotificationBarDownloadURLaction_8 | | Friendly Name | Automatic prompting for file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | 
@@ -11316,13 +11499,13 @@ If you do not configure this policy setting, users are queried whether to allow > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFontDownload | +| Name | IZ_PolicyFontDownload_8 | | Friendly Name | Allow font downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | @@ -11381,13 +11564,13 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyZoneElevationURLaction | +| Name | IZ_PolicyZoneElevationURLaction_8 | | Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | 
@@ -11422,7 +11605,7 @@ If you do not configure this policy setting, the possibly harmful navigations ar -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. @@ -11446,13 +11629,13 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_8 | | Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | 
@@ -11511,13 +11694,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_AllowScriptlets | +| Name | IZ_Policy_AllowScriptlets_8 | | Friendly Name | Allow scriptlets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | @@ -11560,7 +11743,7 @@ If you disable this policy setting, SmartScreen Filter does not scan pages in th If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. 
@@ -11578,13 +11761,13 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_Phishing | +| Name | IZ_Policy_Phishing_8 | | Friendly Name | Turn on SmartScreen Filter scan | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | @@ -11643,13 +11826,13 @@ If you do not configure this policy setting, users cannot preserve information i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUserdataPersistence | +| Name | IZ_PolicyUserdataPersistence_8 | | Friendly Name | Userdata persistence | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | 
@@ -11710,13 +11893,13 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_8 | | Friendly Name | Initialize and script ActiveX controls not marked as safe | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | @@ -11781,13 +11964,13 @@ If you do not configure this policy setting, Java applets are disabled. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyJavaPermissions | +| Name | IZ_PolicyJavaPermissions_8 | | Friendly Name | Java permissions | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | 
@@ -11846,13 +12029,13 @@ If you do not configure this policy setting, users cannot open other windows and > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Name | IZ_PolicyNavigateSubframesAcrossDomains_8 | | Friendly Name | Navigate windows and frames across different domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | @@ -11911,13 +12094,13 @@ If you do not configure this policy setting, users can load a page in the zone t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_6 | | Friendly Name | Access data sources across domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | 
@@ -11976,13 +12159,13 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Name | IZ_PolicyNotificationBarActiveXURLaction_6 | | Friendly Name | Automatic prompting for ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | @@ -12039,13 +12222,13 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Name | IZ_PolicyNotificationBarDownloadURLaction_6 | | Friendly Name | Automatic prompting for file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | 
@@ -12104,13 +12287,13 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFontDownload | +| Name | IZ_PolicyFontDownload_6 | | Friendly Name | Allow font downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | @@ -12169,13 +12352,13 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyZoneElevationURLaction | +| Name | IZ_PolicyZoneElevationURLaction_6 | | Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | 
@@ -12210,7 +12393,7 @@ If you do not configure this policy setting, the possibly harmful navigations ar -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. @@ -12234,13 +12417,13 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_6 | | Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | 
@@ -12299,13 +12482,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_AllowScriptlets | +| Name | IZ_Policy_AllowScriptlets_6 | | Friendly Name | Allow scriptlets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | @@ -12348,7 +12531,7 @@ If you disable this policy setting, SmartScreen Filter does not scan pages in th If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. 
@@ -12366,13 +12549,13 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_Phishing | +| Name | IZ_Policy_Phishing_6 | | Friendly Name | Turn on SmartScreen Filter scan | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | @@ -12431,13 +12614,13 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUserdataPersistence | +| Name | IZ_PolicyUserdataPersistence_6 | | Friendly Name | Userdata persistence | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | 
@@ -12498,13 +12681,13 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_6 | | Friendly Name | Initialize and script ActiveX controls not marked as safe | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | @@ -12569,13 +12752,13 @@ If you do not configure this policy setting, Java applets are disabled. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyJavaPermissions | +| Name | IZ_PolicyJavaPermissions_6 | | Friendly Name | Java permissions | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | 
@@ -12634,13 +12817,13 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Name | IZ_PolicyNavigateSubframesAcrossDomains_6 | | Friendly Name | Navigate windows and frames across different domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | @@ -12699,13 +12882,13 @@ If you do not configure this policy setting, MIME sniffing will never promote a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IESF_PolicyExplorerProcesses | +| Name | IESF_PolicyExplorerProcesses_6 | | Friendly Name | Internet Explorer Processes | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Security Features > Mime Sniffing Safety Feature | 
@@ -12764,13 +12947,13 @@ If you do not configure this policy setting, the MK Protocol is prevented for Fi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IESF_PolicyExplorerProcesses | +| Name | IESF_PolicyExplorerProcesses_3 | | Friendly Name | Internet Explorer Processes | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Security Features > MK Protocol Security Restriction | @@ -12827,7 +13010,7 @@ If you disable or do not configure this policy setting, the user can select his > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -12892,13 +13075,13 @@ If you do not configure this policy setting, the Notification bar will be displa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IESF_PolicyExplorerProcesses | +| Name | IESF_PolicyExplorerProcesses_10 | | Friendly Name | Internet Explorer Processes | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Security Features > Notification bar | @@ -12955,7 +13138,7 @@ If you disable or do not configure this policy setting, the user is prompted to > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -13018,7 +13201,7 @@ If you disable or do not configure this policy setting, ActiveX controls can be > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -13084,13 +13267,13 @@ If you do not configure this policy setting, any zone can be protected from zone > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IESF_PolicyExplorerProcesses | +| Name | IESF_PolicyExplorerProcesses_9 | | Friendly Name | Internet Explorer Processes | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Security Features > Protection From Zone Elevation | @@ -13149,7 +13332,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -13215,7 +13398,7 @@ For more information, see > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -13281,13 +13464,13 @@ If you do not configure this policy setting, the user's preference will be used > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IESF_PolicyExplorerProcesses | +| Name | IESF_PolicyExplorerProcesses_11 | | Friendly Name | Internet Explorer Processes | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Security Features > Restrict ActiveX Install | @@ -13346,13 +13529,13 @@ If you do not configure this policy setting, users cannot load a page in the zon > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_7 | | Friendly Name | Access data sources across domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -13411,13 +13594,13 @@ If you do not configure this policy setting, script code on pages in the zone is > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyActiveScripting | +| Name | IZ_PolicyActiveScripting_7 | | Friendly Name | Allow active scripting | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -13476,13 +13659,13 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Name | IZ_PolicyNotificationBarActiveXURLaction_7 | | Friendly Name | Automatic prompting for ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -13539,13 +13722,13 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Name | IZ_PolicyNotificationBarDownloadURLaction_7 | | Friendly Name | Automatic prompting for file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -13604,13 +13787,13 @@ If you do not configure this policy setting, binary and script behaviors are not > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyBinaryBehaviors | +| Name | IZ_PolicyBinaryBehaviors_7 | | Friendly Name | Allow binary and script behaviors | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -13671,13 +13854,13 @@ If you do not configure this policy setting, a script cannot perform a clipboard > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAllowPasteViaScript | +| Name | IZ_PolicyAllowPasteViaScript_7 | | Friendly Name | Allow cut, copy or paste operations from the clipboard via script | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -13736,13 +13919,13 @@ If you do not configure this policy setting, users are queried to choose whether > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyDropOrPasteFiles | +| Name | IZ_PolicyDropOrPasteFiles_7 | | Friendly Name | Allow drag and drop or copy and paste files | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -13801,13 +13984,13 @@ If you do not configure this policy setting, files are prevented from being down > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFileDownload | +| Name | IZ_PolicyFileDownload_7 | | Friendly Name | Allow file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -13866,13 +14049,13 @@ If you do not configure this policy setting, users are queried whether to allow > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFontDownload | +| Name | IZ_PolicyFontDownload_7 | | Friendly Name | Allow font downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -13931,13 +14114,13 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyZoneElevationURLaction | +| Name | IZ_PolicyZoneElevationURLaction_7 | | Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -13996,13 +14179,13 @@ If you do not configure this policy setting, the user can decide whether to load > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_XAML | +| Name | IZ_Policy_XAML_7 | | Friendly Name | Allow loading of XAML files | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -14061,13 +14244,13 @@ If you do not configure this policy setting, a user's browser that loads a page > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAllowMETAREFRESH | +| Name | IZ_PolicyAllowMETAREFRESH_7 | | Friendly Name | Allow META REFRESH | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14102,7 +14285,7 @@ If you do not configure this policy setting, a user's browser that loads a page -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. 
@@ -14126,13 +14309,13 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_7 | | Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14189,13 +14372,13 @@ If you disable this policy setting, the user does not see the per-site ActiveX p > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt | +| Name | IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted | | Friendly Name | Allow only approved domains to use ActiveX controls without prompt | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -14252,13 +14435,13 @@ If you disable this policy setting, the TDC Active X control will run from all s > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAllowTDCControl | +| Name | IZ_PolicyAllowTDCControl_Both_Restricted | | Friendly Name | Allow only approved domains to use the TDC ActiveX control | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14317,13 +14500,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_WebBrowserControl | +| Name | IZ_Policy_WebBrowserControl_7 | | Friendly Name | Allow scripting of Internet Explorer WebBrowser controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -14382,13 +14565,13 @@ If you do not configure this policy setting, the possible harmful actions contai > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyWindowsRestrictionsURLaction | +| Name | IZ_PolicyWindowsRestrictionsURLaction_7 | | Friendly Name | Allow script-initiated windows without size or position constraints | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14447,13 +14630,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_AllowScriptlets | +| Name | IZ_Policy_AllowScriptlets_7 | | Friendly Name | Allow scriptlets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -14496,7 +14679,7 @@ If you disable this policy setting, SmartScreen Filter does not scan pages in th If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -14514,13 +14697,13 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_Phishing | +| Name | IZ_Policy_Phishing_7 | | Friendly Name | Turn on SmartScreen Filter scan | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -14577,13 +14760,13 @@ If you disable or do not configure this policy setting, script is not allowed to > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_ScriptStatusBar | +| Name | IZ_Policy_ScriptStatusBar_7 | | Friendly Name | Allow updates to status bar via script | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14642,13 +14825,13 @@ If you do not configure this policy setting, users cannot preserve information i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUserdataPersistence | +| Name | IZ_PolicyUserdataPersistence_7 | | Friendly Name | Userdata persistence | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -14709,13 +14892,13 @@ If you do not configure or disable this policy setting, VBScript is prevented fr > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAllowVBScript | +| Name | IZ_PolicyAllowVBScript_7 | | Friendly Name | Allow VBScript to run in Internet Explorer | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14774,13 +14957,13 @@ If you don't configure this policy setting, Internet Explorer always checks with > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls | +| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 | | Friendly Name | Don't run antimalware programs against ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -14839,13 +15022,13 @@ If you do not configure this policy setting, signed controls cannot be downloade > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyDownloadSignedActiveX | +| Name | IZ_PolicyDownloadSignedActiveX_7 | | Friendly Name | Download signed ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14904,13 +15087,13 @@ If you do not configure this policy setting, users cannot run unsigned controls. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyDownloadUnsignedActiveX | +| Name | IZ_PolicyDownloadUnsignedActiveX_7 | | Friendly Name | Download unsigned ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -14967,13 +15150,13 @@ If you disable this policy setting, the XSS Filter is turned off for sites in th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyTurnOnXSSFilter | +| Name | IZ_PolicyTurnOnXSSFilter_Both_Restricted | | Friendly Name | Turn on Cross-Site Scripting Filter | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15034,13 +15217,13 @@ In Internet Explorer 9 and earlier versions, if you disable this policy or do no > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyDragDropAcrossDomainsAcrossWindows | +| Name | IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted | | Friendly Name | Enable dragging of content from different domains across windows | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -15101,13 +15284,13 @@ In Internet Explorer 9 and earlier versions, if you disable this policy setting > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyDragDropAcrossDomainsWithinWindow | +| Name | IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted | | Friendly Name | Enable dragging of content from different domains within a window | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15166,13 +15349,13 @@ If you do not configure this policy setting, the actions that may be harmful can > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyMimeSniffingURLaction | +| Name | IZ_PolicyMimeSniffingURLaction_7 | | Friendly Name | Enable MIME Sniffing | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -15231,13 +15414,13 @@ If you do not configure this policy setting, the user can choose whether path in > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_LocalPathForUpload | +| Name | IZ_Policy_LocalPathForUpload_7 | | Friendly Name | Include local path when user is uploading files to a server | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15298,13 +15481,13 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_7 | | Friendly Name | Initialize and script ActiveX controls not marked as safe | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -15369,13 +15552,13 @@ If you do not configure this policy setting, Java applets are disabled. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyJavaPermissions | +| Name | IZ_PolicyJavaPermissions_7 | | Friendly Name | Java permissions | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15434,13 +15617,13 @@ If you do not configure this policy setting, users are prevented from running ap > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyLaunchAppsAndFilesInIFRAME | +| Name | IZ_PolicyLaunchAppsAndFilesInIFRAME_7 | | Friendly Name | Launching applications and files in an IFRAME | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -15507,13 +15690,13 @@ If you do not configure this policy setting, logon is set to Prompt for username > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyLogon | +| Name | IZ_PolicyLogon_7 | | Friendly Name | Logon options | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15572,13 +15755,13 @@ If you do not configure this policy setting, users cannot open other windows and > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Name | IZ_PolicyNavigateSubframesAcrossDomains_7 | | Friendly Name | Navigate windows and frames across different domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -15639,13 +15822,13 @@ If you do not configure this policy setting, controls and plug-ins are prevented > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyRunActiveXControls | +| Name | IZ_PolicyRunActiveXControls_7 | | Friendly Name | Run ActiveX controls and plugins | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15680,7 +15863,7 @@ If you do not configure this policy setting, controls and plug-ins are prevented -This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. 
@@ -15704,13 +15887,13 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicySignedFrameworkComponentsURLaction | +| Name | IZ_PolicySignedFrameworkComponentsURLaction_7 | | Friendly Name | Run .NET Framework-reliant components signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15771,13 +15954,13 @@ If you do not configure this policy setting, script interaction is prevented fro > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXMarkedSafe | +| Name | IZ_PolicyScriptActiveXMarkedSafe_7 | | Friendly Name | Script ActiveX controls marked safe for scripting | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -15838,13 +16021,13 @@ If you do not configure this policy setting, scripts are prevented from accessin > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptingOfJavaApplets | +| Name | IZ_PolicyScriptingOfJavaApplets_7 | | Friendly Name | Scripting of Java applets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15903,13 +16086,13 @@ If you do not configure this policy setting, the user can configure how the comp > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_UnsafeFiles | +| Name | IZ_Policy_UnsafeFiles_7 | | Friendly Name | Show security warning for potentially unsafe files | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -15968,13 +16151,13 @@ If you do not configure this policy setting, the user can turn on or turn off Pr > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_TurnOnProtectedMode | +| Name | IZ_Policy_TurnOnProtectedMode_7 | | Friendly Name | Turn on Protected Mode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -16033,13 +16216,13 @@ If you do not configure this policy setting, most unwanted pop-up windows are pr > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyBlockPopupWindows | +| Name | IZ_PolicyBlockPopupWindows_7 | | Friendly Name | Use Pop-up Blocker | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | 
@@ -16098,13 +16281,13 @@ If you do not configure this policy setting, the user's preference determines wh > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IESF_PolicyExplorerProcesses | +| Name | IESF_PolicyExplorerProcesses_12 | | Friendly Name | Internet Explorer Processes | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Security Features > Restrict File Download | @@ -16163,13 +16346,13 @@ If you do not configure this policy setting, popup windows and other restriction > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IESF_PolicyExplorerProcesses | +| Name | IESF_PolicyExplorerProcesses_8 | | Friendly Name | Internet Explorer Processes | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Security Features > Scripted Window Security Restrictions | 
@@ -16228,7 +16411,7 @@ If you disable or do not configure this policy setting, the user can configure h > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -16292,7 +16475,7 @@ Also, see the "Security zones: Do not allow users to change policies" policy. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -16340,7 +16523,7 @@ Enabling this setting automatically opens all sites not included in the Enterpri Disabling, or not configuring this setting, opens all sites based on the currently active browser. -Note: If you've also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. +**Note**: If you've also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. 
@@ -16360,7 +16543,7 @@ Note: If you've also enabled the Administrative Templates\Windows Components\Mic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -16447,7 +16630,7 @@ If you disable or do not configure this policy setting, ActiveX controls, includ > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -16513,13 +16696,13 @@ If you do not configure this policy setting, users can load a page in the zone t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_5 | | Friendly Name | Access data sources across domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | 
@@ -16578,13 +16761,13 @@ If you do not configure this policy setting, users will receive a prompt when a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Name | IZ_PolicyNotificationBarActiveXURLaction_5 | | Friendly Name | Automatic prompting for ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | @@ -16641,13 +16824,13 @@ If you disable or do not configure this setting, users will receive a file downl > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Name | IZ_PolicyNotificationBarDownloadURLaction_5 | | Friendly Name | Automatic prompting for file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | 
@@ -16706,13 +16889,13 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFontDownload | +| Name | IZ_PolicyFontDownload_5 | | Friendly Name | Allow font downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | @@ -16771,13 +16954,13 @@ If you do not configure this policy setting, a warning is issued to the user tha > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyZoneElevationURLaction | +| Name | IZ_PolicyZoneElevationURLaction_5 | | Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | 
@@ -16812,7 +16995,7 @@ If you do not configure this policy setting, a warning is issued to the user tha -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. @@ -16836,13 +17019,13 @@ If you do not configure this policy setting, Internet Explorer will execute unsi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_5 | | Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | 
@@ -16901,13 +17084,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_AllowScriptlets | +| Name | IZ_Policy_AllowScriptlets_5 | | Friendly Name | Allow scriptlets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | @@ -16950,7 +17133,7 @@ If you disable this policy setting, SmartScreen Filter does not scan pages in th If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. 
@@ -16968,13 +17151,13 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_Phishing | +| Name | IZ_Policy_Phishing_5 | | Friendly Name | Turn on SmartScreen Filter scan | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | @@ -17033,13 +17216,13 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUserdataPersistence | +| Name | IZ_PolicyUserdataPersistence_5 | | Friendly Name | Userdata persistence | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | 
@@ -17098,13 +17281,13 @@ If you don't configure this policy setting, Internet Explorer won't check with y > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls | +| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 | | Friendly Name | Don't run antimalware programs against ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | @@ -17165,13 +17348,13 @@ If you do not configure this policy setting, users are queried whether to allow > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_5 | | Friendly Name | Initialize and script ActiveX controls not marked as safe | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | 
@@ -17236,13 +17419,13 @@ If you do not configure this policy setting, the permission is set to Low Safety > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyJavaPermissions | +| Name | IZ_PolicyJavaPermissions_5 | | Friendly Name | Java permissions | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | @@ -17301,13 +17484,13 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Name | IZ_PolicyNavigateSubframesAcrossDomains_5 | | Friendly Name | Navigate windows and frames across different domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | @@ -17321,190 +17504,6 @@ If you do not configure this policy setting, users can open windows and frames f - -## AllowAutoComplete - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowAutoComplete -``` - - - - -This AutoComplete feature can remember and suggest User names and passwords on Forms. - -If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". - -If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. - -If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). 
- -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | RestrictFormSuggestPW | -| Friendly Name | Turn on the auto-complete feature for user names and passwords on forms | -| Location | User Configuration | -| Path | Windows Components > Internet Explorer | -| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main | -| Registry Value Name | FormSuggest Passwords | -| ADMX File Name | inetres.admx | - - - - - - - - - -## DisableActiveXVersionListAutoDownload - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableActiveXVersionListAutoDownload -``` - - - - -This setting determines whether IE automatically downloads updated versions of Microsoft’s VersionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading. - -If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. - -If you disable or don't configure this setting, IE continues to download updated versions of VersionList.XML. - -For more information, see "Out-of-date ActiveX control blocking" in the Internet Explorer TechNet library. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | VersionListAutomaticDownloadDisable | -| Friendly Name | Turn off automatic download of the ActiveX VersionList | -| Location | User Configuration | -| Path | Windows Components > Internet Explorer > Security Features > Add-on Management | -| Registry Key Name | Software\Microsoft\Internet Explorer\VersionManager | -| Registry Value Name | DownloadVersionList | -| ADMX File Name | inetres.admx | - - - - - - - - - -## DisableHomePageChange - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableHomePageChange -``` - - - - -The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run. - -If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies. - -If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | RestrictHomePage | -| Friendly Name | Disable changing home page settings | -| Location | User Configuration | -| Path | Windows Components > Internet Explorer | -| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Control Panel | -| Registry Value Name | HomePage | -| ADMX File Name | inetres.admx | - - - - - - - - diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 9fe15efb61..00c57f2f58 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md 
@@ -4,7 +4,7 @@ description: Learn more about the Kerberos Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/02/2023 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - Kerberos > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -66,13 +64,13 @@ If you disable or do not configure this policy setting, the Kerberos client does > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | forestsearch | +| Name | ForestSearch | | Friendly Name | Use forest search order | | Location | Computer Configuration | | Path | System > Kerberos | 
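Review bot: The rewritten page-level TIP in the -17,9 hunk drops the pointer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy), while the per-policy TIP in the -66,13 hunk is changed to point at exactly that anchor. Someone reading only the top of the page is told to set the Format to chr and XML-encode the payload but is no longer sent to the worked SyncML example. Suggest keeping the example link in the page-level TIP as well, and writing "policies that require" rather than "policies which require" since the clause is restrictive.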
@@ -192,7 +190,7 @@ If you disable or do not configure this policy setting, the client devices will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -307,12 +305,19 @@ Events generated by this configuration: 205, 206, 207, 208. - -Configure SHA-1 hash algorithm for certificate logon + +This policy setting controls the configuration of the SHA1 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm: + +- 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. +- 1 - **Default**: This state sets the algorithm to the recommended state. +- 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. +- 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. + +If you don't configure this policy, the SHA1 algorithm will assume the **Default** state. 
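Review bot: The Audited bullet added in the -307,12 hunk says the SHA1 state "reports an event (ID 206) every time it's used", but the hunk header context for the parent setting lists "Events generated by this configuration: 205, 206, 207, 208", and the SHA256, SHA384 and SHA512 hunks that follow repeat ID 206 word for word. Please confirm whether each algorithm really logs 206 or whether the four IDs map one per algorithm. Anyone building an audit query from this page to decide when SHA1 can be set to Not Supported needs the correct ID for each algorithm.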
@@ -368,12 +373,19 @@ Configure SHA-1 hash algorithm for certificate logon - -Configure SHA-256 hash algorithm for certificate logon + +This policy setting controls the configuration of the SHA256 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm: + +- 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. +- 1 - **Default**: This state sets the algorithm to the recommended state. +- 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. +- 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. + +If you don't configure this policy, the SHA256 algorithm will assume the **Default** state. 
@@ -429,12 +441,19 @@ Configure SHA-256 hash algorithm for certificate logon - -Configure SHA-384 hash algorithm for certificate logon + +This policy setting controls the configuration of the SHA384 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm: + +- 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. +- 1 - **Default**: This state sets the algorithm to the recommended state. +- 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. +- 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. + +If you don't configure this policy, the SHA384 algorithm will assume the **Default** state. 
@@ -490,12 +509,19 @@ Configure SHA-384 hash algorithm for certificate logon - -Configure SHA-512 hash algorithm for certificate logon + +This policy setting controls the configuration of the SHA512 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm: + +- 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. +- 1 - **Default**: This state sets the algorithm to the recommended state. +- 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. +- 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. + +If you don't configure this policy, the SHA512 algorithm will assume the **Default** state. 
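Review bot: The "1 - **Default**" bullet in this hunk, as in the three preceding algorithm hunks, only says the state "sets the algorithm to the recommended state", and the closing sentence says an unconfigured policy "will assume the **Default** state". Neither says which of Not Supported, Audited or Supported that is for SHA512, so an administrator cannot tell from the page what an unconfigured device actually accepts. Suggest naming the effective default per algorithm, or linking to where it is defined.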
@@ -554,11 +580,13 @@ Configure SHA-512 hash algorithm for certificate logon This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. -Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. +> [!WARNING] +> When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. -Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. +> [!NOTE] +> The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. @@ -578,7 +606,7 @@ If you disable or do not configure this policy setting, the client computers in > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -638,7 +666,7 @@ If you disable or do not configure this policy setting, the Kerberos client requ > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -684,7 +712,8 @@ If you enable this policy setting, the Kerberos client or server uses the config If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. -Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. +> [!NOTE] +> This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. 
@@ -702,7 +731,7 @@ Note: This policy setting configures the existing MaxTokenSize registry value in > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -740,7 +769,8 @@ Note: This policy setting configures the existing MaxTokenSize registry value in -Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. +Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. +This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index a3014db5d5..361f69d2b9 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md 
@@ -4,7 +4,7 @@ description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CS author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -98,9 +98,10 @@ This policy setting prevents users from adding new Microsoft accounts on this co -This security setting determines whether the local Administrator account is enabled or disabled. +This security setting determines whether the local Administrator account is enabled or disabled -**Note** s If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. Disabling the Administrator account can become a maintenance issue under certain circumstances. Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. Default: Disabled. +> [!NOTE] +> If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. Disabling the Administrator account can become a maintenance issue under certain circumstances. Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. Default Disabled. 
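Review bot: The added description line in this hunk ends "enabled or disabled" with no period, and the new NOTE ends "Default Disabled." where the removed line had "Default: Disabled.". The default now also sits inside the NOTE after the Safe Mode behaviour, so it reads as part of the caveat rather than as the setting's default value. Suggest restoring the period and the colon, and moving "Default: Disabled." out of the alert block so it follows the first sentence.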
@@ -158,9 +159,10 @@ This security setting determines whether the local Administrator account is enab -This security setting determines if the Guest account is enabled or disabled. Default: Disabled. +This security setting determines if the Guest account is enabled or disabled. Default Disabled -**Note**: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. +> [!NOTE] +> If the Guest account is disabled and the security option Network Access Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. 
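Review bot: Inside the new NOTE in this hunk the security option is written "Network Access Sharing and Security Model for local accounts", where the removed line had "Network Access: Sharing and Security Model for local accounts". The colon separates the category from the setting name, so without it the reader cannot search for the option by its displayed name. The first added line has the same problem: "Default: Disabled." became "Default Disabled" with no colon or period. Suggest restoring the colons and the period while keeping the conversion to a [!NOTE] block.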
@@ -218,11 +220,13 @@ This security setting determines if the Guest account is enabled or disabled. De -Accounts: Limit local account use of blank passwords to console logon only This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. Default: Enabled. +Accounts Limit local account use of blank passwords to console logon only This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. Default Enabled -**Warning**: Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. +> [!WARNING] +> Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services -**Note** s This setting does not affect logons that use domain accounts. It is possible for applications that use remote interactive logons to bypass this setting. +> [!NOTE] +> This setting does not affect logons that use domain accounts. 
It is possible for applications that use remote interactive logons to bypass this setting. @@ -427,7 +431,10 @@ Devices: Allowed to format and eject removable media This security setting deter -Devices: Allow undock without having to log on This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. Default: Enabled. Caution Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. +Devices Allow undock without having to log on This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. Default Enabled + +> [!CAUTION] +> Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. 
@@ -976,9 +983,10 @@ Interactive logon: Message title for users attempting to log on This security se -Interactive logon: Smart card removal behavior This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are: No Action Lock Workstation Force Logoff Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. +Interactive logon Smart card removal behavior This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are No Action Lock Workstation Force Logoff Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. 
This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation -**Note**: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default: This policy is not defined, which means that the system treats it as No action. On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started. +> [!NOTE] +> Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default This policy is not defined, which means that the system treats it as No action. On Windows Vista and above For this setting to work, the Smart Card Removal Policy service must be started. 
@@ -1038,11 +1046,13 @@ Interactive logon: Smart card removal behavior This security setting determines -Microsoft network client: Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. Default: Disabled. +Microsoft network client Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. 
Default Disabled -**Important**: For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). +> [!IMPORTANT] +> For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client Digitally sign communications (if server agrees) -**Note** s All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: . +> [!NOTE] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. 
On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings Microsoft network client Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference . 
@@ -1100,9 +1110,10 @@ Microsoft network client: Digitally sign communications (always) This security s -Microsoft network client: Digitally sign communications (if server agrees) This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default: Enabled. +Microsoft network client Digitally sign communications (if server agrees) This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. 
Default Enabled -**Note** s All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: . +> [!NOTE] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings Microsoft network client Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. 
Microsoft network server Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference . 
@@ -1218,11 +1229,13 @@ Microsoft network client: Send unencrypted password to connect to third-party SM -Microsoft network server: Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. Default: Disabled for member servers. Enabled for domain controllers. +Microsoft network server Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. Default Disabled for member servers. 
Enabled for domain controllers -**Note** s All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. +> [!NOTE] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings Microsoft network client Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. 
Microsoft network client Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors -**Important**: For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: Microsoft network server: Digitally sign communications (if server agrees) For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature For more information, reference: . +> [!IMPORTANT] +> For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. 
To enable server-side SMB packet signing, set the following policy Microsoft network server Digitally sign communications (if server agrees) For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature For more information, reference . 
@@ -1280,9 +1293,10 @@ Microsoft network server: Digitally sign communications (always) This security s -Microsoft network server: Digitally sign communications (if client agrees) This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default: Enabled on domain controllers only. +Microsoft network server Digitally sign communications (if client agrees) This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. 
Default Enabled on domain controllers only -**Important**: For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: . +> [!IMPORTANT] +> For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000 HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. 
For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings Microsoft network client Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference . 
@@ -1398,9 +1412,10 @@ Network access: Allow anonymous SID/name translation This policy setting determi -Network access: Do not allow anonymous enumeration of SAM accounts This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows: Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. Disabled: No additional restrictions. Rely on default permissions. Default on workstations: Enabled. Default on server:Enabled. +Network access Do not allow anonymous enumeration of SAM accounts This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows Enabled Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. Disabled No additional restrictions. Rely on default permissions. Default on workstations Enabled. Default on serverEnabled -**Important**: This policy has no impact on domain controllers. +> [!IMPORTANT] +> This policy has no impact on domain controllers. 
@@ -1622,13 +1637,16 @@ Network access: Restrict clients allowed to make remote calls to SAM This policy -Network security: Allow Local System to use computer identity for NTLM This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. By default, this policy is enabled on Windows 7 and above. By default, this policy is disabled on Windows Vista. This policy is supported on at least Windows Vista or Windows Server 2008. +Network security Allow Local System to use computer identity for NTLM This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. By default, this policy is enabled on Windows 7 and above. By default, this policy is disabled on Windows Vista. This policy is supported on at least Windows Vista or Windows Server 2008 -**Note**: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. +> [!NOTE] +> Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. +- When a service connects with the device identity, signing and encryption are supported to provide data protection. 
+- When a service connects anonymously, a system-generated session key is created, which provides no protection, but it allows applications to sign and encrypt data without errors. Anonymous authentication uses a NULL session, which is a session with a server in which no user authentication is performed; and therefore, anonymous access is allowed. 
@@ -1743,9 +1761,10 @@ Network security: Allow PKU2U authentication requests to this computer to use on -Network security: Do not store LAN Manager hash value on next password change This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. Default on Windows Vista and above: Enabled Default on Windows XP: Disabled. +Network security Do not store LAN Manager hash value on next password change This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. Default on Windows Vista and above Enabled Default on Windows XP Disabled -**Important**: Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. +> [!IMPORTANT] +> Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. 
@@ -1803,9 +1822,10 @@ Network security: Do not store LAN Manager hash value on next password change Th -Network security: Force logoff when logon hours expire This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire. If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired. Default: Enabled. +Network security Force logoff when logon hours expire This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire. If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired. Default Enabled -**Note**: This security setting behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy object (GPO), even if there is a different account policy applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member computers) also receive the same account policy for their local accounts. 
However, local account policies for member computers can be different from the domain account policy by defining an account policy for the organizational unit that contains the member computers. Kerberos settings are not applied to member computers. +> [!NOTE] +> This security setting behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy object (GPO), even if there is a different account policy applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can be different from the domain account policy by defining an account policy for the organizational unit that contains the member computers. Kerberos settings are not applied to member computers. 
@@ -1863,9 +1883,10 @@ Network security: Force logoff when logon hours expire This security setting det -Network security LAN Manager authentication level This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). +Network security LAN Manager authentication level This security setting determines which challenge/response authentication protocol is used for network logons. 
This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows Send LM and NTLM responses Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send LM and NTLM - use NTLMv2 session security if negotiated Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLM response only Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only\refuse LM Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). Send NTLMv2 response only\refuse LM and NTLM Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication) -**Important**: This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. 
Default: Windows 2000 and windows XP: send LM and NTLM responses Windows Server 2003: Send NTLM response only Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only +> [!IMPORTANT] +> This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. Default Windows 2000 and windows XP send LM and NTLM responses Windows Server 2003 Send NTLM response only Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 Send NTLMv2 response only 
@@ -2096,9 +2117,10 @@ Network security: Restrict NTLM: Add remote server exceptions for NTLM authentic -Network security: Restrict NTLM: Audit Incoming NTLM Traffic This policy setting allows you to audit incoming NTLM traffic. If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. This policy is supported on at least Windows 7 or Windows Server 2008 R2. +Network security Restrict NTLM Audit Incoming NTLM Traffic This policy setting allows you to audit incoming NTLM traffic. If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security Restrict NTLM Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security Restrict NTLM Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. This policy is supported on at least Windows 7 or Windows Server 2008 R2 -**Note**: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
+> [!NOTE] +> Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -2157,9 +2179,10 @@ Network security: Restrict NTLM: Audit Incoming NTLM Traffic This policy setting -Network security: Restrict NTLM: Incoming NTLM traffic This policy setting allows you to deny or allow incoming NTLM traffic. If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. This policy is supported on at least Windows 7 or Windows Server 2008 R2. +Network security Restrict NTLM Incoming NTLM traffic This policy setting allows you to deny or allow incoming NTLM traffic. If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. This policy is supported on at least Windows 7 or Windows Server 2008 R2 -**Note**: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
@@ -2218,9 +2241,10 @@ Network security: Restrict NTLM: Incoming NTLM traffic This policy setting allow -Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. This policy is supported on at least Windows 7 or Windows Server 2008 R2. +Network security Restrict NTLM Outgoing NTLM traffic to remote servers This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. 
You can use the "Network security Restrict NTLM Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. This policy is supported on at least Windows 7 or Windows Server 2008 R2 -**Note**: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
@@ -2453,9 +2477,10 @@ User Account Control: Allow UIAccess applications to prompt for elevation withou -User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode This policy setting controls the behavior of the elevation prompt for administrators. The options are: • Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. +User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode This policy setting controls the behavior of the elevation prompt for administrators. The options are • Elevate without prompting Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials -**Note**: Use this option only in the most constrained environments. • Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. • Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. • Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. 
• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +> [!NOTE] +> Use this option only in the most constrained environments. • Prompt for credentials on the secure desktop When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. • Prompt for consent on the secure desktop When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for credentials When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. • Prompt for consent When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for consent for non-Windows binaries (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. 
@@ -2750,9 +2775,10 @@ User Account Control: Only elevate UIAccess applications that are installed in s -User Account Control: Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: • Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. • Disabled: Admin Approval Mode and all related UAC policy settings are disabled. +User Account Control Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are • Enabled (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. • Disabled Admin Approval Mode and all related UAC policy settings are disabled -**Note**: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. +> [!NOTE] +> If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
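Review bot: In the hunk at @@ -1863,9 +1883,10 @@ the added text drops the colon after every option label, so label and description run together ("Send NTLMv2 response only\refuse LM and NTLM Clients use NTLMv2 authentication only ...") and a reader can no longer tell where the option name ends. The defaults have the same problem: "Default Windows 2000 and windows XP send LM and NTLM responses Windows Server 2003 Send NTLM response only" no longer separates each OS from its default level, and that sentence now sits on the "+> " line, so it reads as part of the [!IMPORTANT] callout. Suggest restoring the colons ("Send NTLMv2 response only\refuse LM and NTLM: Clients use ...", "Default: ...") and moving the defaults onto their own line outside the callout, since the default LM/NTLM level per OS is the detail an administrator has to read correctly.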
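Review bot: In the hunk at @@ -2096,9 +2117,10 @@ the quoted cross-references lose their separators: "Network Security Restrict NTLM Incoming NTLM traffic" no longer matches the setting name the removed line used ("Network Security: Restrict NTLM: Incoming NTLM traffic"), so anyone searching for the related policy by its quoted name will not find it. Keep the colons at least inside the quoted names, and restore the period after "Windows Server 2008 R2". The quoted "Network security Restrict NTLM Add remote server exceptions for NTLM authentication" in the @@ -2218,9 +2241,10 @@ hunk needs the same fix.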
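Review bot: In the hunk at @@ -2453,9 +2477,10 @@ the new "+> Use this option only in the most constrained environments." line runs straight on into the remaining five options ("• Prompt for credentials on the secure desktop ..." through "• Prompt for consent for non-Windows binaries (Default) ..."), so all of them, including the default, end up inside the [!NOTE] callout that is meant to qualify only "Elevate without prompting". End the callout after that first sentence and put the option list back in the body text. The colons after the option names should come back too: "Prompt for consent for non-Windows binaries (Default) When an operation ..." is hard to parse without one.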
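Review bot: In the hunk at @@ -2750,9 +2775,10 @@ removing the colons changes how the options read: "• Disabled Admin Approval Mode and all related UAC policy settings are disabled" now parses as a statement about a disabled Admin Approval Mode rather than as the option "Disabled" followed by its effect, and the sentence has lost its final period before the callout. Suggest "• Disabled: Admin Approval Mode and all related UAC policy settings are disabled." and likewise "• Enabled: (Default) ...", so it stays unambiguous which value is the default and which one turns UAC off.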