diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index 70a990a885..8f9901dcb2 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@@ -10,7 +10,7 @@ ms.localizationpriority: high
ms.date: 09/13/2017 #Previsou release date
---
-
+
# Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge
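Review bot: The only change in this hunk is the `-`/`+` pair on the empty line after the front-matter `---`, which looks like a whitespace-only edit. If the new line carries trailing whitespace it should be dropped from the patch. While the front matter is open, the comment on the `ms.date` context line reads "#Previsou release date" and could be corrected to "Previous".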
@@ -38,9 +38,8 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A
This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.
| If you... | Then... |
| --- | --- |
-| Enable this setting (default) | Employees can see the Address bar drop-down functionality in Microsoft Edge. |
-| Disable this setting | Employees do not see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type."
Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting. |
-|
+| Enable (default) | Employees can see the Address bar drop-down functionality in Microsoft Edge. |
+| Disable | Employees do not see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type."
Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting. |
### Allow Adobe Flash
>*Supporteded version: Windows 10*
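Review bot: The new "Disable" row still breaks across two physical lines, with "Disabling this setting turns off the Address bar drop-down functionality..." starting on its own line, so the row is not a single pipe-table row as written. Suggest keeping the whole cell on one line, or moving the precedence sentence about "Configure search suggestions in Address bar" into a paragraph under the table. The trailing context line also reads "Supporteded version", a typo that recurs under several later headings and is worth fixing in the same pass.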
@@ -48,9 +47,8 @@ This policy setting lets you decide whether the Address bar drop-down functional
This policy setting lets you decide whether employees can run Adobe Flash on Microsoft Edge.
| If you… | Then… |
| --- | --- |
-| Enable or don’t configure this setting (default) | Employees can use Adobe Flash. |
-| Disable this setting | Employees cannot use Adobe Flash. |
-|
+| Enable or don’t configure (default) | Employees can use Adobe Flash. |
+| Disable | Employees cannot use Adobe Flash. |
### Allow clearing browsing data on exit
>*Supporteded versions: Windows 10, version 1703*
@@ -58,9 +56,8 @@ This policy setting lets you decide whether employees can run Adobe Flash on Mic
This policy setting allows the automatic clearing of browsing data when Microsoft Edge closes.
| If you… | Then… |
| --- | --- |
-| Enable this setting | Clear browsing history on exit is turned on. |
-| Disable or don’t configure this setting (default) | Employees can turn on and configure the Clear browsing data option under Settings. |
-|
+| Enable | Clear browsing history on exit is turned on. |
+| Disable or don’t configure (default) | Employees can turn on and configure the Clear browsing data option under Settings. |
### Allow Developer Tools
>*Supporteded versions: Windows 10, version 1511 or later*
@@ -68,19 +65,17 @@ This policy setting allows the automatic clearing of browsing data when Microsof
This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge.
| If you… | Then… |
| --- | --- |
-| Enable this setting (default) | F12 Developer Tools are available. |
-| Disable this setting | F12 Developer Tools are not available. |
-|
+| Enable (default) | F12 Developer Tools are available. |
+| Disable | F12 Developer Tools are not available. |
### Allow Extensions
>*Supporteded versions: Windows 10, version 1607 or later*
-This policy setting lets you decide whether employees can use Edge Extensions.
+This policy setting lets you decide whether employees can use Microsft Edge Extensions.
| If you… | Then… |
| --- | --- |
-| Enable this setting | Employees can use Edge Extensions. |
-| Disable this setting | Employees cannot use Edge Extensions. |
-|
+| Enable | Employees can use Microsoft Edge Extensions. |
+| Disable | Employees cannot use Microsoft Edge Extensions. |
### Allow InPrivate browsing
>*Supporteded versions: Windows 10, version 1511 or later*
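Review bot: The added description line under "Allow Extensions" introduces a typo: "Microsft Edge Extensions" should be "Microsoft Edge Extensions", matching the two table rows added just below it. The "Allow Extensions" table also has no row marked "(default)", unlike the "Allow Developer Tools" table in the same hunk, so an administrator cannot tell from this page what an unconfigured device does.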
@@ -88,9 +83,8 @@ This policy setting lets you decide whether employees can use Edge Extensions.
This policy setting lets you decide whether employees can browse using InPrivate website browsing.
| If you… | Then… |
| --- | --- |
-| Enable this setting (default) | Employees can use InPrivate website browsing. |
-| Disable this setting | Employees cannot use InPrivate website browsing. |
-|
+| Enable (default) | Employees can use InPrivate website browsing. |
+| Disable | Employees cannot use InPrivate website browsing. |
### Allow Microsoft Compatibility List
>*Supporteded versions: Windows 10, version 1607 or later*
@@ -98,9 +92,8 @@ This policy setting lets you decide whether employees can browse using InPrivate
This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat.
| If you… | Then… |
| --- | --- |
-| Enable this setting (default) | Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation . Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site renders as though it’s in whatever version of IE is necessary for it to appear properly. |
-| Disable this setting | Browser navigation does not use the Microsoft Compatibility List. |
-|
+| Enable (default) | Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation . Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site renders as though it’s in whatever version of IE is necessary for it to appear properly. |
+| Disable | Browser navigation does not use the Microsoft Compatibility List. |
### Allow search engine customization
>*Supported versions: Windows 10, version 1703*
@@ -111,20 +104,18 @@ For more info, see the [Microsoft browser extension policy](http://aka.ms/browse
| If you… | Then… |
| --- | --- |
-| Enable or don’t configure this setting (default) | Employees can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings. |
-| Disable this setting | Employees cannot add search engines or change the default used in the Address bar. |
-|
+| Enable or don’t configure (default) | Employees can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings. |
+| Disable | Employees cannot add search engines or change the default used in the Address bar. |
### Allow web content on New Tab page
>*Supported versions: Windows 10*
-This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees can’t change it.
+This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees cannot change it.
| If you… | Then… |
| --- | --- |
-| Enable this setting | Microsoft Edge opens a new tab with the New Tab page. |
-| Disable this setting | Microsoft Edge opens a new tab with a blank page. |
-| Do not configure this setting (default) | Employees can choose how new tabs appear. |
-|
+| Enable | Microsoft Edge opens a new tab with the New Tab page. |
+| Disable | Microsoft Edge opens a new tab with a blank page. |
+| Do not configure (default) | Employees can choose how new tabs appear. |
### Configure additional search engines
>*Supported versions: Windows 10, version 1703*
@@ -132,9 +123,8 @@ This policy setting lets you configure what appears when Microsoft Edge opens a
This policy setting lets you add up to 5 additional search engines, which cannot be removed by your employees but can make a personal default engine. This setting does not set the default search engine. For that, you must use the "Set default search engine" setting.
| If you… | Then… |
| --- | --- |
-| Enable this setting | You can add up to 5 additional search engines. For each additional search engine, you must add a link to your OpenSearch XML file, including at least the short name and https URL of the search engine, using this format:
``
For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. | Disable this setting (default) | Any added search engines are removed from the employee’s device. |
-| Do not configure this setting | The search engine list is set to what is specified in App settings. |
-|
+| Enable | You can add up to 5 additional search engines. For each additional search engine, you must add a link to your OpenSearch XML file, including at least the short name and https URL of the search engine, using this format:
``
For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. | Disable setting (default) | Any added search engines are removed from the employee’s device. |
+| Do not configure | The search engine list is set to what is specified in App settings. |
### Configure Autofill
>*Supported versions: Windows 10*
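Review bot: In the new "Enable" row the format example is an empty code span (two backticks with nothing between them), so the instruction "using this format:" has nothing to point at; the sample OpenSearch link needs to be restored or escaped so it renders. The same rewritten line also has the next row fused onto its end and labels it "Disable setting (default)", where every other table in this patch uses "Disable"; it should be its own row starting with a pipe and read "Disable (default)".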
@@ -142,10 +132,9 @@ This policy setting lets you add up to 5 additional search engines, which cannot
This policy setting lets you decide whether employees can use Autofill the form fields automatically while using Microsoft Edge. By default, employees can choose whether to use Autofill.
| If you… | Then… |
| --- | --- |
-| Enable this setting | Employees can use Autofill to populate form fields automatically. |
-| Disable this setting | Employees cannot use Autofill to populate form fields automatically. |
-| Do not configure this setting (default) | Employees can choose whether to use Autofill to populate the form fields automatically. |
-|
+| Enable | Employees can use Autofill to populate form fields automatically. |
+| Disable | Employees cannot use Autofill to populate form fields automatically. |
+| Do not configure (default) | Employees can choose whether to use Autofill to populate the form fields automatically. |
### Configure cookies
>*Supported versions: Windows 10*
@@ -153,9 +142,8 @@ This policy setting lets you decide whether employees can use Autofill the form
This setting lets you configure how to work with cookies.
| If you… | Then… |
| --- | --- |
-| Enable this setting (default) | You must also decide whether to:
**Allow all cookies (default)** from all websites.
**Block all cookies** from all websites.
**Block only 3rd-party cookies** from 3rd-party websites.
|
-| Disable or do not configure this setting | All cookies are allowed from all sites. |
-|
+| Enable (default) | You must also decide whether to:
**Allow all cookies (default)** from all websites.
**Block all cookies** from all websites.
**Block only 3rd-party cookies** from 3rd-party websites.
|
+| Disable or do not configure | All cookies are allowed from all sites. |
### Configure Do Not Track
>*Supported versions: Windows 10*
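Review bot: The "Enable (default)" row is spread over five lines, with the three cookie options outside the cell and the closing pipe alone on the last line, so it will not render as one table row. Suggest putting the options on the row's line separated by line-break markup. The default is also ambiguous: "Enable (default)" with "Allow all cookies (default)" and the "Disable or do not configure" row both end in all cookies being allowed, so state once which state an unmanaged device is in.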
@@ -163,10 +151,9 @@ This setting lets you configure how to work with cookies.
This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests are never sent, but employees can choose to turn on and send requests.
| If you… | Then… |
| --- | --- |
-| Enable this setting | Do Not Track requests are always sent to websites asking for tracking information. |
-| Disable this setting | Do Not Track requests are never sent to websites asking for tracking information. |
-| Do not configure this setting (default) | Employees can choose whether to send Do Not Track requests to websites asking for tracking information. |
-|
+| Enable | Do Not Track requests are always sent to websites asking for tracking information. |
+| Disable | Do Not Track requests are never sent to websites asking for tracking information. |
+| Do not configure (default) | Employees can choose whether to send Do Not Track requests to websites asking for tracking information. |
### Configure Favorites
>*Supported versions: Windows 10, version 1511 or later*
@@ -174,9 +161,8 @@ This policy setting lets you decide whether employees can send Do Not Track requ
This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time.
| If you… | Then… |
| --- | --- |
-| Enable this setting | You must provide a list of Favorites in the Options section. The list imports automatically after you deploy this policy. |
-| Disable or do not configure this setting | Employees will see the Favorites that they set in the Favorites hub. |
-|
+| Enable | You must provide a list of Favorites in the Options section. The list imports automatically after you deploy this policy. |
+| Disable or do not configure | Employees will see the Favorites that they set in the Favorites hub. |
### Configure Password Manager
>*Supported versions: Windows 10*
@@ -184,10 +170,9 @@ This policy setting lets you configure the default list of Favorites that appear
This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on.
| If you… | Then… |
| --- | --- |
-| Enable this setting (default) | Employees can use Password Manager to save their passwords locally. |
-| Disable this setting | Employees can’t use Password Manager to save their passwords locally. |
-| Do not configure this setting | Employees can choose whether to use Password Manager to save their passwords locally. |
-|
+| Enable (default) | Employees can use Password Manager to save their passwords locally. |
+| Disable | Employees cannot use Password Manager to save their passwords locally. |
+| Do not configure | Employees can choose whether to use Password Manager to save their passwords locally. |
### Configure Pop-up Blocker
>*Supported versions: Windows 10*
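Review bot: The table marks "Enable (default)" while the "Do not configure" row says employees can choose, and the intro says Password Manager is turned on by default; as written a reader cannot tell whether an unconfigured device enforces password saving or only starts with it on. Because this controls local credential storage, suggest saying explicitly that the unconfigured state is on but user-changeable, and placing "(default)" on the "Do not configure" row if that is the case.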
@@ -195,10 +180,9 @@ This policy setting lets you decide whether employees can save their passwords l
This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.
| If you… | Then… |
| --- | --- |
-| Enable this setting (default) | Pop-up Blocker is turned on, stopping pop-up windows from appearing. |
-| Disable this setting | Pop-up Blocker is turned off, letting pop-up windows appear. |
-| Do not configure this setting | Employees can choose whether to use Pop-up Blocker. |
-|
+| Enable (default) | Pop-up Blocker is turned on, stopping pop-up windows from appearing. |
+| Disable | Pop-up Blocker is turned off, letting pop-up windows appear. |
+| Do not configure | Employees can choose whether to use Pop-up Blocker. |
### Configure search suggestions in Address bar
>*Supported versions: Windows 10*
@@ -206,10 +190,9 @@ This policy setting lets you decide whether to turn on Pop-up Blocker. By defaul
This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.
| If you… | Then… |
| --- | --- |
-| Enable this setting | Employees can see search suggestions in the Address bar. |
-| Disable this setting | Employees cannot see search suggestions in the Address bar. |
-| Do not configure this setting (default) | Employees can choose whether search suggestions appear in the Address bar. |
-|
+| Enable | Employees can see search suggestions in the Address bar. |
+| Disable | Employees cannot see search suggestions in the Address bar. |
+| Do not configure (default) | Employees can choose whether search suggestions appear in the Address bar. |
### Configure Start pages
>*Supported versions: Windows 10, version 1511 or later*
@@ -217,9 +200,8 @@ This policy setting lets you decide whether search suggestions appear in the Add
This policy setting lets you configure one or more Start pages, for domain-joined devices. Your employees will not be able to change this after you set it.
| If you… | Then… |
| --- | --- |
-| Enable this setting | You must include URLs to the pages, separating multiple pages by using angle brackets in this format:
`` |
-| Disable or do not configure this setting (default) | The default Start page is the webpage specified in App settings. |
-|
+| Enable | You must include URLs to the pages, separating multiple pages by using angle brackets in this format:
`` |
+| Disable or do not configure (default) | The default Start page is the webpage specified in App settings. |
### Configure the Adobe Flash Click-to-Run setting
>*Supported versions: Windows 10, version 1703*
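Review bot: The new "Enable" row tells the admin to separate multiple Start pages "by using angle brackets in this format:" but the example that follows is an empty code span. The sample value should be restored with the angle brackets escaped so they are not swallowed as markup, otherwise the row documents a syntax it never shows.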
@@ -227,9 +209,8 @@ This policy setting lets you configure one or more Start pages, for domain-joine
This policy setting lets you decide whether employees must take action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash.
| If you… | Then… |
| --- | --- |
-| Enable or don’t configure this setting< | Employees must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. |
-| Disable this setting | Adobe Flash loads automatically and runs in Microsoft Edge. |
-|
+| Enable or don’t configure | Employees must click the content, click the Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. |
+| Disable | Adobe Flash loads automatically and runs in Microsoft Edge. |
### Configure the Enterprise Mode Site List
>*Supported versions: Windows 10*
@@ -237,9 +218,8 @@ This policy setting lets you decide whether employees must take action, such as
This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps.
| If you… | Then… |
| --- | --- |
-| Enable this setting | You must add the location to your site list in the **{URI}** box. When configured, Microsoft Edge looks for the Enterprise Mode Site List XML file, which includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode. |
-Disable or do not configure this setting (default) | Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps. |
-|
+| Enable | You must add the location to your site list in the **{URI}** box. When configured, Microsoft Edge looks for the Enterprise Mode Site List XML file, which includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode. |
+Disable or do not configure (default) | Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps. |
>[!Note]
>If there is a .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server has a different version number than the version in the cache container, the server file is used and stored in the cache container.
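Review bot: The added "Disable or do not configure (default)" row is missing its leading pipe, a defect carried over unchanged from the removed line. Every other row added in this patch starts with "| ", so this one should as well to keep the table well-formed.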
@@ -251,10 +231,9 @@ Disable or do not configure this setting (default) | Microsoft Edge won’t use
This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on.
| If you… | Then… |
| --- | --- |
-| Enable this setting | Windows Defender SmartScreen is turned on, and employees cannot turn it off. |
-| Disable this setting | Windows Defender SmartScreen is turned off, and employees cannot turn it on. |
-| Do not configure this setting | Employees can choose whether to use Windows Defender SmartScreen. |
-|
+| Enable | Windows Defender SmartScreen is turned on, and employees cannot turn it off. |
+| Disable | Windows Defender SmartScreen is turned off, and employees cannot turn it on. |
+| Do not configure | Employees can choose whether to use Windows Defender SmartScreen. |
### Disable lockdown of Start pages
>*Supported versions: Windows 10, version 1703*
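Review bot: None of the three rows added for Windows Defender SmartScreen is marked "(default)", although the description line above the table says SmartScreen is turned on by default. For a phishing and malware control the page should say which row an unconfigured device corresponds to. If it is "Do not configure", note there that SmartScreen starts on but employees can turn it off.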
@@ -265,9 +244,8 @@ For more info, see the [Microsoft browser extension policy](http://aka.ms/browse
| If you… | Then… |
| --- | --- |
-| Enable this setting | You cannot lock down Start pages that are configured using the “Configure Start pages” setting. Employees can, therefore, modify the pages. |
-| Disable or do not configure this setting (default) | Employees cannot change Start pages configured using the “Configure Start pages” setting. |
-|
+| Enable | You cannot lock down Start pages that are configured using the “Configure Start pages” setting. Employees can, therefore, modify the pages. |
+| Disable or do not configure (default) | Employees cannot change Start pages configured using the “Configure Start pages” setting. |
### Keep favorites in sync between Internet Explorer and Microsoft Edge
>*Supported versions: Windows 10, version 1703*
@@ -278,9 +256,8 @@ This policy setting lets you decide whether people can sync their favorites betw
[@Reviewer: what is the default: enable or disable?] -->
| If you… | Then… |
| --- | --- |
-| Enable this setting | Employees can sync their favorites between Internet Explorer and Microsoft Edge.
Enabling this setting stops Edge favorites from syncing between connected Windows 10 devices. |
-| Disable or do not configure this setting | Employees cannot sync their favorites between Internet Explorer and Microsoft Edge. |
-|
+| Enable | Employees can sync their favorites between Internet Explorer and Microsoft Edge.
Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices. |
+| Disable or do not configure | Employees cannot sync their favorites between Internet Explorer and Microsoft Edge. |
### Prevent access to the about:flags page
>*Supported versions: Windows 10, version 1607 or later*
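Review bot: The context line above this table still carries the open question "[@Reviewer: what is the default: enable or disable?]", and the rewritten rows do not answer it since neither "Enable" nor "Disable or do not configure" is marked "(default)". Suggest resolving that question and labelling the default row before merging, then removing the reviewer comment.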
@@ -288,9 +265,8 @@ This policy setting lets you decide whether people can sync their favorites betw
This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features.
| If you… | Then… |
| --- | --- |
-| Enable this setting | Employees cannot access the about:flags page. |
-| Disable or do not configure this setting (default) | Employees can access the about:flags page. |
-|
+| Enable | Employees cannot access the about:flags page. |
+| Disable or do not configure (default) | Employees can access the about:flags page. |
### Prevent bypassing Windows Defender SmartScreen prompts for files
>*Supported versions: Windows 10, version 1511 or later*
@@ -298,18 +274,16 @@ This policy setting lets you decide whether employees can access the about:flags
This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files.
| If you… | Then… |
| --- | --- |
-| Enable this setting | Employees cannot ignore Windows Defender SmartScreen warnings when downloading files. |
-| Disable or do not configure this setting (default) | Employees can ignore Windows Defender SmartScreen warnings and can continue the download process. |
-|
+| Enable | Employees cannot ignore Windows Defender SmartScreen warnings when downloading files. |
+| Disable or do not configure (default) | Employees can ignore Windows Defender SmartScreen warnings and can continue the download process. |
### Prevent bypassing Windows Defender SmartScreen prompts for sites
>*Supported versions: Windows 10, version 1511 or later*
This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites.
| If you… | Then… |
| --- | --- |
-| Enable this setting | Employees cannot ignore Windows Defender SmartScreen warnings and prevents them from continuing to the site. |
-| Disable or do not configure this setting (default) | Employees can ignore Windows Defender SmartScreen warnings, allowing them to continue to the site. |
-|
+| Enable | Employees cannot ignore Windows Defender SmartScreen warnings and prevents them from continuing to the site. |
+| Disable or do not configure (default) | Employees can ignore Windows Defender SmartScreen warnings, allowing them to continue to the site. |
### Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start
>*Supported versions: Windows 10, version 1703*
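Review bot: In the second table of this hunk ("...prompts for sites"), the new "Enable" row reads "Employees cannot ignore Windows Defender SmartScreen warnings and prevents them from continuing to the site", which changes subject mid-sentence. Suggest "Employees cannot ignore Windows Defender SmartScreen warnings and cannot continue to the site", parallel to the "files" table above it.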
@@ -317,9 +291,8 @@ This policy setting lets you decide whether employees can override the Windows D
This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu.
| If you… | Then… |
| --- | --- |
-| Enable this setting | Microsoft Edge does not gather the Live Tile metadata, providing a minimal experience. |
-| Disable or do not configure this setting (default) | Microsoft Edge gathers the Live Tile metadata, providing a fuller and complete experience. |
-|
+| Enable | Microsoft Edge does not gather the Live Tile metadata, providing a minimal experience. |
+| Disable or do not configure (default) | Microsoft Edge gathers the Live Tile metadata, providing a fuller and complete experience. |
### Prevent the First Run webpage from opening on Microsoft Edge
@@ -328,9 +301,8 @@ This policy lets you decide whether Microsoft Edge can gather Live Tile metadata
This policy setting lets you decide whether employees see Microsoft's First Run webpage when opening Microsoft Edge for the first time.
| If you… | Then… |
| --- | --- |
-| Enable this settin | Employees do not see the First Run page. |
-| Disable or do not configure this setting (default) | Employees see the First Run page. |
-|
+| Enable | Employees do not see the First Run page. |
+| Disable or do not configure (default) | Employees see the First Run page. |
### Prevent using Localhost IP address for WebRTC
>*Supported versions: Windows 10, version 1511 or later*
@@ -338,9 +310,8 @@ This policy setting lets you decide whether employees see Microsoft's First Run
This policy setting lets you decide whether localhost IP addresses are visible or hidden while making calls to the WebRTC protocol.
| If you… | Then… |
| --- | --- |
-| Enable this setting | Localhost IP addresses are hidden. |
-| Disable or do not configure this setting (default) | Localhost IP addresses are visible. |
-|
+| Enable | Localhost IP addresses are hidden. |
+| Disable or do not configure (default) | Localhost IP addresses are visible. |
### Send all intranet sites to Internet Explorer 11
>*Supported versions: Windows 10*
@@ -348,9 +319,8 @@ This policy setting lets you decide whether localhost IP addresses are visible o
This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge.
| If you… | Then… |
| --- | --- |
-| Enable this setting | All intranet sites are opened in Internet Explorer 11 automatically. |
-| Disable or do not configure this setting (default) | All websites, including intranet sites, open in Microsoft Edge. |
-|
+| Enable | All intranet sites are opened in Internet Explorer 11 automatically. |
+| Disable or do not configure (default) | All websites, including intranet sites, open in Microsoft Edge. |
### Set default search engine
>*Supported versions: Windows 10, version 1703*
@@ -361,10 +331,10 @@ For more info, see the [Microsoft browser extension policy](http://aka.ms/browse
| If you… | Then… |
| --- | --- |
-| Enable this setting | To set a default search engine, you must add a link to your OpenSearch XML file, including at least the short name and https URL of the search engine, using this format:
`https://fabrikam.com/opensearch.xml` |
-| Disable this setting | The policy-set default search engine is removed. If this is also the current in-use default, the search engine changes to the Microsoft Edge specified engine for the market . |
-| Do not configure this setting | The default search engine is set to the one specified in App settings. |
-|
+| Enable | To set a default search engine, you must add a link to your OpenSearch XML file, including at least the short name and https URL of the search engine, using this format:
`https://fabrikam.com/opensearch.xml` |
+| Disable | The policy-set default search engine is removed. If this is also the current in-use default, the search engine changes to the Microsoft Edge specified engine for the market . |
+| Do not configure | The default search engine is set to the one specified in App settings. |
+
>[!Important]
>If you'd like your employees to use the default Microsoft Edge settings for each market , you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING.
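Review bot: This is the only table in the patch where the removed trailing "|" line is replaced by an added blank line; the other hunks simply delete it. Make the treatment consistent, and if the blank line is needed before the "[!Important]" note, check whether the "[!Note]" after the Enterprise Mode Site List table needs one too. The rewritten "Disable" row also keeps the stray space in "for the market ." and could be cleaned up here.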
@@ -374,9 +344,8 @@ For more info, see the [Microsoft browser extension policy](http://aka.ms/browse
This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
| If you… | Then… |
| --- | --- |
-| Enable this setting | Employees see an additional page. |
-| Disable or do not configure this setting (default) | No additional pages display. |
-|
+| Enable | Employees see an additional page. |
+| Disable or do not configure (default) | No additional pages display. |
## Using Microsoft Intune to manage your Mobile Device Management (MDM) settings for Microsoft Edge
If you manage your policies using Intune, you'll want to use these MDM policy settings. You can see the full list of available policies, on the [Policy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=722885) page.
@@ -419,7 +388,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **Allowed values:**
- - **0.** Employees can’t use Autofill to complete form fields.
+ - **0.** Employees cannot use Autofill to complete form fields.
- **1 (default).** Employees can use Autofill to complete form fields.
@@ -436,7 +405,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **Allowed values:**
- - **0.** Employees can’t use Microsoft Edge.
+ - **0.** Employees cannot use Microsoft Edge.
- **1 (default).** Employees can use Microsoft Edge.
@@ -506,7 +475,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **Allowed values:**
- - **0.** Employees can’t use Edge Extensions.
+ - **0.** Employees cannot use Edge Extensions.
- **1 (default).** Employees can use Edge Extensions.
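Review bot: The changed line and the context line after it still say "Edge Extensions", while the Group Policy section of this same patch renames the product to "Microsoft Edge Extensions". Suggest using the full name in both allowed-value lines so the two sections agree.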
@@ -523,7 +492,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **Allowed values:**
- - **0.** Not allowed. Employees can’t use Adobe Flash.
+ - **0.** Not allowed. Employees cannot use Adobe Flash.
- **1 (default).** Allowed. Employees can use Adobe Flash.
@@ -557,7 +526,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **Allowed values:**
- - **0.** Employees can’t use InPrivate browsing.
+ - **0.** Employees cannot use InPrivate browsing.
- **1 (default).** Employees can use InPrivate browsing.
@@ -574,7 +543,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **Allowed values:**
- - **0.** Additional search engines are not allowed and the default can’t be changed in the Address bar.
+ - **0.** Additional search engines are not allowed and the default cannot be changed in the Address bar.
- **1 (default).** Additional search engines are allowed and the default can be changed in the Address bar.
@@ -625,7 +594,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **Allowed values:**
- - **0.** Additional search engines are not allowed and the default can’t be changed in the Address bar.
+ - **0.** Additional search engines are not allowed and the default cannot be changed in the Address bar.
- **1 (default).** Additional search engines are allowed and the default can be changed in the Address bar.
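Review bot: The value **0** text in this hunk is word-for-word the same as in the hunk at -574 above ("Additional search engines are not allowed and the default cannot be changed in the Address bar."). If the two locations document different settings, one of them is carrying a copied description. Please confirm which setting this block belongs to and fix the wording in the same pass as the "can't" to "cannot" cleanup.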
@@ -643,7 +612,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **Allowed values:**
- - **0 (default).** Employees can’t see search suggestions in the Address bar of Microsoft Edge.
+ - **0 (default).** Employees cannot see search suggestions in the Address bar of Microsoft Edge.
- **1.** Employees can see search suggestions in the Address bar of Microsoft Edge.
@@ -1018,7 +987,7 @@ These are additional Windows 10-specific MDM policy settings that work with Mic
- **Allowed values:**
- - **0.** Employees can’t use Cortana on their devices.
+ - **0.** Employees cannot use Cortana on their devices.
- **1 (default).** Employees can use Cortana on their devices.
@@ -1033,7 +1002,7 @@ These are additional Windows 10-specific MDM policy settings that work with Mic
- **Allowed values:**
- - **0.** Employees can’t sync settings between PCs.
+ - **0.** Employees cannot sync settings between PCs.
- **1 (default).** Employees can sync between PCs.
diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md
index b932073a8f..d1b54552d1 100644
--- a/education/trial-in-a-box/educator-tib-get-started.md
+++ b/education/trial-in-a-box/educator-tib-get-started.md
@@ -108,6 +108,7 @@ Microsoft OneNote organizes curriculum and lesson plans for teachers and student
**Try this!**
See how a group project comes together with opportunities to interact with other students and collaborate with peers. This one works best with the digital pen, included with your Trial in a Box.
+When you're not using the pen, just use the magnet to stick it to the left side of the screen until you need it again.
1. On the **Start** menu, click the OneNote shortcut named **Imagine Giza** to open the **Reimagine the Great Pyramid of Giza project**.
2. Take the digital pen out of the box and make notes or draw.
@@ -121,7 +122,7 @@ See how a group project comes together with opportunities to interact with other

- - The Researcher tool from the Insert tab can help find answers.
+ - To find information without leaving OneNote, use the Researcher tool found under the Insert tab.

@@ -153,8 +154,9 @@ Today, we'll explore a Minecraft world through the eyes of a student.
9. Explore the world by using the keys on your keyboard.
* **W** moves forward.
* **A** moves left.
- * **D** moves right.
- * **S** moves backward
+ * **S** moves right.
+ * **D** moves backward.
+
10. Use your mouse as your "eyes". Just move it to look around.
11. For a bird's eye view, double-tap the SPACE BAR. Now press the SPACE BAR to fly higher. And then hold the SHIFT key to safely land.
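Review bot: The key list under step 9 now says **S** moves right and **D** moves backward, which reverses the removed lines and breaks the WASD layout that the two untouched bullets follow (**W** forward, **A** left). Restore `* **D** moves right.` and `* **S** moves backward.`, keeping only the added trailing period and the blank line before step 10.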
diff --git a/education/trial-in-a-box/images/onenote_checkmark.PNG b/education/trial-in-a-box/images/onenote_checkmark.PNG
deleted file mode 100644
index fc6cccebc4..0000000000
Binary files a/education/trial-in-a-box/images/onenote_checkmark.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/onenote_checkmark.png b/education/trial-in-a-box/images/onenote_checkmark.png
new file mode 100644
index 0000000000..1d276b4c1d
Binary files /dev/null and b/education/trial-in-a-box/images/onenote_checkmark.png differ
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 1ac5a9f388..ca5fd03714 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -155,6 +155,8 @@
#### [Maps DDF](maps-ddf-file.md)
### [Messaging CSP](messaging-csp.md)
#### [Messaging DDF file](messaging-ddf.md)
+### [MultiSIM CSP](multisim-csp.md)
+#### [MultiSIM DDF file](multisim-ddf.md)
### [NAP CSP](nap-csp.md)
### [NAPDEF CSP](napdef-csp.md)
### [NetworkProxy CSP](networkproxy-csp.md)
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index 99f4d3a1a1..554704a16d 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 02/22/2018
+ms.date: 03/01/2018
---
# AssignedAccess CSP
@@ -62,7 +62,8 @@ The supported operations are Add, Delete, Get and Replace. When there's no confi
Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps).Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
> [!Note]
-> You cannot set both KioskModeApp and Configuration at the same time in the device in Windows 10, version 1709.
+> You cannot set both KioskModeApp and Configuration at the same time on the device in Windows 10, version 1709.
+> You cannot set both ShellLauncher and Configuration at the same time on the device.
Enterprises can use this to easily configure and manage the curated lockdown experience.
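Review bot: In the `[!Note]` block, the added ShellLauncher line sits directly under the KioskModeApp line with no empty `>` line between them, so Markdown will fold the two sentences into one paragraph. Separate them with an empty `>` line or turn them into list items. The first sentence is scoped to "Windows 10, version 1709" while the new one names no version, even though the next hunk states that ShellLauncher was added in version 1803. Add the version so the two restrictions read consistently.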
@@ -98,6 +99,9 @@ Supported operation is Get.
**./Device/Vendor/MSFT/AssignedAccess/ShellLauncher**
Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema.
+> [!Note]
+> You cannot set both ShellLauncher and Configuration at the same time on the device.
+
**./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration**
Added in Windows 10, version 1803. This node accepts a StatusConfiguration xml as input to configure the Kiosk App Health monitoring. There are three possible values for StatusEnabled node inside StatusConfiguration xml: On, OnWithAlerts, and Off. Click [link](#statusconfiguration-xsd) to see the StatusConfiguration schema.
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index 16f80bc1f1..e7ed3131c8 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -1295,6 +1295,34 @@ Footnotes:
+
+[MultiSIM CSP](multisim-csp.md)
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
4
+
4
+
4
+
4
+
4
+
4
+
4
+
+
+
+
+
+
[NAP CSP](nap-csp.md)
diff --git a/windows/client-management/mdm/images/provisioning-csp-multisim.png b/windows/client-management/mdm/images/provisioning-csp-multisim.png
new file mode 100644
index 0000000000..86473079f4
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-multisim.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-update.png b/windows/client-management/mdm/images/provisioning-csp-update.png
index d98b7fcea1..e88466a113 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-update.png and b/windows/client-management/mdm/images/provisioning-csp-update.png differ
diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md
new file mode 100644
index 0000000000..9467b896ff
--- /dev/null
+++ b/windows/client-management/mdm/multisim-csp.md
@@ -0,0 +1,58 @@
+---
+title: MultiSIM CSP
+description: MultiSIM CSP allows the enterprise to manage devices with dual SIM single active configuration.
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 02/27/2018
+---
+
+# MultiSIM CSP
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The MultiSIM configuration service provider (CSP) is used by the enterprise to manage devices with dual SIM single active configuration. An enterprise can set policies on whether that user can switch between SIM slots, specify which slot is the default, and whether the slot is embedded. This CSP was added in Windows 10, version 1803.
+
+
+The following diagram shows the MultiSIM configuration service provider in tree format.
+
+
+
+**./Device/Vendor/MSFT/MultiSIM**
+Root node.
+
+**_ModemID_**
+Node representing a Mobile Broadband Modem. The node name is the modem ID. Modem ID is a GUID without curly braces, with exception of "Embedded" which represents the embedded modem.
+
+**_ModemID_/Identifier**
+Modem ID.
+
+**_ModemID_/IsEmbedded**
+Indicates whether this modem is embedded or external.
+
+**_ModemID_/Slots**
+Represents all SIM slots in the Modem.
+
+**_ModemID_/Slots/_SlotID_**
+Node representing a SIM Slot. The node name is the Slot ID. SIM Slot ID format is "0", "1", etc., with exception of "Embedded" which represents the embedded Slot.
+
+**_ModemID_/Slots/_SlotID_/Identifier**
+Slot ID.
+
+**_ModemID_/Slots/_SlotID_/IsEmbedded**
+Indicates whether this Slot is embedded or a physical SIM slot.
+
+**_ModemID_/Slots/_SlotID_/IsSelected**
+Indicates whether this Slot is selected or not.
+
+**_ModemID_/Slots/_SlotID_/State**
+Slot state (Unknown = 0, OffEmpty = 1, Off = 2, Empty = 3, NotReady = 4, Active = 5, Error = 6, ActiveEsim = 7, ActiveEsimNoProfile = 8)
+
+**_ModemID_/Policies**
+Policies associated with the Modem.
+
+**_ModemID_/Policies/SlotSelectionEnabled**
+Determines whether the user is allowed to change slots in the Cellular settings UI. Default is true.
\ No newline at end of file
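Review bot: The intro says an enterprise can "specify which slot is the default", but none of the nodes documented below is described as setting a default slot, and no node lists its supported operations or data type, so a reader cannot tell which of IsEmbedded, IsSelected and SlotSelectionEnabled are writable. State the supported operations and value format for each node, and say which node carries the default-slot choice. Wording: "whether that user" should be "whether the user", and "with exception of" should be "with the exception of" in both places. The file also ends without a trailing newline.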
diff --git a/windows/client-management/mdm/multisim-ddf.md b/windows/client-management/mdm/multisim-ddf.md
new file mode 100644
index 0000000000..ccdbecbaee
--- /dev/null
+++ b/windows/client-management/mdm/multisim-ddf.md
@@ -0,0 +1,291 @@
+---
+title: MultiSIM DDF file
+description: XML file containing the device description framework
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 02/27/2018
+---
+
+# MultiSIM CSP
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This topic shows the OMA DM device description framework (DDF) for the **MultiSIM** configuration service provider.
+
+The XML below is for Windows 10, version 1803.
+
+``` syntax
+
+]>
+
+ 1.2
+
+ MultiSIM
+ ./Device/Vendor/MSFT
+
+
+
+
+ Subtree for multi-SIM management.
+
+
+
+
+
+
+
+
+
+
+ com.microsoft/1.0/MDM/MultiSIM
+
+
+
+
+
+
+
+
+
+ Node representing a Mobile Broadband Modem. The node name is the Modem ID. Modem ID is a GUID without curly braces, with exception of "Embedded" which represents the embedded Modem.
+
+
+
+
+
+
+
+
+
+ ModemID
+
+
+
+
+
+ Identifier
+
+
+
+
+ Modem ID.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IsEmbedded
+
+
+
+
+ Indicates whether this Modem is embedded or external.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Slots
+
+
+
+
+ Represents all SIM slots in the Modem.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Node representing a SIM Slot. The node name is the Slot ID. SIM Slot ID format is "0", "1", etc., with exception of "Embedded" which represents the embedded Slot.
+
+
+
+
+
+
+
+
+
+ SlotID
+
+
+
+
+
+ Identifier
+
+
+
+
+ Slot ID.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IsEmbedded
+
+
+
+
+ Indicates whether this Slot is embedded or a physical SIM slot.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IsSelected
+
+
+
+
+
+ Indicates whether this Slot is selected or not.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ State
+
+
+
+
+ Slot state (Unknown = 0, OffEmpty = 1, Off = 2, Empty = 3, NotReady = 4, Active = 5, Error = 6, ActiveEsim = 7, ActiveEsimNoProfile = 8)
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+
+ Policies
+
+
+
+
+ Policies associated with the Modem.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ SlotSelectionEnabled
+
+
+
+
+
+ true
+ Determines whether the user is allowed to change slots in the Cellular settings UI. Default is true.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+
+
+```
\ No newline at end of file
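Review bot: The H1 reads `# MultiSIM CSP` although the front matter title is "MultiSIM DDF file" and the TOC entry added in this commit is "MultiSIM DDF file", so this page and multisim-csp.md end up with the same heading. Change the heading to `# MultiSIM DDF file`. The description "XML file containing the device description framework" should also name the MultiSIM CSP, and the file is missing its trailing newline.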
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 17ab0d9a6c..46bd55a93f 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 02/05/2018
+ms.date: 02/26/2018
---
# What's new in MDM enrollment and management
@@ -1410,6 +1410,16 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
+
### TaskScheduler policies
@@ -2820,6 +2824,9 @@ The following diagram shows the Policy configuration service provider in tree fo
### TextInput policies
Cellular/ShowAppCellularAccessUI
@@ -103,7 +103,7 @@ The following list shows the supported values:
-**Cellular/LetAppsAccessCellularData_ForceAllowTheseApps**
+**Cellular/LetAppsAccessCellularData_ForceAllowTheseApps**
@@ -146,7 +146,7 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N
-**Cellular/LetAppsAccessCellularData_ForceDenyTheseApps**
+**Cellular/LetAppsAccessCellularData_ForceDenyTheseApps**
@@ -189,7 +189,7 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N
-**Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps**
+**Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps**
@@ -561,7 +564,7 @@ The following list shows the supported values:
2
2
2
-
2
+
@@ -672,11 +675,11 @@ The following list shows the supported values:
1
-
1
1
+
@@ -781,12 +784,12 @@ The following list shows the supported values:
-
-
+
+
@@ -795,7 +798,7 @@ The following list shows the supported values:
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
-> * User
+> * Device
@@ -838,11 +841,11 @@ The following list shows the supported values:
-
1
1
+
@@ -896,7 +899,7 @@ The following list shows the supported values:
2
2
-
2
+
@@ -932,6 +935,67 @@ The following list shows the supported values:
+
+**Experience/AllowWindowsSpotlightOnSettings**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
4
+
4
+
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Added in Windows 10, version 1083. This policy allows IT admins to turn off Suggestions in Settings app. These suggestions from Microsoft may show after each OS clean install, upgrade or an on-going basis to help users discover apps/features on Windows or across devices, to make thier experience productive.
+
+- User setting is under Settings -> Privacy -> General -> Show me suggested content in Settings app.
+- User Setting is changeable on a per user basis.
+- If the Group policy is set to off, no suggestions will be shown to the user in Settings app.
+
+
+
+The following list shows the supported values:
+
+- 0 - Not allowed.
+- 1 - Allowed.
+
+
+
+
+
+
+
+
+
+
+
+
+
**Experience/AllowWindowsSpotlightWindowsWelcomeExperience**
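Review bot: "Added in Windows 10, version 1083" in the new AllowWindowsSpotlightOnSettings description looks like a transposition of 1803, the version the other policies added in this commit cite. The same paragraph has "thier" for "their", and "upgrade or an on-going basis" needs to read "upgrade, or on an ongoing basis". The bullets switch between "User setting" and "User Setting" and refer to "the Group policy" inside an MDM policy description. Pick one casing and say "this policy".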
@@ -951,7 +1015,7 @@ The following list shows the supported values:
2
2
-
2
+
@@ -1004,12 +1068,12 @@ The following list shows the supported values:
-
-
+
+
@@ -1055,11 +1119,11 @@ The following list shows the supported values:
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1803. Specifies text prediction for hardware keyboard is always disabled. When this policy is set to 0, text prediction for hardware keyboard is always disabled.
+
+
+
+The following list shows the supported values:
+
+- 0 – Text prediction for the hardware keyboard is disabled and the switch is unusable (user cannot activate the feature).
+- 1 (default) – Text prediction for the hardware keyboard is enabled. User can change the setting.
+
+
+
+
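Review bot: The added description says the policy "Specifies text prediction for hardware keyboard is always disabled", which covers only value 0 and is then repeated by the second sentence, while the supported values list shows that 1 (default) leaves prediction enabled and user-changeable. Reword the first sentence to "Specifies whether text prediction for the hardware keyboard is enabled" and keep the second sentence for the 0 case. The value list also uses an en dash separator ("0 –") where the neighbouring policies use a hyphen.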
@@ -806,8 +883,416 @@ The following list shows the supported values:
+
+
+**TextInput/ForceTouchKeyboardDockedState**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
4
+
4
+
4
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1803. Specifies the touch keyboard is always docked. When this policy is set to enabled, the touch keyboard is always docked.
+
+
+
+The following list shows the supported values:
+
+- 0 - (default) - The OS determines when it's most appropriate to be available.
+- 1 - Touch keyboard is always docked.
+- 2 - Touch keyboard docking can be changed.
+
+
+
+
+
+
+
+**TextInput/TouchKeyboardDictationButtonAvailability**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
4
+
4
+
4
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1803. Specifies whether the dictation input button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the dictation input button on touch keyboard is disabled.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - The OS determines when it's most appropriate to be available.
+- 1 - Dictation button on the keyboard is always available.
+- 2 - Dictation button on the keyboard is always disabled.
+
+
+
+
+
+
+
+**TextInput/TouchKeyboardEmojiButtonAvailability**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
4
+
4
+
4
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1803. Specifies whether the emoji button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the emoji button on touch keyboard is disabled.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - The OS determines when it's most appropriate to be available.
+- 1 - Emoji button on keyboard is always available.
+- 2 - Emoji button on keyboard is always disabled.
+
+
+
+
+
+
+
+**TextInput/TouchKeyboardFullModeAvailability**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
4
+
4
+
4
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1803. Specifies whether the full keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the full keyboard mode for touch keyboard is disabled.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - The OS determines when it's most appropriate to be available.
+- 1 - Full keyboard is always available.
+- 2 - Full keyboard is always disabled.
+
+
+
+
+
+
+
+**TextInput/TouchKeyboardHandwritingModeAvailability**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
4
+
4
+
4
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1803. Specifies whether the handwriting input panel is enabled or disabled. When this policy is set to disabled, the handwriting input panel is disabled.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - The OS determines when it's most appropriate to be available.
+- 1 - Handwriting input panel is always available.
+- 2 - Handwriting input panel is always disabled.
+
+
+
+
+
+
+
+**TextInput/TouchKeyboardNarrowModeAvailability**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
4
+
4
+
4
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1803. Specifies whether the narrow keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the narrow keyboard mode for touch keyboard is disabled.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - The OS determines when it's most appropriate to be available.
+- 1 - Narrow keyboard is always available.
+- 2 - Narrow keyboard is always disabled.
+
+
+
+
+
+
+
+**TextInput/TouchKeyboardSplitModeAvailability**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
4
+
4
+
4
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1803. Specifies whether the split keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the split keyboard mode for touch keyboard is disabled.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - The OS determines when it's most appropriate to be available.
+- 1 - Split keyboard is always available.
+- 2 - Split keyboard is always disabled.
+
+
+
+
+
+
+
+**TextInput/TouchKeyboardWideModeAvailability**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
4
+
4
+
4
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1803. Specifies whether the wide keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the wide keyboard mode for touch keyboard is disabled.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - The OS determines when it's most appropriate to be available.
+- 1 - Wide keyboard is always available.
+- 2 - Wide keyboard is always disabled.
+
+
+
+
+
Footnote:
- 1 - Added in Windows 10, version 1607.
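Review bot: In TextInput/ForceTouchKeyboardDockedState, value 0 is described as "The OS determines when it's most appropriate to be available", which is the wording of the availability policies below it and says nothing about docking. It also formats the default as "0 - (default) -" where the other policies use "0 (default) -". Give value 0 a docking-specific description and align the format. Across all eight policies in this hunk the prose says "set to enabled" or "set to disabled" while the supported values are 0, 1 and 2. Name the number (for example "set to 2") so the sentence matches what an admin actually sends.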
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md
index 72cac2741a..406db3df06 100644
--- a/windows/client-management/mdm/policy-ddf-file.md
+++ b/windows/client-management/mdm/policy-ddf-file.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/05/2017
+ms.date: 02/26/2018
---
# Policy DDF file
@@ -24,7 +24,7 @@ You can download the DDF files from the links below:
- [Download the Policy DDF file for Windows 10, version 1607 release 8C](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml)
- [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)
-The XML below is the DDF for Windows 10, version 1709.
+The XML below is the DDF for Windows 10, version 1803.
``` syntax
@@ -50,7 +50,7 @@ The XML below is the DDF for Windows 10, version 1709.
- com.microsoft/6.0/MDM/Policy
+ com.microsoft/7.0/MDM/Policy
@@ -58,8 +58,8 @@ The XML below is the DDF for Windows 10, version 1709.
-
+
@@ -79,8 +79,8 @@ The XML below is the DDF for Windows 10, version 1709.
-
+
@@ -125,8 +125,8 @@ The XML below is the DDF for Windows 10, version 1709.
-
+
@@ -219,8 +219,8 @@ The XML below is the DDF for Windows 10, version 1709.
-
+
@@ -265,8 +265,8 @@ The XML below is the DDF for Windows 10, version 1709.
-
+
@@ -359,8 +359,8 @@ The XML below is the DDF for Windows 10, version 1709.
-
+
@@ -447,6 +447,30 @@ The XML below is the DDF for Windows 10, version 1709.
+
+ AllowConfigurationUpdateForBooksLibrary
+
+
+
+
+
+
+
+ This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ AllowCookies
@@ -875,6 +899,30 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
+
+ EnableExtendedBooksTelemetry
+
+
+
+
+
+
+
+ This setting allows organizations to send extended telemetry on book usage from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ EnterpriseModeSiteList
@@ -1131,6 +1179,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ PreventTabPreloading
+
+
+
+
+
+
+
+ Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ PreventUsingLocalHostIPAddressForWebRTC
@@ -1288,14 +1360,38 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ UseSharedFolderForBooks
+
+
+
+
+
+
+
+ This setting specifies whether organizations should use a folder shared across users to store books from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ CredentialsUI
-
+
@@ -1340,8 +1436,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -1381,13 +1477,59 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ Display
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EnablePerProcessDpi
+
+
+
+
+
+
+
+ Enable or disable Per-Process System DPI for all applications.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ Education
-
+
@@ -1480,8 +1622,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -1646,8 +1788,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -1710,30 +1852,6 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
- AllowWindowsConsumerFeatures
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
- AllowWindowsSpotlight
@@ -1782,6 +1900,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ AllowWindowsSpotlightOnSettings
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ AllowWindowsSpotlightWindowsWelcomeExperience
@@ -1836,8 +1978,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -3508,6 +3650,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ InternetZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ InternetZoneDoNotRunAntimalwareAgainstActiveXControls
@@ -4828,6 +4994,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ LockedDownIntranetJavaPermissions
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ LockedDownIntranetZoneAllowAccessToDataSources
@@ -6652,6 +6842,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
@@ -7541,13 +7755,179 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ KioskBrowser
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ BlockedUrlExceptions
+
+
+
+
+
+
+
+ List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ BlockedUrls
+
+
+
+
+
+
+
+ List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DefaultURL
+
+
+
+
+
+
+
+ Configures the default URL kiosk browsers to navigate on launch and restart.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableHomeButton
+
+
+
+
+
+
+
+ Enable/disable kiosk browser's home button.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableNavigationButtons
+
+
+
+
+
+
+
+ Enable/disable kiosk browser's navigation buttons (forward/back).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RestartOnIdleTime
+
+
+
+
+
+
+
+ Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ Notifications
-
+
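Review bot: The BlockedUrls and BlockedUrlExceptions descriptions both say "with wildcard support" but give neither the wildcard syntax nor the list delimiter, and RestartOnIdleTime gives no range and no value that turns the restart off. For a kiosk lockdown these details decide whether a block list covers what the admin intends, so add them to the descriptions or point to the page that defines them. Wording: "can not navigate to" should be "cannot navigate to", and "Configures the default URL kiosk browsers to navigate on launch and restart" should read "Configures the default URL that kiosk browsers navigate to on launch and restart".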
@@ -7592,8 +7972,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7638,8 +8018,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7684,8 +8064,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7700,6 +8080,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ DisableContextMenus
+
+
+
+
+
+
+
+ Enabling this policy prevents context menus from being invoked in the Start Menu.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HidePeopleBar
@@ -7754,8 +8158,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7795,6 +8199,52 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ WindowsPowerShell
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TurnOnPowerShellScriptBlockLogging
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ Result
@@ -7840,8 +8290,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -7854,6 +8304,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ WindowsStore.admx
+ WindowsStore~AT~WindowsComponents~WindowsStore
+ RequirePrivateStoreOnly_1HighestValueMostSecure
@@ -7883,8 +8337,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7910,8 +8364,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7937,8 +8391,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7984,8 +8438,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -8028,8 +8482,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -8055,8 +8509,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -8082,8 +8536,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -8129,8 +8583,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.1
+ This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.
@@ -8145,6 +8599,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowAddressBarDropdownLowestValueMostSecure
@@ -8154,8 +8611,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge.0
+ This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge.
@@ -8169,6 +8626,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowAutofillLowestValueMostSecure
@@ -8178,8 +8638,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -8198,13 +8658,13 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- AllowCookies
+ AllowConfigurationUpdateForBooksLibrary
- This setting lets you configure how your company deals with cookies.
- 2
+ 1
+ This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library.
@@ -8217,6 +8677,35 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ LowestValueMostSecure
+
+
+
+ AllowCookies
+
+
+
+
+ 2
+ This setting lets you configure how your company deals with cookies.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ MicrosoftEdge.admx
+ CookiesListBox
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ CookiesLowestValueMostSecure
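Review bot: the AllowConfigurationUpdateForBooksLibrary entry that this hunk closes ends with only LowestValueMostSecure. It has no MicrosoftEdge.admx file, parent category or policy name, while the AllowCookies entry added directly after it carries all of them (MicrosoftEdge.admx, CookiesListBox, MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge, Cookies). If the Books Library policy is ADMX-backed, add the mapping; if it is not, say so in its description. The AllowCookies description also leaves its values undefined even though the default is 2 and the entry is tagged LowestValueMostSecure, so list what each value means.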
@@ -8226,8 +8715,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge.1
+ This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge.
@@ -8242,6 +8731,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowDeveloperToolsLowestValueMostSecure
@@ -8251,8 +8743,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info.0
+ This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info.
@@ -8266,6 +8758,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowDoNotTrackLowestValueMostSecure
@@ -8275,8 +8770,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This setting lets you decide whether employees can load extensions in Microsoft Edge.1
+ This setting lets you decide whether employees can load extensions in Microsoft Edge.
@@ -8291,6 +8786,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowExtensionsLowestValueMostSecure
@@ -8300,8 +8798,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.1
+ This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.
@@ -8316,6 +8814,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowFlashHighestValueMostSecure
@@ -8325,8 +8826,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Configure the Adobe Flash Click-to-Run setting.1
+ Configure the Adobe Flash Click-to-Run setting.
@@ -8341,6 +8842,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowFlashClickToRunHighestValueMostSecure
@@ -8350,8 +8854,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This setting lets you decide whether employees can browse using InPrivate website browsing.1
+ This setting lets you decide whether employees can browse using InPrivate website browsing.
@@ -8365,6 +8869,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowInPrivateLowestValueMostSecure
@@ -8374,12 +8881,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ 1This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat.
If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly.
If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation.
- 1
@@ -8393,6 +8900,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowCVListLowestValueMostSecure
@@ -8402,8 +8912,8 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
- This setting lets you decide whether employees can save their passwords locally, using Password Manager.1
+ This setting lets you decide whether employees can save their passwords locally, using Password Manager.
@@ -8417,6 +8927,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowPasswordManagerLowestValueMostSecure
@@ -8426,8 +8939,8 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
- This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows.0
+ This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows.
@@ -8442,6 +8955,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowPopupsLowestValueMostSecure
@@ -8451,13 +8967,13 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
+ 1Allow search engine customization for MDM enrolled devices. Users can change their default search engine.
If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings.
If this setting is disabled, users will be unable to add search engines or change the default used in the address bar.
This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy).
- 1
@@ -8471,6 +8987,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowSearchEngineCustomizationLowestValueMostSecure
@@ -8480,8 +8999,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge.1
+ This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge.
@@ -8495,6 +9014,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowSearchSuggestionsinAddressBarLowestValueMostSecure
@@ -8504,8 +9026,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- This setting lets you decide whether to turn on Windows Defender SmartScreen.1
+ This setting lets you decide whether to turn on Windows Defender SmartScreen.
@@ -8519,6 +9041,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowSmartScreenLowestValueMostSecure
@@ -8528,8 +9053,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device.0
+ Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device.
@@ -8543,6 +9068,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AlwaysEnableBooksLibraryLowestValueMostSecure
@@ -8552,8 +9080,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- Specifies whether to always clear browsing history on exiting Microsoft Edge.0
+ Specifies whether to always clear browsing history on exiting Microsoft Edge.
@@ -8568,6 +9096,9 @@ This policy will only apply on domain joined machines or when the device is MDM
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowClearingBrowsingDataOnExitLowestValueMostSecure
@@ -8577,6 +9108,7 @@ This policy will only apply on domain joined machines or when the device is MDM
+ Allows you to add up to 5 additional search engines for MDM-enrolled devices.
If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default.
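Review bot: the added summary line scopes this policy to "MDM-enrolled devices", but the note that closes the same description says it applies "on domain-joined machines or when the device is MDM-enrolled". Align the summary with that note so the first sentence does not understate where the policy takes effect. The description also asks for "a link to the OpenSearch XML file" without saying which URL schemes are accepted; state that here.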
@@ -8584,7 +9116,6 @@ If this setting is turned on, you can add up to 5 additional search engines for
If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
-
@@ -8597,6 +9128,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ ConfigureAdditionalSearchEngines_Prompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ ConfigureAdditionalSearchEnginesLastWrite
@@ -8606,13 +9141,13 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ 0Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect.
Note: This policy has no effect when Browser/HomePages is not configured.
Important
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
- 0
@@ -8627,6 +9162,36 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ DisableLockdownOfStartPages
+ LowestValueMostSecure
+
+
+
+ EnableExtendedBooksTelemetry
+
+
+
+
+ 0
+ This setting allows organizations to send extended telemetry on book usage from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ EnableExtendedBooksTelemetryLowestValueMostSecure
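Review bot: the EnableExtendedBooksTelemetry description says only that the setting "allows organizations to send extended telemetry on book usage from the Books Library". It does not say what the extended data contains, where it is sent, or which of 0 and 1 turns it on. With a default of 0 and a LowestValueMostSecure tag the intent is presumably that 0 means off; state that explicitly so an admin reviewing data-collection settings does not have to infer it.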
@@ -8636,8 +9201,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
- This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites.
+ This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites.
@@ -8651,6 +9216,10 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
text/plainphone
+ MicrosoftEdge.admx
+ EnterSiteListPrompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ EnterpriseModeSiteListLastWrite
@@ -8660,8 +9229,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
-
+
@@ -8684,8 +9253,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
- Configure first run URL.
+ Configure first run URL.
@@ -8708,13 +9277,13 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
+ Configure the Start page URLs for your employees.
Example:
If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support.
Encapsulate each string with greater than and less than characters like any other XML tag.
Version 1703 or later: If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL.
-
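Review bot: the text after "Example:" never shows an example value. It describes the format in words ("Encapsulate each string with greater than and less than characters like any other XML tag") and speaks of wanting to "allow" contoso.com and fabrikam.com, although the added first sentence says this setting configures Start page URLs, not an allow list. Add the literal value with the angle brackets escaped for XML, and reword "allow" to match the summary. The same applies to the about:blank sentence, which again describes the brackets instead of showing them.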
@@ -8728,6 +9297,10 @@ Version 1703 or later: If you don't want to send traffic to Microsoft, you ca
text/plainphone
+ MicrosoftEdge.admx
+ HomePagesPrompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ HomePagesLastWrite
@@ -8737,6 +9310,7 @@ Version 1703 or later: If you don't want to send traffic to Microsoft, you ca
+ 0This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge.
If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off.
@@ -8745,7 +9319,6 @@ Important
Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list.
- 0
@@ -8759,6 +9332,9 @@ If you disable or don't configure this setting (default), employees can add, imp
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ LockdownFavoritesLowestValueMostSecure
@@ -8768,8 +9344,8 @@ If you disable or don't configure this setting (default), employees can add, imp
- Prevent access to the about:flags page in Microsoft Edge.0
+ Prevent access to the about:flags page in Microsoft Edge.
@@ -8783,6 +9359,9 @@ If you disable or don't configure this setting (default), employees can add, imp
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventAccessToAboutFlagsInMicrosoftEdgeHighestValueMostSecure
@@ -8792,10 +9371,10 @@ If you disable or don't configure this setting (default), employees can add, imp
+ 0Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
- 0
@@ -8810,6 +9389,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventFirstRunPageHighestValueMostSecure
@@ -8819,10 +9401,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ 0This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
- 0
@@ -8836,6 +9418,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventLiveTileDataCollectionHighestValueMostSecure
@@ -8845,8 +9430,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Don't allow Windows Defender SmartScreen warning overrides0
+ Don't allow Windows Defender SmartScreen warning overrides
@@ -8860,6 +9445,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventSmartScreenPromptOverrideHighestValueMostSecure
@@ -8869,8 +9457,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Don't allow Windows Defender SmartScreen warning overrides for unverified files.0
+ Don't allow Windows Defender SmartScreen warning overrides for unverified files.
@@ -8884,6 +9472,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventSmartScreenPromptOverrideForFiles
+ HighestValueMostSecure
+
+
+
+ PreventTabPreloading
+
+
+
+
+ 0
+ Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventTabPreloadingHighestValueMostSecure
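Review bot: the PreventTabPreloading description is ambiguous. "at Windows startup and each time Microsoft Edge is closed" can be read either as what is being prevented or as when the prevention happens. Rephrase it to say what Microsoft Edge does by default and what changes when the policy is set, and name the value that does it, since the entry has a default of 0 and is tagged HighestValueMostSecure.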
@@ -8893,8 +9512,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Prevent using localhost IP address for WebRTC0
+ Prevent using localhost IP address for WebRTC
@@ -8908,6 +9527,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ HideLocalHostIPAddressHighestValueMostSecure
@@ -8917,6 +9539,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites.
If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites.
@@ -8925,7 +9548,6 @@ Important
Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar.
-
@@ -8938,6 +9560,10 @@ If you disable or don't configure this setting, employees will see the favorites
text/plain
+ MicrosoftEdge.admx
+ ConfiguredFavoritesPrompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ ConfiguredFavoritesLastWrite
@@ -8947,8 +9573,8 @@ If you disable or don't configure this setting, employees will see the favorites
- Sends all intranet traffic over to Internet Explorer.0
+ Sends all intranet traffic over to Internet Explorer.
@@ -8963,6 +9589,9 @@ If you disable or don't configure this setting, employees will see the favorites
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ SendIntranetTraffictoInternetExplorerHighestValueMostSecure
@@ -8972,6 +9601,7 @@ If you disable or don't configure this setting, employees will see the favorites
+ Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine.
If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING.
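Review bot: the added summary line says "Users can still change their default search engine" without qualification, but the paragraph directly below it says employees can change it "unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it". Qualify the summary or drop its second sentence and leave the detail to the paragraph, so the two do not disagree. The summary's "MDM-enrolled devices" is also narrower than the closing note of this description, which covers domain-joined machines as well.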
@@ -8979,7 +9609,6 @@ If this setting is turned on, you are setting the default search engine that you
If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
-
@@ -8992,6 +9621,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ SetDefaultSearchEngine_Prompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ SetDefaultSearchEngineLastWrite
@@ -9001,8 +9634,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Show message when opening sites in Internet Explorer0
+ Show message when opening sites in Internet Explorer
@@ -9017,6 +9650,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ ShowMessageWhenOpeningSitesInInternetExplorerHighestValueMostSecure
@@ -9026,8 +9662,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.0
+ Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.
@@ -9042,6 +9678,36 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ SyncFavoritesBetweenIEAndMicrosoftEdge
+ LowestValueMostSecure
+
+
+
+ UseSharedFolderForBooks
+
+
+
+
+ 0
+ This setting specifies whether organizations should use a folder shared across users to store books from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ UseSharedFolderForBooksLowestValueMostSecure
@@ -9071,8 +9737,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9118,8 +9784,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9140,6 +9806,55 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ Display
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EnablePerProcessDpi
+
+
+
+
+
+ Enable or disable Per-Process System DPI for all applications.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Display.admx
+ DisplayGlobalPerProcessSystemDpiSettings
+ Display~AT~System~DisplayCat
+ DisplayPerProcessSystemDpiSettings
+ LowestValueMostSecure
+
+
+ Education
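Review bot: EnablePerProcessDpi is added with an empty line where the other new entries in this patch carry a default value, and "Enable or disable Per-Process System DPI for all applications" does not say which value enables it. The entry is tagged LowestValueMostSecure, which only means something once the values are defined. Add the default and the list of values to the description.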
@@ -9165,8 +9880,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This policy sets user's default printer
+ This policy sets user's default printer
@@ -9188,8 +9903,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Boolean that specifies whether or not to prevent user to install new printers0
+ Boolean that specifies whether or not to prevent user to install new printers
@@ -9203,6 +9918,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ Printing.admx
+ Printing~AT~ControlPanel~CplPrinters
+ NoAddPrinterHighestValueMostSecure
@@ -9212,8 +9930,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This policy provisions per-user network printers
+ This policy provisions per-user network printers
@@ -9255,8 +9973,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This policy provisions per-user discovery end point to discover cloud printers
+ This policy provisions per-user discovery end point to discover cloud printers
@@ -9278,8 +9996,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Authentication endpoint for acquiring OAuth tokens
+ Authentication endpoint for acquiring OAuth tokens
@@ -9301,8 +10019,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority
+ A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority
@@ -9324,8 +10042,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Resource URI for which access is being requested by the Enterprise Cloud Print client during OAuth authentication
+ Resource URI for which access is being requested by the Enterprise Cloud Print client during OAuth authentication
@@ -9347,8 +10065,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Defines the maximum number of printers that should be queried from discovery end point20
+ Defines the maximum number of printers that should be queried from discovery end point
@@ -9361,6 +10079,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ LastWrite
@@ -9370,8 +10089,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication
+ Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication
@@ -9413,8 +10132,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -9428,6 +10147,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableTailoredExperiencesWithDiagnosticDataLowestValueMostSecure
@@ -9437,33 +10159,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
- phone
- LowestValueMostSecure
-
-
-
- AllowWindowsConsumerFeatures
-
-
-
-
- 0
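Review bot: the removed lines include the AllowWindowsConsumerFeatures node name and its default of 0, together with the preceding entry's default of 1 and its phone and LowestValueMostSecure lines, and nothing visible in the patch says why. Confirm the node is meant to disappear from this part of the file and note the reason in the commit message. The surviving entry now continues into the lines that used to belong to the deleted node, so check that its platform restriction and the DisableThirdPartySuggestions mapping added in the next hunk are the ones intended for it.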
@@ -9478,6 +10175,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableThirdPartySuggestionsLowestValueMostSecure
@@ -9487,8 +10187,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -9503,6 +10203,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableWindowsSpotlightFeaturesLowestValueMostSecure
@@ -9512,8 +10215,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -9527,6 +10230,36 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableWindowsSpotlightOnActionCenter
+ LowestValueMostSecure
+
+
+
+ AllowWindowsSpotlightOnSettings
+
+
+
+
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableWindowsSpotlightOnSettingsLowestValueMostSecure
@@ -9536,8 +10269,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -9551,6 +10284,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableWindowsSpotlightWindowsWelcomeExperienceLowestValueMostSecure
@@ -9560,8 +10296,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -9574,7 +10310,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ ConfigureWindowsSpotlightLowestValueMostSecure
@@ -9604,8 +10344,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9631,8 +10371,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9658,8 +10398,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9685,8 +10425,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9712,8 +10452,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9739,8 +10479,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9766,8 +10506,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9793,8 +10533,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9820,8 +10560,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9847,8 +10587,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9874,8 +10614,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9901,8 +10641,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9928,8 +10668,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9955,8 +10695,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9982,8 +10722,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10009,8 +10749,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10036,8 +10776,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10063,8 +10803,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10090,8 +10830,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10117,8 +10857,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10144,8 +10884,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10171,8 +10911,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10198,8 +10938,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10225,8 +10965,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10252,8 +10992,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10279,8 +11019,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10306,8 +11046,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10333,8 +11073,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10349,8 +11089,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phoneinetres.admx
- inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryBinaryBehaviorSecurityRestriction
- IESF_PolicyExplorerProcesses_2
+ inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryConsistentMimeHandling
+ IESF_PolicyExplorerProcesses_5LastWrite
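Review bot: The ADMX mapping in this hunk moves from `IESF_CategoryBinaryBehaviorSecurityRestriction` / `IESF_PolicyExplorerProcesses_2` to `IESF_CategoryConsistentMimeHandling` / `IESF_PolicyExplorerProcesses_5`, but the policy node it belongs to is not in the visible context. Please confirm the owning node is the consistent MIME handling policy. The commit message should also call this out as a mapping correction, since the old value pointed at a different Internet Explorer security feature.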
@@ -10360,8 +11100,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10387,8 +11127,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10414,8 +11154,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10441,8 +11181,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10468,8 +11208,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10495,8 +11235,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10522,8 +11262,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10549,8 +11289,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10576,8 +11316,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10603,8 +11343,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10630,8 +11370,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10657,8 +11397,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10684,8 +11424,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10711,8 +11451,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10738,8 +11478,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10765,8 +11505,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10792,8 +11532,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10819,8 +11559,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10846,8 +11586,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10873,8 +11613,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10900,8 +11640,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10927,8 +11667,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10954,8 +11694,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10981,8 +11721,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11008,8 +11748,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11035,8 +11775,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11062,8 +11802,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11089,8 +11829,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11116,8 +11856,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11143,8 +11883,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11170,8 +11910,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11197,8 +11937,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11224,8 +11964,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11251,8 +11991,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11278,8 +12018,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11305,8 +12045,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11332,8 +12072,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11359,8 +12099,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11386,8 +12126,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11413,8 +12153,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11440,8 +12180,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11461,14 +12201,41 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
LastWrite
+
+ InternetZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ inetres.admx
+ inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone
+ IZ_PolicyAllowVBScript_1
+ LastWrite
+
+ InternetZoneDoNotRunAntimalwareAgainstActiveXControls
-
+
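Review bot: The new `InternetZoneAllowVBScriptToRunInInternetExplorer` node carries an ADMX mapping (`IZ_PolicyAllowVBScript_1` under `IZ_InternetZone`) but no description text is visible in the added lines. Add a sentence stating what the policy controls and which values it accepts, so a reader does not have to open inetres.admx to decide how to set it.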
@@ -11494,8 +12261,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11521,8 +12288,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11548,8 +12315,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11575,8 +12342,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11602,8 +12369,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11629,8 +12396,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11656,8 +12423,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11683,8 +12450,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11710,8 +12477,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11737,8 +12504,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11764,8 +12531,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11791,8 +12558,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11818,8 +12585,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11845,8 +12612,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11872,8 +12639,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11899,8 +12666,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11926,8 +12693,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11953,8 +12720,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11980,8 +12747,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12007,8 +12774,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12034,8 +12801,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12061,8 +12828,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12088,8 +12855,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12115,8 +12882,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12142,8 +12909,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12169,8 +12936,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12196,8 +12963,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12223,8 +12990,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12250,8 +13017,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12277,8 +13044,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12304,8 +13071,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12331,8 +13098,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12358,8 +13125,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12385,8 +13152,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12412,8 +13179,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12439,8 +13206,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12466,8 +13233,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12493,8 +13260,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12520,8 +13287,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12547,8 +13314,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12574,8 +13341,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12601,8 +13368,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12628,8 +13395,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12655,8 +13422,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12682,8 +13449,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12709,8 +13476,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12736,8 +13503,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12763,8 +13530,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12790,8 +13557,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12817,8 +13584,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12844,8 +13611,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12871,8 +13638,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12898,8 +13665,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12925,8 +13692,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12946,14 +13713,41 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
LastWrite
+
+ LockedDownIntranetJavaPermissions
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ inetres.admx
+ inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown
+ IZ_PolicyJavaPermissions_4
+ LastWrite
+
+ LockedDownIntranetZoneAllowAccessToDataSources
-
+
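Review bot: The node name `LockedDownIntranetJavaPermissions` drops the word "Zone" that its next sibling `LockedDownIntranetZoneAllowAccessToDataSources` and its own ADMX category `IZ_IntranetZoneLockdown` both use. If the name is fixed by the CSP, leave it. Otherwise check it for a typo so the documented name matches what administrators must type in the OMA-URI.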
@@ -12979,8 +13773,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13006,8 +13800,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13033,8 +13827,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13060,8 +13854,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13087,8 +13881,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13114,8 +13908,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13141,8 +13935,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13168,8 +13962,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13195,8 +13989,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13222,8 +14016,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13249,8 +14043,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13276,8 +14070,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13303,8 +14097,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13330,8 +14124,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13357,8 +14151,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13384,8 +14178,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13411,8 +14205,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13438,8 +14232,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13465,8 +14259,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13492,8 +14286,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13519,8 +14313,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13546,8 +14340,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13573,8 +14367,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13600,8 +14394,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13627,8 +14421,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13654,8 +14448,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13681,8 +14475,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13708,8 +14502,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13735,8 +14529,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13762,8 +14556,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13789,8 +14583,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13816,8 +14610,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13843,8 +14637,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13870,8 +14664,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13897,8 +14691,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13924,8 +14718,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13951,8 +14745,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13978,8 +14772,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14005,8 +14799,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14032,8 +14826,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14059,8 +14853,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14086,8 +14880,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14113,8 +14907,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14140,8 +14934,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14167,8 +14961,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14194,8 +14988,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14221,8 +15015,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14248,8 +15042,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14275,8 +15069,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14302,8 +15096,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14329,8 +15123,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14356,8 +15150,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14383,8 +15177,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14410,8 +15204,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14437,8 +15231,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14464,8 +15258,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14491,8 +15285,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14518,8 +15312,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14545,8 +15339,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14572,8 +15366,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14599,8 +15393,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14626,8 +15420,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14653,8 +15447,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14680,8 +15474,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14707,8 +15501,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14734,8 +15528,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14761,8 +15555,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14788,8 +15582,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14815,8 +15609,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14842,8 +15636,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14869,8 +15663,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14896,8 +15690,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14923,8 +15717,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14950,8 +15744,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14977,8 +15771,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14998,14 +15792,41 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
LastWrite
+
+ RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ inetres.admx
+ inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone
+ IZ_PolicyAllowVBScript_7
+ LastWrite
+
+ RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
-
+
@@ -15031,8 +15852,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15058,8 +15879,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15085,8 +15906,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15112,8 +15933,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15139,8 +15960,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15166,8 +15987,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15193,8 +16014,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15220,8 +16041,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15247,8 +16068,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15274,8 +16095,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15301,8 +16122,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15328,8 +16149,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15355,8 +16176,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15382,8 +16203,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15409,8 +16230,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15436,8 +16257,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15463,8 +16284,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15490,8 +16311,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15517,8 +16338,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15544,8 +16365,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15571,8 +16392,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15598,8 +16419,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15625,8 +16446,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15652,8 +16473,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15679,8 +16500,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15706,8 +16527,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15733,8 +16554,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15760,8 +16581,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15787,8 +16608,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15814,8 +16635,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15841,8 +16662,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15868,8 +16689,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15895,8 +16716,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15922,8 +16743,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15949,8 +16770,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15976,8 +16797,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15998,6 +16819,173 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ KioskBrowser
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ BlockedUrlExceptions
+
+
+
+
+
+ List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+
+ BlockedUrls
+
+
+
+
+
+ List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+
+ DefaultURL
+
+
+
+
+
+ Configures the default URL kiosk browsers to navigate on launch and restart.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+
+ EnableHomeButton
+
+
+
+
+ 0
+ Enable/disable kiosk browser's home button.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ LastWrite
+
+
+
+ EnableNavigationButtons
+
+
+
+
+ 0
+ Enable/disable kiosk browser's navigation buttons (forward/back).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ LastWrite
+
+
+
+ RestartOnIdleTime
+
+
+
+
+ 0
+ Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ LastWrite
+
+
+ Notifications
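Review bot: The `BlockedUrls` and `BlockedUrlExceptions` descriptions say "with wildcard support" but give neither the list delimiter nor the wildcard matching rules, which an administrator needs to write a correct kiosk block list. Please add both, and state explicitly that an exception only takes effect for a URL that is already matched by `BlockedUrls`. Smaller points in the same hunk: `RestartOnIdleTime` shows a default of 0 without saying whether 0 means "never restart"; the `DefaultURL` text should read "the default URL kiosk browsers navigate to on launch and restart"; and "can not" should be "cannot".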
@@ -16023,8 +17011,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -16038,6 +17026,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ WPN.admx
+ WPN~AT~StartMenu~NotificationsCategory
+ NoNotificationMirroringLowestValueMostSecure
@@ -16067,8 +17058,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16114,8 +17105,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -16128,6 +17119,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ Taskbar.admx
+ Taskbar~AT~StartMenu~TPMCategory
+ ConfigureTaskbarCalendarLastWrite
@@ -16152,13 +17147,13 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- HidePeopleBar
+ DisableContextMenus
- Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar.0
+ Enabling this policy prevents context menus from being invoked in the Start Menu.
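Review bot: The new `DisableContextMenus` description says what enabling does but no default value is visible for it, whereas the `HidePeopleBar` line it replaces ended with its default of 0. Please state the default and the accepted values for `DisableContextMenus` in the same way.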
@@ -16173,6 +17168,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ StartMenu.admx
+ StartMenu~AT~StartMenu
+ DisableContextMenusInStart
+ LowestValueMostSecure
+
+
+
+ HidePeopleBar
+
+
+
+
+ 0
+ Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ StartMenu.admx
+ StartMenu~AT~StartMenu
+ HidePeopleBarLowestValueMostSecure
@@ -16182,8 +17208,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16197,6 +17223,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plainphone
+ StartMenu.admx
+ StartMenu~AT~StartMenu
+ LockedStartLayoutLastWrite
@@ -16226,8 +17255,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 3
+
@@ -16240,10 +17269,62 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ DataCollection.admx
+ AllowTelemetry
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ AllowTelemetryLowestValueMostSecure
+
+ WindowsPowerShell
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TurnOnPowerShellScriptBlockLogging
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ PowerShellExecutionPolicy.admx
+ PowerShellExecutionPolicy~AT~WindowsComponents~PowerShell
+ EnableScriptBlockLogging
+ LastWrite
+
+
+
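Review bot: `TurnOnPowerShellScriptBlockLogging` is added under the new `WindowsPowerShell` area with only its ADMX mapping (`EnableScriptBlockLogging` in PowerShellExecutionPolicy.admx) and no description text visible. This is a logging control that detection teams depend on, so the entry should say what is recorded when the policy is enabled and what the behavior is when it is left unconfigured.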
@@ -16263,7 +17344,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- com.microsoft/6.0/MDM/Policy
+ com.microsoft/7.0/MDM/Policy
@@ -16271,8 +17352,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+ Policy CSP ConfigOperations
@@ -16293,8 +17374,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+ Win32 App ADMX Ingestion
@@ -16315,8 +17396,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+ Win32 App Name
@@ -16337,8 +17418,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+ Setting Type of Win32 App. Policy Or Preference
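Review bot: The added description "Setting Type of Win32 App. Policy Or Preference" reads as two fragments with title-style capitals. Suggest "Setting type of the Win32 app: Policy or Preference", which also makes clear that these are the two allowed values.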
@@ -16359,8 +17440,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+ Unique ID of ADMX file
@@ -16386,8 +17467,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16407,8 +17488,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16501,8 +17582,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16619,8 +17700,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16665,8 +17746,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16705,14 +17786,38 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ EnableAppUriHandlers
+
+
+
+
+
+
+
+ Enables web-to-app linking, which allows apps to be launched with a http(s) URI
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ ApplicationManagement
-
+
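Review bot: The `EnableAppUriHandlers` description, "allows apps to be launched with a http(s) URI", does not say what the default is or which value turns web-to-app linking off. Please add that, since this setting decides whether a link can hand off from the browser to an installed app. Also change "a http(s) URI" to "an http(s) URI".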
@@ -16968,13 +18073,59 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ AppRuntime
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AllowMicrosoftAccountsToBeOptional
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ AppVirtualization
-
+
@@ -17667,8 +18818,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -17731,30 +18882,6 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
- AllowFidoDeviceSignon
-
-
-
-
-
-
-
- Specifies whether FIDO device can be used to sign on.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
- AllowSecondaryAuthenticationDevice
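Review bot: This hunk deletes the whole `AllowFidoDeviceSignon` node ("Specifies whether FIDO device can be used to sign on.") and nothing in the visible lines replaces it or explains the removal. Please confirm whether the policy was removed, renamed or moved to another area, and record that in the commit message or the page's change history, so that administrators who already deploy this sign-on policy know what happens to it.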
@@ -17785,8 +18912,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -17879,8 +19006,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -17925,8 +19052,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -18013,6 +19140,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ AllowPromptedProximalConnections
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ LocalDeviceName
@@ -18067,8 +19218,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -18155,6 +19306,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ AllowConfigurationUpdateForBooksLibrary
+
+
+
+
+
+
+
+ This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ AllowCookies
@@ -18583,6 +19758,30 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
+
+ EnableExtendedBooksTelemetry
+
+
+
+
+
+
+
+ This setting allows organizations to send extended telemetry on book usage from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ EnterpriseModeSiteList
@@ -18839,6 +20038,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ PreventTabPreloading
+
+
+
+
+
+
+
+ Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ PreventUsingLocalHostIPAddressForWebRTC
@@ -18996,14 +20219,38 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ UseSharedFolderForBooks
+
+
+
+
+
+
+
+ This setting specifies whether organizations should use a folder shared across users to store books from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ Camera
-
+
@@ -19048,8 +20295,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -19121,7 +20368,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -19145,7 +20392,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -19190,8 +20437,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -19326,6 +20573,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ AllowPhonePCLinking
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ AllowUSBConnection
@@ -19544,12 +20815,56 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- CredentialProviders
+ ControlPolicyConflict
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ MDMWinsOverGP
+
+
+
+
+
+
+ If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ CredentialProviders
+
+
+
+
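Review bot: The MDMWinsOverGP description is hard to parse and covers only the value 1: "any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC". Because this node decides which management channel wins on a conflict, the text should also say what the default value does and whether a Group Policy value that was already applied stays in effect once the equivalent MDM policy is set. A simpler phrasing for the existing sentence would be "If set to 1, Group Policy is blocked from setting any policy that also has an equivalent MDM policy set."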
@@ -19637,13 +20952,59 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ CredentialsDelegation
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ RemoteHostAllowsDelegationOfNonExportableCredentials
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ CredentialsUI
-
+
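Review bot: RemoteHostAllowsDelegationOfNonExportableCredentials is added under CredentialsDelegation with a name and a format but no description text, unlike MDMWinsOverGP in the previous hunk. For a setting that governs credential delegation, a short description of what enabling it permits, plus the default, would let an administrator assess it without looking elsewhere.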
@@ -19712,8 +21073,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -19782,8 +21143,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -19852,8 +21213,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -19922,8 +21283,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -20784,8 +22145,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -20849,7 +22210,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- DOCacheHost
+ DODelayBackgroundDownloadFromHttp
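Review bot: The DOCacheHost name is overwritten in place by DODelayBackgroundDownloadFromHttp here, and none of the later Delivery Optimization hunks visible on this page add DOCacheHost back (compare the CredentialProviders line, which is removed and then re-added after ControlPolicyConflict). If DOCacheHost is being retired, say so in the commit message; if it is not, the node has been dropped by accident and needs restoring.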
@@ -20859,7 +22220,31 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DODelayForegroundDownloadFromHttp
+
+
+
+
+
+
+
+
+
+
@@ -20920,6 +22305,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ DOGroupIdSource
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DOMaxCacheAge
@@ -21184,6 +22593,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ DOPercentageMaxBackgroundBandwidth
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DOPercentageMaxDownloadBandwidth
@@ -21208,14 +22641,110 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ DOPercentageMaxForegroundBandwidth
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DORestrictPeerSelectionBy
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DOSetHoursToLimitBackgroundDownloadBandwidth
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DOSetHoursToLimitForegroundDownloadBandwidth
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeviceGuard
-
+
@@ -21308,8 +22837,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -21378,8 +22907,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -21758,6 +23287,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ PreventEnablingLockScreenCamera
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ PreventLockScreenSlideShow
@@ -21812,8 +23365,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -21828,6 +23381,78 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ DisablePerProcessDpiForApps
+
+
+
+
+
+
+
+ This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnablePerProcessDpi
+
+
+
+
+
+
+
+ Enable or disable Per-Process System DPI for all applications.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnablePerProcessDpiForApps
+
+
+
+
+
+
+
+ This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ TurnOffGdiDPIScalingForApps
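Review bot: The descriptions of DisablePerProcessDpiForApps and EnablePerProcessDpiForApps do not say which one wins when the same application appears in both lists; each only states that it "will override the system-wide default value". Add a sentence on precedence. It would also help to say how a bare filename is matched when several executables share it, since the text allows "full paths or with filenames and extensions".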
@@ -21882,8 +23507,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -22024,8 +23649,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -22142,8 +23767,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -22446,6 +24071,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ AllowWindowsConsumerFeatures
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ AllowWindowsTips
@@ -22500,8 +24149,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -22541,13 +24190,83 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ FileExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TurnOffDataExecutionPreventionForExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TurnOffHeapTerminationOnCorruption
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ Games
-
+
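Review bot: TurnOffDataExecutionPreventionForExplorer and TurnOffHeapTerminationOnCorruption are both added under FileExplorer without any description text. Going by their names, enabling either one switches off an exploit mitigation for Explorer, so each entry should state that plainly, give the default, and name the compatibility case that would justify turning the protection off.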
@@ -22592,8 +24311,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -22638,8 +24357,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -24358,6 +26077,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ InternetZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ InternetZoneDoNotRunAntimalwareAgainstActiveXControls
@@ -25678,6 +27421,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ LockedDownIntranetJavaPermissions
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ LockedDownIntranetZoneAllowAccessToDataSources
@@ -27502,6 +29269,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
@@ -28055,7 +29846,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- SecurityZonesUseOnlyMachineSettings
+ SecurityZonesUseOnlyMachineSettings
@@ -28420,8 +30211,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -28557,13 +30348,179 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ KioskBrowser
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ BlockedUrlExceptions
+
+
+
+
+
+
+
+ List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ BlockedUrls
+
+
+
+
+
+
+
+ List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DefaultURL
+
+
+
+
+
+
+
+ Configures the default URL kiosk browsers to navigate on launch and restart.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableHomeButton
+
+
+
+
+
+
+
+ Enable/disable kiosk browser's home button.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableNavigationButtons
+
+
+
+
+
+
+
+ Enable/disable kiosk browser's navigation buttons (forward/back).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RestartOnIdleTime
+
+
+
+
+
+
+
+ Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ Licensing
-
+
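Review bot: The BlockedUrls and BlockedUrlExceptions descriptions both promise "wildcard support" but give neither the wildcard syntax nor the list delimiter, and they do not spell out how the two lists are evaluated beyond the exceptions being "a subset of the blocked URLs". For a kiosk lockdown an administrator needs a worked pattern and an explicit statement that an exception overrides a block. Wording fixes in the same hunk: "can not" should be "cannot", and "Configures the default URL kiosk browsers to navigate on launch and restart" is missing "to" after "navigate". RestartOnIdleTime should say what happens when the value is 0 or the policy is unset.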
@@ -28632,8 +30589,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -28958,6 +30915,225 @@ Default: This policy is not defined and CD-ROM access is not restricted to the l
+
+ DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
+
+
+
+
+
+
+
+ Domain member: Digitally encrypt or sign secure channel data (always)
+
+This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
+
+Domain member: Digitally encrypt secure channel data (when possible)
+Domain member: Digitally sign secure channel data (when possible)
+
+Default: Enabled.
+
+Notes:
+
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
+Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
+
+
+
+
+
+
+
+ Domain member: Digitally encrypt secure channel data (when possible)
+
+This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.
+
+Default: Enabled.
+
+Important
+
+There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
+
+Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DomainMember_DigitallySignSecureChannelDataWhenPossible
+
+
+
+
+
+
+
+ Domain member: Digitally sign secure channel data (when possible)
+
+This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.
+
+Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DomainMember_DisableMachineAccountPasswordChanges
+
+
+
+
+
+
+
+ Domain member: Disable machine account password changes
+
+Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.
+
+Default: Disabled.
+
+Notes
+
+This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.
+This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DomainMember_MaximumMachineAccountPasswordAge
+
+
+
+
+
+
+
+ Domain member: Maximum machine account password age
+
+This security setting determines how often a domain member will attempt to change its computer account password.
+
+Default: 30 days.
+
+Important
+
+This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DomainMember_RequireStrongSessionKey
+
+
+
+
+
+
+
+ Domain member: Require strong (Windows 2000 or later) session key
+
+This security setting determines whether 128-bit key strength is required for encrypted secure channel data.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on.
+
+Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters:
+
+Domain member: Digitally encrypt or sign secure channel data (always)
+Domain member: Digitally encrypt secure channel data (when possible)
+Some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that is encrypted.
+
+If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key strength is negotiated with the domain controller.
+
+Default: Enabled.
+
+Important
+
+In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later.
+In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
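Review bot: In the notes for DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways, the sentence beginning "If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled" appears twice in a row, word for word; drop one copy, or replace it with the distinct note that was intended. Two smaller points in the same hunk: DomainMember_DisableMachineAccountPasswordChanges refers to "Domain Member: Maximum age for machine account password" while the entry itself is titled "Domain member: Maximum machine account password age", and DomainMember_MaximumMachineAccountPasswordAge gives the default of 30 days but no accepted range of values.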
@@ -29164,6 +31340,404 @@ Default: No message.
+
+ InteractiveLogon_SmartCardRemovalBehavior
+
+
+
+
+
+
+
+ Interactive logon: Smart card removal behavior
+
+This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
+
+The options are:
+
+ No Action
+ Lock Workstation
+ Force Logoff
+ Disconnect if a Remote Desktop Services session
+
+If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
+
+If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed.
+
+If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation.
+
+Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
+
+Default: This policy is not defined, which means that the system treats it as No action.
+
+On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MicrosoftNetworkClient_DigitallySignCommunicationsAlways
+
+
+
+
+
+
+
+ Microsoft network client: Digitally sign communications (always)
+
+This security setting determines whether packet signing is required by the SMB client component.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
+
+If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
+
+Default: Disabled.
+
+Important
+
+For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees).
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
+
+
+
+
+
+
+
+ Microsoft network client: Digitally sign communications (if server agrees)
+
+This security setting determines whether the SMB client attempts to negotiate SMB packet signing.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server.
+
+If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.
+
+Default: Enabled.
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
+
+
+
+
+
+
+
+ Microsoft network client: Send unencrypted password to connect to third-party SMB servers
+
+If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.
+
+Sending unencrypted passwords is a security risk.
+
+Default: Disabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
+
+
+
+
+
+
+
+ Microsoft network server: Amount of idle time required before suspending a session
+
+This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.
+
+Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.
+
+For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.
+
+Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MicrosoftNetworkServer_DigitallySignCommunicationsAlways
+
+
+
+
+
+
+
+ Microsoft network server: Digitally sign communications (always)
+
+This security setting determines whether packet signing is required by the SMB server component.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted.
+
+If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server.
+
+Default:
+
+Disabled for member servers.
+Enabled for domain controllers.
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
+If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
+
+Important
+
+For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy:
+Microsoft network server: Digitally sign communications (if server agrees)
+
+For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server:
+HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
+
+
+
+
+
+
+
+ Microsoft network server: Digitally sign communications (if client agrees)
+
+This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it.
+
+If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.
+
+Default: Enabled on domain controllers only.
+
+Important
+
+For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
+
+
+
+
+
+
+
+ Network access: Do not allow anonymous enumeration of SAM accounts
+
+This security setting determines what additional permissions will be granted for anonymous connections to the computer.
+
+Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.
+
+This security option allows additional restrictions to be placed on anonymous connections as follows:
+
+Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.
+Disabled: No additional restrictions. Rely on default permissions.
+
+Default on workstations: Enabled.
+Default on server:Enabled.
+
+Important
+
+This policy has no impact on domain controllers.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
+
+
+
+
+
+
+
+ Network access: Do not allow anonymous enumeration of SAM accounts and shares
+
+This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.
+
+Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.
+
+Default: Disabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
+
+
+
+
+
+
+
+ Network access: Restrict anonymous access to Named Pipes and Shares
+
+When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:
+
+Network access: Named pipes that can be accessed anonymously
+Network access: Shares that can be accessed anonymously
+Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
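Review bot: In the description added for MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees, the last sentence of the third paragraph reads "If this policy is disabled, the SMB client will never negotiate SMB packet signing", but this is the server-side setting, and every other sentence in that paragraph talks about the SMB server. Suggest "the SMB server will never negotiate SMB packet signing". In the same part of the hunk, the line "Microsoft network server: Digitally sign communications (if server agrees)" does not match any of the four policy names listed in the Notes, where the server-side pair is "(always)" and "(if client agrees)"; please check which name was intended. Minor: "Default on server:Enabled." in NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts is missing the space after the colon.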
@@ -29220,6 +31794,161 @@ This policy will be turned off by default on domain joined machines. This would
+
+ NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
+
+
+
+
+
+
+
+ Network security: Do not store LAN Manager hash value on next password change
+
+This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked.
+
+
+Default on Windows Vista and above: Enabled
+Default on Windows XP: Disabled.
+
+Important
+
+Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.
+This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkSecurity_LANManagerAuthenticationLevel
+
+
+
+
+
+
+
+ Network security LAN Manager authentication level
+
+This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:
+
+Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).
+
+Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).
+
+Important
+
+This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM.
+
+Default:
+
+Windows 2000 and windows XP: send LM and NTLM responses
+
+Windows Server 2003: Send NTLM response only
+
+Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
+
+
+
+
+
+
+
+ Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
+
+This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
+
+Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated.
+Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.
+
+Default:
+
+Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
+
+Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
+
+
+
+
+
+
+
+ Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
+
+This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
+
+Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.
+Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated.
+
+Default:
+
+Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
+
+Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
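Review bot: The "Require NTLMv2 session security" option is described two different ways in the client and server entries of this hunk: the client text says "The connection will fail if NTLMv2 protocol is not negotiated", while the server text says "The connection will fail if message integrity is not negotiated". Please make the two descriptions agree, or state why they differ, since administrators will read them side by side. Smaller points in the same hunk: the title "Network security LAN Manager authentication level" is missing the colon that every sibling title has after "Network security"; "Windows 2000 and windows XP: send LM and NTLM responses" has inconsistent capitalisation; and in the server entry "Require 128-bit encryption." uses a period where the client entry uses a colon. The default lists for all three NTLM settings stop at Windows 7 and Windows Server 2008 R2, so a reader cannot tell from this text what the default is on later releases.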
@@ -29624,8 +32353,8 @@ The options are:
-
+
@@ -29670,8 +32399,8 @@ The options are:
-
+
@@ -29716,8 +32445,8 @@ The options are:
-
+
@@ -29786,8 +32515,8 @@ The options are:
-
+
@@ -29875,13 +32604,273 @@ The options are:
+
+ MSSecurityGuide
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ApplyUACRestrictionsToLocalAccountsOnNetworkLogon
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureSMBV1ClientDriver
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureSMBV1Server
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableStructuredExceptionHandlingOverwriteProtection
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ WDigestAuthentication
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ MSSLegacy
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AllowICMPRedirectsToOverrideOSPFGeneratedRoutes
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IPSourceRoutingProtectionLevel
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IPv6SourceRoutingProtectionLevel
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ NetworkIsolation
-
+
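Review bot: None of the entries added under MSSecurityGuide and MSSLegacy in this hunk carry any description text as shown here (ApplyUACRestrictionsToLocalAccountsOnNetworkLogon, ConfigureSMBV1ClientDriver, ConfigureSMBV1Server, EnableStructuredExceptionHandlingOverwriteProtection, WDigestAuthentication, AllowICMPRedirectsToOverrideOSPFGeneratedRoutes, AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers, IPSourceRoutingProtectionLevel, IPv6SourceRoutingProtectionLevel), whereas the LocalPoliciesSecurityOptions entries added earlier in the same patch each explain the setting and its default. These are hardening settings whose effect is not obvious from the name alone, so please add at least a one-line description and the accepted values for each, or a pointer to where they are documented.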
@@ -30090,12 +33079,12 @@ The options are:
- Power
+ Notifications
-
+
@@ -30110,6 +33099,76 @@ The options are:
+
+ DisallowCloudNotification
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ Power
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AllowStandbyStatesWhenSleepingOnBattery
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ AllowStandbyWhenSleepingPluggedIn
@@ -30332,8 +33391,8 @@ The options are:
-
+
@@ -30402,8 +33461,8 @@ The options are:
-
+
@@ -30835,7 +33894,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -30859,7 +33918,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -30883,7 +33942,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -30931,7 +33990,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -30955,7 +34014,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -30979,7 +34038,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -31027,7 +34086,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -31051,7 +34110,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -31075,7 +34134,103 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LetAppsAccessGazeInput
+
+
+
+
+
+
+
+ This policy setting specifies whether Windows apps can access the eye tracker.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LetAppsAccessGazeInput_ForceAllowTheseApps
+
+
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LetAppsAccessGazeInput_ForceDenyTheseApps
+
+
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LetAppsAccessGazeInput_UserInControlOfTheseApps
+
+
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
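Review bot: The three new LetAppsAccessGazeInput_* descriptions (ForceAllowTheseApps, ForceDenyTheseApps, UserInControlOfTheseApps) still say "Package Family Names of Windows Store Apps", while the first change in this same hunk, and the surrounding hunks, rename that phrase to "Microsoft Store Apps" for every other LetAppsAccess* setting. Suggest using "Microsoft Store Apps" in the added lines so the rename is complete. The base LetAppsAccessGazeInput description ("This policy setting specifies whether Windows apps can access the eye tracker.") also does not say which value corresponds to allow, deny or user control, which the three override lists depend on.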
@@ -31123,7 +34278,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -31147,7 +34302,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -31171,7 +34326,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -31219,7 +34374,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -31243,7 +34398,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -31267,7 +34422,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -31315,7 +34470,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -31339,7 +34494,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -31363,7 +34518,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -31411,7 +34566,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -31435,7 +34590,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -31459,7 +34614,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -31507,7 +34662,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -31531,7 +34686,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -31555,7 +34710,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -31603,7 +34758,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -31627,7 +34782,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -31651,7 +34806,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -31699,7 +34854,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -31723,7 +34878,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -31747,7 +34902,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -31795,7 +34950,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -31819,7 +34974,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -31843,7 +34998,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -31891,7 +35046,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -31915,7 +35070,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -31939,7 +35094,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -32179,7 +35334,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -32203,7 +35358,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -32227,7 +35382,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -32266,14 +35421,38 @@ The options are:
+
+ UploadUserActivities
+
+
+
+
+
+
+
+ Allows ActivityFeed to upload published 'User Activities'.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ RemoteAssistance
-
+
@@ -32390,8 +35569,8 @@ The options are:
-
+
@@ -32556,8 +35735,8 @@ The options are:
-
+
@@ -32938,8 +36117,8 @@ The options are:
-
+
@@ -33008,8 +36187,8 @@ The options are:
-
+
@@ -33193,13 +36372,60 @@ The options are:
+
+ RestrictedGroups
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ConfigureGroupMembership
+
+
+
+
+
+
+
+ This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
+Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ Search
-
+
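Review bot: the ConfigureGroupMembership description states the enforcement behaviour twice ("any current member of a restricted group that is not on the Members list is removed" and then "Any members that are not specified in the policy are removed during configuration or refresh") but never says what format the value takes for naming the group and its members. Collapse the repeated sentences and document the expected value format. Since the Caution says an empty Members list leaves the group with no members and that default members such as administrators can be removed, that warning should come before the example rather than after it.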
@@ -33238,6 +36464,30 @@ The options are:
+
+ AllowCortanaInAAD
+
+
+
+
+
+
+
+ This features allows you to show the cortana opt-in page during Windows Setup
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ AllowIndexingEncryptedStoresOrItems
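Review bot: the AllowCortanaInAAD description has grammar and casing errors: "This features allows you to show the cortana opt-in page during Windows Setup" should read "This feature allows you to show the Cortana opt-in page during Windows Setup." It also does not say which value shows the page and which hides it.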
@@ -33430,6 +36680,30 @@ The options are:
+
+ DoNotUseWebResults
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ PreventIndexingLowDiskSpaceMB
@@ -33508,8 +36782,8 @@ The options are:
-
+
@@ -33644,6 +36918,30 @@ The options are:
+
+ ConfigureWindowsPasswords
+
+
+
+
+
+
+
+ Configures the use of passwords for Windows features
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
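Review bot: the ConfigureWindowsPasswords description, "Configures the use of passwords for Windows features", does not say which values the setting accepts or which features it affects. For a setting that governs password use, list the allowed values and state what each one permits or blocks.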
@@ -33746,8 +37044,8 @@ The options are:
-
+
@@ -34080,8 +37378,8 @@ The options are:
-
+
@@ -34174,8 +37472,8 @@ The options are:
-
+
@@ -34220,8 +37518,8 @@ The options are:
-
+
@@ -34476,6 +37774,30 @@ The options are:
+
+ DisableContextMenus
+
+
+
+
+
+
+
+ Enabling this policy prevents context menus from being invoked in the Start Menu.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ ForceStartSize
@@ -34914,8 +38236,8 @@ The options are:
-
+
@@ -34984,8 +38306,8 @@ The options are:
-
+
@@ -35216,6 +38538,54 @@ The options are:
+
+ ConfigureTelemetryOptInChangeNotification
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureTelemetryOptInSettingsUx
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DisableEnterpriseAuthProxy
@@ -35249,7 +38619,7 @@ The options are:
- This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
+ This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Microsoft Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
@@ -35321,7 +38691,7 @@ The options are:
- This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced) When you configure these policy settings, a Basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: https://go.microsoft.com/fwlink/?linkid=847594. Enabling Enhanced diagnostic data in the Allow Telemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional Enhanced level telemetry data. This setting has no effect on computers configured to send Full, Basic or Security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy.
+ This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting.
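Review bot: the documentation link in the added line no longer matches the one it replaces: the query parameter changed from "?linkid=847594" to "?linked=847594" and the host from "go.microsoft.com" to "go.Microsoft.com". Restore the original URL unless the change is deliberate, and check that it still resolves. The new sentence "By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization" describes limiting the user's choice of level, not sending Windows Analytics events, so confirm it belongs to this policy rather than to one of the telemetry opt-in settings. There is also a missing space in "(Enhanced).If".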
@@ -35362,12 +38732,12 @@ The options are:
- TextInput
+ SystemServices
-
+
@@ -35382,6 +38752,242 @@ The options are:
+
+ ConfigureHomeGroupListenerServiceStartupMode
+
+
+
+
+
+
+
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureHomeGroupProviderServiceStartupMode
+
+
+
+
+
+
+
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureXboxAccessoryManagementServiceStartupMode
+
+
+
+
+
+
+
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureXboxLiveAuthManagerServiceStartupMode
+
+
+
+
+
+
+
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureXboxLiveGameSaveServiceStartupMode
+
+
+
+
+
+
+
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureXboxLiveNetworkingServiceStartupMode
+
+
+
+
+
+
+
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ TaskScheduler
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EnableXboxGameSaveTask
+
+
+
+
+
+
+
+ This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ TextInput
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AllowHardwareKeyboardTextSuggestions
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ AllowIMELogging
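Review bot: "Automaic(2)" is misspelled in all six service start-type descriptions in this hunk (ConfigureHomeGroupListenerServiceStartupMode through ConfigureXboxLiveNetworkingServiceStartupMode) and should read "Automatic(2)". The six descriptions are identical and refer only to "the service's start type", so each should name the service it controls. The sentence would also read better as "is Automatic (2), Manual (3), or Disabled (4)".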
@@ -35598,6 +39204,54 @@ The options are:
+
+ AllowLinguisticDataCollection
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableTouchKeyboardAutoInvokeInDesktopMode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ ExcludeJapaneseIMEExceptJIS0208
@@ -35670,14 +39324,206 @@ The options are:
+
+ ForceTouchKeyboardDockedState
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardDictationButtonAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardEmojiButtonAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardFullModeAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardHandwritingModeAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardNarrowModeAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardSplitModeAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardWideModeAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ TimeLanguageSettings
-
+
@@ -35722,8 +39568,8 @@ The options are:
-
+
@@ -36026,6 +39872,30 @@ The options are:
+
+ ConfigureFeatureUpdateUninstallPeriod
+
+
+
+
+
+
+
+ Enable enterprises/IT admin to configure feature update uninstall period
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeferFeatureUpdatesPeriodInDays
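Review bot: the ConfigureFeatureUpdateUninstallPeriod description, "Enable enterprises/IT admin to configure feature update uninstall period", gives neither the unit of the period nor the allowed range or default. Add those, and reword to something like "Lets IT admins configure the feature update uninstall period."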
@@ -36867,13 +40737,735 @@ The options are:
+
+ UserRights
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AccessCredentialManagerAsTrustedCaller
+
+
+
+
+
+
+
+ This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccessFromNetwork
+
+
+
+
+
+
+
+ This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ActAsPartOfTheOperatingSystem
+
+
+
+
+
+
+
+ This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AllowLocalLogOn
+
+
+
+
+
+
+
+ This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ BackupFilesAndDirectories
+
+
+
+
+
+
+
+ This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ChangeSystemTime
+
+
+
+
+
+
+
+ This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CreateGlobalObjects
+
+
+
+
+
+
+
+ This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CreatePageFile
+
+
+
+
+
+
+
+ This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CreatePermanentSharedObjects
+
+
+
+
+
+
+
+ This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CreateSymbolicLinks
+
+
+
+
+
+
+
+ This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CreateToken
+
+
+
+
+
+
+
+ This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DebugPrograms
+
+
+
+
+
+
+
+ This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DenyAccessFromNetwork
+
+
+
+
+
+
+
+ This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DenyLocalLogOn
+
+
+
+
+
+
+
+ This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DenyRemoteDesktopServicesLogOn
+
+
+
+
+
+
+
+ This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableDelegation
+
+
+
+
+
+
+
+ This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ GenerateSecurityAudits
+
+
+
+
+
+
+
+ This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ImpersonateClient
+
+
+
+
+
+
+
+ Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
+1) The access token that is being impersonated is for this user.
+2) The user, in this logon session, created the access token by logging on to the network with explicit credentials.
+3) The requested level is less than Impersonate, such as Anonymous or Identify.
+Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IncreaseSchedulingPriority
+
+
+
+
+
+
+
+ This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LoadUnloadDeviceDrivers
+
+
+
+
+
+
+
+ This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LockMemory
+
+
+
+
+
+
+
+ This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ManageAuditingAndSecurityLog
+
+
+
+
+
+
+
+ This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ManageVolume
+
+
+
+
+
+
+
+ This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ModifyFirmwareEnvironment
+
+
+
+
+
+
+
+ This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ModifyObjectLabel
+
+
+
+
+
+
+
+ This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ProfileSingleProcess
+
+
+
+
+
+
+
+ This user right determines which users can use performance monitoring tools to monitor the performance of system processes.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RemoteShutdown
+
+
+
+
+
+
+
+ This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RestoreFilesAndDirectories
+
+
+
+
+
+
+
+ This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TakeOwnership
+
+
+
+
+
+
+
+ This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ Wifi
-
+
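Review bot: the description added under DenyLocalLogOn does not match the node: "This security setting determines which service accounts are prevented from registering a process as a service" describes denying logon as a service, not denying local logon. Replace it with text for the local logon right. In the same hunk, the GenerateSecurityAudits description ends with a fragment that has lost its lead-in ("Shut down system immediately if unable to log security audits security policy setting is enabled."), and several descriptions run sentences together without a space ("Caution:Assigning", "user right.Note:", "the system:Traverse Folder"). BackupFilesAndDirectories and CreatePageFile are missing their final period, and "in conjunction a symlink filesystem setting" in CreateSymbolicLinks is missing "with".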
@@ -37033,13 +41625,59 @@ The options are:
+
+ WindowsConnectionManager
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ WindowsDefenderSecurityCenter
-
+
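Review bot: the node name "ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork" spells "Prohibit" as "Prohit". If that is the name the CSP actually exposes, it has to stay, because management tools address the setting by this exact string; otherwise fix it here before it is published. The node is also added without any description text in the visible lines, so the behaviour it enforces is not documented.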
@@ -37078,6 +41716,30 @@ The options are:
+
+ DisableAccountProtectionUI
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DisableAppBrowserUI
@@ -37102,6 +41764,30 @@ The options are:
+
+ DisableDeviceSecurityUI
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DisableEnhancedNotifications
@@ -37342,6 +42028,78 @@ The options are:
+
+ HideRansomwareDataRecovery
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ HideSecureBoot
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ HideTPMTroubleshooting
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ Phone
@@ -37396,8 +42154,8 @@ The options are:
-
+
@@ -37466,8 +42224,8 @@ The options are:
-
+
@@ -37530,6 +42288,30 @@ The options are:
+
+ EnumerateLocalUsersOnDomainJoinedComputers
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HideFastUserSwitching
@@ -37554,14 +42336,84 @@ The options are:
+
+ SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ WindowsPowerShell
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TurnOnPowerShellScriptBlockLogging
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ WirelessDisplay
-
+
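Review bot: SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart and TurnOnPowerShellScriptBlockLogging are added with no description text in the visible lines, only the node name and "text/plain". One governs automatic sign-in after a restart and the other governs script block logging, so each should carry a description of what the enabled and disabled states do.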
@@ -37824,8 +42676,8 @@ The options are:
- 1
+
@@ -37849,8 +42701,8 @@ The options are:
- 1
+
@@ -37864,6 +42716,9 @@ The options are:
text/plain
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AllowCortanaAboveLockLowestValueMostSecure
@@ -37873,8 +42728,8 @@ The options are:
- 1
+
@@ -37917,8 +42772,8 @@ The options are:
- 1
+
@@ -37941,8 +42796,8 @@ The options are:
- 1
+
@@ -37965,8 +42820,8 @@ The options are:
- 1
+
@@ -37989,8 +42844,8 @@ The options are:
-
+
@@ -38032,8 +42887,8 @@ The options are:
-
+
@@ -38079,8 +42934,8 @@ The options are:
-
+
@@ -38094,9 +42949,40 @@ The options are:
text/plainphone
+ WindowsExplorer.admx
+ DefaultAssociationsConfiguration_TextBox
+ WindowsExplorer~AT~WindowsComponents~WindowsExplorer
+ DefaultAssociationsConfigurationLastWrite
+
+ EnableAppUriHandlers
+
+
+
+
+ 1
+ Enables web-to-app linking, which allows apps to be launched with a http(s) URI
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ GroupPolicy.admx
+ GroupPolicy~AT~System~PolicyPolicies
+ EnableAppUriHandlers
+ HighestValueMostSecure
+
+ ApplicationManagement
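Review bot: EnableAppUriHandlers is tagged "HighestValueMostSecure" while the neighbouring nodes in this part of the patch use "LowestValueMostSecure". With a default of 1 and the description "Enables web-to-app linking, which allows apps to be launched with a http(s) URI", that tag treats the enabled state as the most secure value when policies conflict; confirm that is intended. The description should also read "an http(s) URI".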
@@ -38123,8 +43009,8 @@ The options are:
- 65535
+
@@ -38138,6 +43024,9 @@ The options are:
text/plain
+ AppxPackageManager.admx
+ AppxPackageManager~AT~WindowsComponents~AppxDeployment
+ AppxDeploymentAllowAllTrustedAppsLowestValueMostSecure
@@ -38147,8 +43036,8 @@ The options are:
- 2
+
@@ -38161,6 +43050,10 @@ The options are:
text/plain
+
+ WindowsStore.admx
+ WindowsStore~AT~WindowsComponents~WindowsStore
+ DisableAutoInstallLowestValueMostSecure
@@ -38170,8 +43063,8 @@ The options are:
- 65535
+
@@ -38185,6 +43078,9 @@ The options are:
text/plain
+ AppxPackageManager.admx
+ AppxPackageManager~AT~WindowsComponents~AppxDeployment
+ AllowDevelopmentWithoutDevLicenseLowestValueMostSecure
@@ -38194,8 +43090,8 @@ The options are:
- 1
+
@@ -38210,6 +43106,9 @@ The options are:
phone
+ GameDVR.admx
+ GameDVR~AT~WindowsComponents~GAMEDVR
+ AllowGameDVRLowestValueMostSecure
@@ -38219,8 +43118,8 @@ The options are:
- 0
+
@@ -38234,6 +43133,9 @@ The options are:
text/plain
+ AppxPackageManager.admx
+ AppxPackageManager~AT~WindowsComponents~AppxDeployment
+ AllowSharedLocalAppDataLowestValueMostSecure
@@ -38243,8 +43145,8 @@ The options are:
- 1
+
@@ -38268,8 +43170,8 @@ The options are:
-
+
@@ -38292,8 +43194,8 @@ The options are:
- 0
+
@@ -38307,6 +43209,9 @@ The options are:
text/plain
+ WindowsStore.admx
+ WindowsStore~AT~WindowsComponents~WindowsStore
+ DisableStoreAppsLowestValueMostSecure
@@ -38316,8 +43221,8 @@ The options are:
- 0
+
@@ -38331,6 +43236,9 @@ The options are:
text/plain
+ AppxPackageManager.admx
+ AppxPackageManager~AT~WindowsComponents~AppxDeployment
+ RestrictAppDataToSystemVolumeLowestValueMostSecure
@@ -38340,8 +43248,8 @@ The options are:
- 0
+
@@ -38355,10 +43263,60 @@ The options are:
text/plain
+ AppxPackageManager.admx
+ AppxPackageManager~AT~WindowsComponents~AppxDeployment
+ DisableDeploymentToNonSystemVolumesLowestValueMostSecure
+
+ AppRuntime
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AllowMicrosoftAccountsToBeOptional
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ AppXRuntime.admx
+ AppXRuntime~AT~WindowsComponents~AppXRuntime
+ AppxRuntimeMicrosoftAccountsOptional
+ LastWrite
+
+
+ AppVirtualization
@@ -38384,8 +43342,8 @@ The options are:
-
+
@@ -38411,8 +43369,8 @@ The options are:
-
+
@@ -38438,8 +43396,8 @@ The options are:
-
+
@@ -38465,8 +43423,8 @@ The options are:
-
+
@@ -38492,8 +43450,8 @@ The options are:
-
+
@@ -38519,8 +43477,8 @@ The options are:
-
+
@@ -38546,8 +43504,8 @@ The options are:
-
+
@@ -38573,8 +43531,8 @@ The options are:
-
+
@@ -38600,8 +43558,8 @@ The options are:
-
+
@@ -38627,8 +43585,8 @@ The options are:
-
+
@@ -38654,8 +43612,8 @@ The options are:
-
+
@@ -38681,8 +43639,8 @@ The options are:
-
+
@@ -38708,8 +43666,8 @@ The options are:
-
+
@@ -38735,8 +43693,8 @@ The options are:
-
+
@@ -38762,8 +43720,8 @@ The options are:
-
+
@@ -38789,8 +43747,8 @@ The options are:
-
+
@@ -38816,8 +43774,8 @@ The options are:
-
+
@@ -38843,8 +43801,8 @@ The options are:
-
+
@@ -38870,8 +43828,8 @@ The options are:
-
+
@@ -38897,8 +43855,8 @@ The options are:
-
+
@@ -38924,8 +43882,8 @@ The options are:
-
+
@@ -38951,8 +43909,8 @@ The options are:
-
+
@@ -38978,8 +43936,8 @@ The options are:
-
+
@@ -39005,8 +43963,8 @@ The options are:
-
+
@@ -39032,8 +43990,8 @@ The options are:
-
+
@@ -39059,8 +44017,8 @@ The options are:
-
+
@@ -39086,8 +44044,8 @@ The options are:
-
+
@@ -39113,8 +44071,8 @@ The options are:
-
+
@@ -39160,8 +44118,8 @@ The options are:
- Specifies whether password reset is enabled for AAD accounts.0
+ Specifies whether password reset is enabled for AAD accounts.
@@ -39185,8 +44143,8 @@ The options are:
- 1
+
@@ -39203,39 +44161,14 @@ The options are:
LowestValueMostSecure
-
- AllowFidoDeviceSignon
-
-
-
-
- Specifies whether FIDO device can be used to sign on.
- 0
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
- phone
- LowestValueMostSecure
-
- AllowSecondaryAuthenticationDevice
- 0
+
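Review bot: AllowFidoDeviceSignon ("Specifies whether FIDO device can be used to sign on.", default 0) is deleted outright in this hunk, and nothing in the visible lines replaces it or marks it as deprecated. Confirm the removal is intended, and if the policy was retired or renamed, say so where readers of the previous version will look for it.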
@@ -39249,6 +44182,9 @@ The options are:
text/plain
+ DeviceCredential.admx
+ DeviceCredential~AT~WindowsComponents~MSSecondaryAuthFactorCategory
+ MSSecondaryAuthFactor_AllowSecondaryAuthenticationDeviceLowestValueMostSecure
@@ -39278,8 +44214,8 @@ The options are:
-
+
@@ -39305,8 +44241,8 @@ The options are:
-
+
@@ -39332,8 +44268,8 @@ The options are:
-
+
@@ -39379,8 +44315,8 @@ The options are:
- 6
+
@@ -39423,8 +44359,8 @@ The options are:
- 1
+
@@ -39447,8 +44383,8 @@ The options are:
- 1
+
@@ -39471,8 +44407,32 @@ The options are:
- 1
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ LowestValueMostSecure
+
+
+
+ AllowPromptedProximalConnections
+
+
+
+
+ 1
+
@@ -39495,8 +44455,8 @@ The options are:
-
+
@@ -39518,8 +44478,8 @@ The options are:
-
+
@@ -39561,8 +44521,8 @@ The options are:
- This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.1
+ This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.
@@ -39577,6 +44537,9 @@ The options are:
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowAddressBarDropdownLowestValueMostSecure
@@ -39586,8 +44549,8 @@ The options are:
- This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge.0
+ This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge.
@@ -39601,6 +44564,9 @@ The options are:
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowAutofillLowestValueMostSecure
@@ -39610,8 +44576,8 @@ The options are:
- 1
+
@@ -39630,13 +44596,13 @@ The options are:
- AllowCookies
+ AllowConfigurationUpdateForBooksLibrary
- This setting lets you configure how your company deals with cookies.
- 2
+ 1
+ This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library.
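Review bot: the new AllowConfigurationUpdateForBooksLibrary description does not say what its values mean or where the configuration data comes from, although the default added here is 1. Other descriptions in this file call out network connections to Microsoft services (AllowAddressBarDropdown recommends disabling "if you want to minimize network connections"), so state here whether 1 permits automatic downloads and what 0 does.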
@@ -39649,6 +44615,35 @@ The options are:
text/plain
+
+ LowestValueMostSecure
+
+
+
+ AllowCookies
+
+
+
+
+ 2
+ This setting lets you configure how your company deals with cookies.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ MicrosoftEdge.admx
+ CookiesListBox
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ CookiesLowestValueMostSecure
@@ -39658,8 +44653,8 @@ The options are:
- This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge.1
+ This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge.
@@ -39674,6 +44669,9 @@ The options are:
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowDeveloperToolsLowestValueMostSecure
@@ -39683,8 +44681,8 @@ The options are:
- This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info.0
+ This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info.
@@ -39698,6 +44696,9 @@ The options are:
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowDoNotTrackLowestValueMostSecure
@@ -39707,8 +44708,8 @@ The options are:
- This setting lets you decide whether employees can load extensions in Microsoft Edge.1
+ This setting lets you decide whether employees can load extensions in Microsoft Edge.
@@ -39723,6 +44724,9 @@ The options are:
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowExtensionsLowestValueMostSecure
@@ -39732,8 +44736,8 @@ The options are:
- This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.1
+ This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.
@@ -39748,6 +44752,9 @@ The options are:
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowFlashHighestValueMostSecure
@@ -39757,8 +44764,8 @@ The options are:
- Configure the Adobe Flash Click-to-Run setting.1
+ Configure the Adobe Flash Click-to-Run setting.
@@ -39773,6 +44780,9 @@ The options are:
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowFlashClickToRunHighestValueMostSecure
@@ -39782,8 +44792,8 @@ The options are:
- This setting lets you decide whether employees can browse using InPrivate website browsing.1
+ This setting lets you decide whether employees can browse using InPrivate website browsing.
@@ -39797,6 +44807,9 @@ The options are:
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowInPrivateLowestValueMostSecure
@@ -39806,12 +44819,12 @@ The options are:
+ 1This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat.
If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly.
If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation.
- 1
@@ -39825,6 +44838,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowCVListLowestValueMostSecure
@@ -39834,8 +44850,8 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
- This setting lets you decide whether employees can save their passwords locally, using Password Manager.1
+ This setting lets you decide whether employees can save their passwords locally, using Password Manager.
@@ -39849,6 +44865,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowPasswordManagerLowestValueMostSecure
@@ -39858,8 +44877,8 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
- This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows.0
+ This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows.
@@ -39874,6 +44893,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowPopupsLowestValueMostSecure
@@ -39883,13 +44905,13 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
+ 1Allow search engine customization for MDM enrolled devices. Users can change their default search engine.
If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings.
If this setting is disabled, users will be unable to add search engines or change the default used in the address bar.
This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy).
- 1
@@ -39903,6 +44925,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowSearchEngineCustomizationLowestValueMostSecure
@@ -39912,8 +44937,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge.1
+ This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge.
@@ -39927,6 +44952,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowSearchSuggestionsinAddressBarLowestValueMostSecure
@@ -39936,8 +44964,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- This setting lets you decide whether to turn on Windows Defender SmartScreen.1
+ This setting lets you decide whether to turn on Windows Defender SmartScreen.
@@ -39951,6 +44979,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowSmartScreenLowestValueMostSecure
@@ -39960,8 +44991,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device.0
+ Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device.
@@ -39975,6 +45006,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AlwaysEnableBooksLibraryLowestValueMostSecure
@@ -39984,8 +45018,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- Specifies whether to always clear browsing history on exiting Microsoft Edge.0
+ Specifies whether to always clear browsing history on exiting Microsoft Edge.
@@ -40000,6 +45034,9 @@ This policy will only apply on domain joined machines or when the device is MDM
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowClearingBrowsingDataOnExitLowestValueMostSecure
@@ -40009,6 +45046,7 @@ This policy will only apply on domain joined machines or when the device is MDM
+ Allows you to add up to 5 additional search engines for MDM-enrolled devices.
If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default.
@@ -40016,7 +45054,6 @@ If this setting is turned on, you can add up to 5 additional search engines for
If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
-
@@ -40029,6 +45066,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ ConfigureAdditionalSearchEngines_Prompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ ConfigureAdditionalSearchEnginesLastWrite
@@ -40038,13 +45079,13 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ 0Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect.
Note: This policy has no effect when Browser/HomePages is not configured.
Important
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
- 0
@@ -40059,6 +45100,36 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ DisableLockdownOfStartPages
+ LowestValueMostSecure
+
+
+
+ EnableExtendedBooksTelemetry
+
+
+
+
+ 0
+ This setting allows organizations to send extended telemetry on book usage from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ EnableExtendedBooksTelemetryLowestValueMostSecure
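Review bot: the EnableExtendedBooksTelemetry description ("allows organizations to send extended telemetry on book usage") does not say what the extended data contains, who receives it, or which value turns it on. The entry is added with default 0 and LowestValueMostSecure, so spell out that 0 means no extended telemetry is sent, if that is the intent, and describe what 1 adds.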
@@ -40068,8 +45139,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
- This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites.
+ This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites.
@@ -40083,6 +45154,10 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
text/plainphone
+ MicrosoftEdge.admx
+ EnterSiteListPrompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ EnterpriseModeSiteListLastWrite
@@ -40092,8 +45167,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
-
+
@@ -40116,8 +45191,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
- Configure first run URL.
+ Configure first run URL.
@@ -40140,13 +45215,13 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
+ Configure the Start page URLs for your employees.
Example:
If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support.
Encapsulate each string with greater than and less than characters like any other XML tag.
Version 1703 or later: If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL.
-
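Review bot: since this hunk adds a lead sentence to the HomePages description, the example beneath it should be fixed in the same change. It says that to allow contoso.com and fabrikam.com "you would append /support to the site strings" without saying why, and it describes the delimiters only in words ("greater than and less than characters"). Reword it so the example shows one complete configured value.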
@@ -40160,6 +45235,10 @@ Version 1703 or later: If you don't want to send traffic to Microsoft, you ca
text/plainphone
+ MicrosoftEdge.admx
+ HomePagesPrompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ HomePagesLastWrite
@@ -40169,6 +45248,7 @@ Version 1703 or later: If you don't want to send traffic to Microsoft, you ca
+ 0This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge.
If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off.
@@ -40177,7 +45257,6 @@ Important
Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list.
- 0
@@ -40191,6 +45270,9 @@ If you disable or don't configure this setting (default), employees can add, imp
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ LockdownFavoritesLowestValueMostSecure
@@ -40200,8 +45282,8 @@ If you disable or don't configure this setting (default), employees can add, imp
- Prevent access to the about:flags page in Microsoft Edge.0
+ Prevent access to the about:flags page in Microsoft Edge.
@@ -40215,6 +45297,9 @@ If you disable or don't configure this setting (default), employees can add, imp
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventAccessToAboutFlagsInMicrosoftEdgeHighestValueMostSecure
@@ -40224,10 +45309,10 @@ If you disable or don't configure this setting (default), employees can add, imp
+ 0Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
- 0
@@ -40242,6 +45327,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventFirstRunPageHighestValueMostSecure
@@ -40251,10 +45339,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ 0This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
- 0
@@ -40268,6 +45356,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventLiveTileDataCollectionHighestValueMostSecure
@@ -40277,8 +45368,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Don't allow Windows Defender SmartScreen warning overrides0
+ Don't allow Windows Defender SmartScreen warning overrides
@@ -40292,6 +45383,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventSmartScreenPromptOverrideHighestValueMostSecure
@@ -40301,8 +45395,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Don't allow Windows Defender SmartScreen warning overrides for unverified files.0
+ Don't allow Windows Defender SmartScreen warning overrides for unverified files.
@@ -40316,6 +45410,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventSmartScreenPromptOverrideForFiles
+ HighestValueMostSecure
+
+
+
+ PreventTabPreloading
+
+
+
+
+ 0
+ Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventTabPreloadingHighestValueMostSecure
@@ -40325,8 +45450,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Prevent using localhost IP address for WebRTC0
+ Prevent using localhost IP address for WebRTC
@@ -40340,6 +45465,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ HideLocalHostIPAddressHighestValueMostSecure
@@ -40349,6 +45477,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites.
If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites.
@@ -40357,7 +45486,6 @@ Important
Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar.
-
@@ -40370,6 +45498,10 @@ If you disable or don't configure this setting, employees will see the favorites
text/plain
+ MicrosoftEdge.admx
+ ConfiguredFavoritesPrompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ ConfiguredFavoritesLastWrite
@@ -40379,8 +45511,8 @@ If you disable or don't configure this setting, employees will see the favorites
- Sends all intranet traffic over to Internet Explorer.0
+ Sends all intranet traffic over to Internet Explorer.
@@ -40395,6 +45527,9 @@ If you disable or don't configure this setting, employees will see the favorites
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ SendIntranetTraffictoInternetExplorerHighestValueMostSecure
@@ -40404,6 +45539,7 @@ If you disable or don't configure this setting, employees will see the favorites
+ Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine.
If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING.
@@ -40411,7 +45547,6 @@ If this setting is turned on, you are setting the default search engine that you
If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
-
@@ -40424,6 +45559,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ SetDefaultSearchEngine_Prompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ SetDefaultSearchEngineLastWrite
@@ -40433,8 +45572,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Show message when opening sites in Internet Explorer0
+ Show message when opening sites in Internet Explorer
@@ -40449,6 +45588,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ ShowMessageWhenOpeningSitesInInternetExplorerHighestValueMostSecure
@@ -40458,8 +45600,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.0
+ Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.
@@ -40474,6 +45616,36 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ SyncFavoritesBetweenIEAndMicrosoftEdge
+ LowestValueMostSecure
+
+
+
+ UseSharedFolderForBooks
+
+
+
+
+ 0
+ This setting specifies whether organizations should use a folder shared across users to store books from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ UseSharedFolderForBooksLowestValueMostSecure
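Review bot: the UseSharedFolderForBooks description does not say which folder is shared or which users can read and write it. Because the setting stores content in "a folder shared across users", document the folder location and its access expectations, and state what the default of 0 means.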
@@ -40503,8 +45675,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -40518,6 +45690,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ Camera.admx
+ Camera~AT~WindowsComponents~L_Camera_GroupPolicyCategory
+ L_AllowCameraLowestValueMostSecure
@@ -40547,8 +45722,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This policy setting specifies whether Windows apps can access cellular data.0
+ This policy setting specifies whether Windows apps can access cellular data.
@@ -40561,6 +45736,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ wwansvc.admx
+ LetAppsAccessCellularData_Enum
+ wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess
+ LetAppsAccessCellularDataHighestValueMostSecure
@@ -40570,8 +45750,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
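Review bot: the added line for the ForceAllowTheseApps description still reads "Windows Store Apps", while the ForceDenyTheseApps and UserInControlOfTheseApps descriptions later in this patch are changed to "Microsoft Store Apps". Update this one as well so the three related descriptions use the same product name.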
@@ -40584,6 +45764,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ wwansvc.admx
+ LetAppsAccessCellularData_ForceAllowTheseApps_List
+ wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess
+ LetAppsAccessCellularDataLastWrite;
@@ -40594,8 +45778,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -40608,6 +45792,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ wwansvc.admx
+ LetAppsAccessCellularData_ForceDenyTheseApps_List
+ wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess
+ LetAppsAccessCellularDataLastWrite;
@@ -40618,8 +45806,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -40632,6 +45820,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ wwansvc.admx
+ LetAppsAccessCellularData_UserInControlOfTheseApps_List
+ wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess
+ LetAppsAccessCellularDataLastWrite;
@@ -40642,8 +45834,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -40688,8 +45880,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 2
+
@@ -40712,8 +45904,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -40726,6 +45918,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ LowestValueMostSecure
@@ -40735,8 +45928,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -40749,6 +45942,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ WCM.admx
+ WCM~AT~Network~WCM_Category
+ WCM_DisableRoamingLowestValueMostSecure
@@ -40758,8 +45955,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -40782,8 +45979,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -40801,14 +45998,41 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
LowestValueMostSecure
+
+ AllowPhonePCLinking
+
+
+
+
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ grouppolicy.admx
+ grouppolicy~AT~System~PolicyPolicies
+ enableMMX
+ LowestValueMostSecure
+
+ AllowUSBConnection
- 1
+
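Review bot: AllowPhonePCLinking is added with default 1 and LowestValueMostSecure, so the shipped default is the less restrictive value, but the new entry carries no description text. The ADMX policy name it maps to, enableMMX, does not explain the setting either. Add a description that says what 0 and 1 do.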
@@ -40832,8 +46056,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -40856,8 +46080,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -40880,8 +46104,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -40907,8 +46131,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -40934,8 +46158,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -40961,8 +46185,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -40975,6 +46199,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ ICM.admx
+ ICM~AT~System~InternetManagement~InternetManagement_Settings
+ NoActiveProbeHighestValueMostSecure
@@ -40984,8 +46212,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41011,8 +46239,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41033,6 +46261,50 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ ControlPolicyConflict
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ MDMWinsOverGP
+
+
+
+
+ 0
+ If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ LastWrite
+
+
+ CredentialProviders
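Review bot: the MDMWinsOverGP description covers only the value 1 and is hard to parse ("any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC"). The default added here is 0, so say what happens at 0, and whether Group Policy values blocked while the setting was 1 are applied again once it returns to 0. Administrators need both cases to know which management channel is in control of a device.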
@@ -41058,8 +46330,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41085,8 +46357,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41112,8 +46384,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41131,6 +46403,53 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ CredentialsDelegation
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ RemoteHostAllowsDelegationOfNonExportableCredentials
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ CredSsp.admx
+ CredSsp~AT~System~CredentialsDelegation
+ AllowProtectedCreds
+ LastWrite
+
+
+ CredentialsUI
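Review bot: RemoteHostAllowsDelegationOfNonExportableCredentials is added with no description and no default value text visible in this hunk, only the CredSsp.admx mapping to AllowProtectedCreds and LastWrite. For a credential-delegation policy, add a description of what enabling it permits and state the default, so the entry can be reviewed without opening CredSsp.admx.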
@@ -41156,8 +46475,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41183,8 +46502,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41230,8 +46549,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -41244,6 +46563,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ Windows Settings~Security Settings~Local Policies~Security Options
+ System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signingLastWrite
@@ -41253,8 +46575,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41296,8 +46618,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41320,8 +46642,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41363,8 +46685,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41389,8 +46711,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41435,8 +46757,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41449,7 +46771,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_DisableArchiveScanningHighestValueMostSecure
@@ -41459,8 +46785,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41473,7 +46799,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection
+ RealtimeProtection_DisableBehaviorMonitoringHighestValueMostSecure
@@ -41483,8 +46813,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41497,7 +46827,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ SpynetReporting
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Spynet
+ SpynetReportingHighestValueMostSecure
@@ -41507,8 +46842,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -41521,7 +46856,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_DisableEmailScanningHighestValueMostSecure
@@ -41531,8 +46870,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -41545,7 +46884,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_DisableScanningMappedNetworkDrivesForFullScanHighestValueMostSecure
@@ -41555,8 +46898,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41569,7 +46912,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_DisableRemovableDriveScanningHighestValueMostSecure
@@ -41579,8 +46926,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41593,6 +46940,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phoneHighestValueMostSecure
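Review bot: the only added line in this hunk, `phoneHighestValueMostSecure`, carries the platform and conflict-resolution values but no ADMX mapping, while the neighbouring Windows Defender nodes each add `WindowsDefender.admx`, a category path and a policy name. If this node has a Group Policy counterpart, add the mapping here. If it is MDM-only, say so in the description so the gap does not read as an omission. The hunks at -41713 and -42073 have the same shape.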
@@ -41603,8 +46951,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41617,7 +46965,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection
+ RealtimeProtection_DisableIOAVProtectionHighestValueMostSecure
@@ -41627,8 +46979,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41641,7 +46993,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection
+ RealtimeProtection_DisableOnAccessProtectionHighestValueMostSecure
@@ -41651,8 +47007,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41665,7 +47021,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection
+ DisableRealtimeMonitoringHighestValueMostSecure
@@ -41675,8 +47035,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -41689,7 +47049,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_DisableScanningNetworkFilesHighestValueMostSecure
@@ -41699,8 +47063,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41713,6 +47077,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phoneHighestValueMostSecure
@@ -41723,8 +47088,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41737,7 +47102,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ClientInterface
+ UX_Configuration_UILockdownLastWrite
@@ -41747,8 +47116,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41762,6 +47131,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plainphone
+ WindowsDefender.admx
+ ExploitGuard_ASR_ASROnlyExclusions
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ASR
+ ExploitGuard_ASR_ASROnlyExclusionsLastWrite
@@ -41771,8 +47144,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41786,6 +47159,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plainphone
+ WindowsDefender.admx
+ ExploitGuard_ASR_Rules
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ASR
+ ExploitGuard_ASR_RulesLastWrite
@@ -41795,8 +47172,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 50
+
@@ -41809,7 +47186,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ Scan_AvgCPULoadFactor
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_AvgCPULoadFactorLastWrite
@@ -41819,8 +47201,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -41833,7 +47215,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ MpCloudBlockLevel
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~MpEngine
+ MpEngine_MpCloudBlockLevelLastWrite
@@ -41843,8 +47230,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -41857,7 +47244,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ MpBafsExtendedTimeout
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~MpEngine
+ MpEngine_MpBafsExtendedTimeoutLastWrite
@@ -41867,8 +47259,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41882,6 +47274,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plainphone
+ WindowsDefender.admx
+ ExploitGuard_ControlledFolderAccess_AllowedApplications
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess
+ ExploitGuard_ControlledFolderAccess_AllowedApplicationsLastWrite
@@ -41891,8 +47287,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41906,6 +47302,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plainphone
+ WindowsDefender.admx
+ ExploitGuard_ControlledFolderAccess_ProtectedFolders
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess
+ ExploitGuard_ControlledFolderAccess_ProtectedFoldersLastWrite
@@ -41915,8 +47315,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -41929,7 +47329,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ Quarantine_PurgeItemsAfterDelay
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Quarantine
+ Quarantine_PurgeItemsAfterDelayLastWrite
@@ -41939,8 +47344,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -41953,7 +47358,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess
+ ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccessLastWrite
@@ -41963,8 +47373,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -41977,7 +47387,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ ExploitGuard_EnableNetworkProtection
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_NetworkProtection
+ ExploitGuard_EnableNetworkProtectionLastWrite
@@ -41987,8 +47402,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42002,6 +47417,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plainphone
+ WindowsDefender.admx
+ Exclusions_PathsList
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions
+ Exclusions_PathsLastWrite
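Review bot: `Exclusions_PathsLastWrite` gives the path exclusion list a last-writer-wins merge, whereas the Defender on/off nodes earlier in this diff are tagged `HighestValueMostSecure`. For a setting that narrows what the scanner looks at, please confirm that letting the most recent management source replace the list is the intended behaviour, and document it in the node description. The same question applies to `Exclusions_Extensions` and `Exclusions_Processes` in the next two hunks.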
@@ -42011,8 +47430,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42026,6 +47445,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plainphone
+ WindowsDefender.admx
+ Exclusions_ExtensionsList
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions
+ Exclusions_ExtensionsLastWrite
@@ -42035,8 +47458,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42050,6 +47473,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plainphone
+ WindowsDefender.admx
+ Exclusions_ProcessesList
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions
+ Exclusions_ProcessesLastWrite
@@ -42059,8 +47486,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -42073,6 +47500,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phoneLastWrite
@@ -42083,8 +47511,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -42097,7 +47525,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ RealtimeProtection_RealtimeScanDirection
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection
+ RealtimeProtection_RealtimeScanDirectionLowestValueMostSecure
@@ -42107,8 +47540,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -42121,7 +47554,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ Scan_ScanParameters
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_ScanParametersLastWrite
@@ -42131,8 +47569,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 120
+
@@ -42145,7 +47583,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ Scan_ScheduleQuickScantime
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_ScheduleQuickScantimeLastWrite
@@ -42155,8 +47598,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -42169,7 +47612,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ Scan_ScheduleDay
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_ScheduleDayLastWrite
@@ -42179,8 +47627,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 120
+
@@ -42193,7 +47641,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ Scan_ScheduleTime
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_ScheduleTimeLastWrite
@@ -42203,8 +47656,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 8
+
@@ -42217,7 +47670,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ SignatureUpdate_SignatureUpdateInterval
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate
+ SignatureUpdate_SignatureUpdateIntervalLastWrite
@@ -42227,8 +47685,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -42241,7 +47699,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ SubmitSamplesConsent
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Spynet
+ SubmitSamplesConsentHighestValueMostSecure
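Review bot: `SubmitSamplesConsentHighestValueMostSecure` applies a numeric ordering to what the name suggests is a set of consent choices rather than a scale. Please confirm that the highest value of this setting really is the most restrictive option. If the values are not ordered by security, `LastWrite` (used for the other non-boolean Defender nodes in this diff) would be the safer tag.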
@@ -42251,8 +47714,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42266,6 +47729,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plainphone
+ WindowsDefender.admx
+ Threats_ThreatSeverityDefaultActionList
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Threats
+ Threats_ThreatSeverityDefaultActionLastWrite
@@ -42295,8 +47762,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 10
+
@@ -42309,7 +47776,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ AbsoluteMaxCacheSize
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ AbsoluteMaxCacheSizeLastWrite
@@ -42319,8 +47790,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -42334,20 +47805,23 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+ DeliveryOptimization.admx
+ AllowVPNPeerCaching
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ AllowVPNPeerCachingLowestValueMostSecure
- DOCacheHost
+ DODelayBackgroundDownloadFromHttp
+ 0
-
-
+
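Review bot: the line `- DOCacheHost` is replaced by `+ DODelayBackgroundDownloadFromHttp`, and nothing in this hunk adds `DOCacheHost` back. If the node is being dropped on purpose, mention it in the change description. If it was overwritten while inserting the new node, restore it as a separate entry.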
@@ -42358,7 +47832,39 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ DelayBackgroundDownloadFromHttp
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ DelayBackgroundDownloadFromHttp
+ LastWrite
+
+
+
+ DODelayForegroundDownloadFromHttp
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeliveryOptimization.admx
+ DelayForegroundDownloadFromHttp
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ DelayForegroundDownloadFromHttpLastWrite
@@ -42368,8 +47874,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -42383,7 +47889,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+ DeliveryOptimization.admx
+ DownloadMode
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ DownloadModeLastWrite
@@ -42393,8 +47902,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42407,7 +47916,38 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+ DeliveryOptimization.admx
+ GroupId
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ GroupId
+ LastWrite
+
+
+
+ DOGroupIdSource
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeliveryOptimization.admx
+ GroupIdSource
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ GroupIdSourceLastWrite
@@ -42417,8 +47957,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 259200
+
@@ -42431,7 +47971,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MaxCacheAge
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MaxCacheAgeLastWrite
@@ -42441,8 +47985,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 20
+
@@ -42455,7 +47999,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MaxCacheSize
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MaxCacheSizeLastWrite
@@ -42465,8 +48013,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -42479,7 +48027,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MaxDownloadBandwidth
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MaxDownloadBandwidthLastWrite
@@ -42489,8 +48041,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -42503,7 +48055,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MaxUploadBandwidth
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MaxUploadBandwidthLastWrite
@@ -42513,8 +48069,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 500
+
@@ -42527,7 +48083,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MinBackgroundQos
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MinBackgroundQosLastWrite
@@ -42537,8 +48097,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -42551,7 +48111,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MinBatteryPercentageAllowedToUpload
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MinBatteryPercentageAllowedToUploadLastWrite
@@ -42561,8 +48125,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 32
+
@@ -42575,7 +48139,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MinDiskSizeAllowedToPeer
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MinDiskSizeAllowedToPeerLastWrite
@@ -42585,8 +48153,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 100
+
@@ -42599,7 +48167,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MinFileSizeToCache
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MinFileSizeToCacheLastWrite
@@ -42609,8 +48181,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 4
+
@@ -42623,7 +48195,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MinRAMAllowedToPeer
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MinRAMAllowedToPeerLastWrite
@@ -42633,8 +48209,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- %SystemDrive%
+
@@ -42647,7 +48223,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+ DeliveryOptimization.admx
+ ModifyCacheDrive
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ ModifyCacheDriveLastWrite
@@ -42657,8 +48236,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 20
+
@@ -42671,7 +48250,39 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MonthlyUploadDataCap
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MonthlyUploadDataCap
+ LastWrite
+
+
+
+ DOPercentageMaxBackgroundBandwidth
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeliveryOptimization.admx
+ PercentageMaxBackgroundBandwidth
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ PercentageMaxBackgroundBandwidthLastWrite
@@ -42681,8 +48292,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -42695,10 +48306,191 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phoneLastWrite
+
+ DOPercentageMaxForegroundBandwidth
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeliveryOptimization.admx
+ PercentageMaxForegroundBandwidth
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ PercentageMaxForegroundBandwidth
+ LastWrite
+
+
+
+ DORestrictPeerSelectionBy
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeliveryOptimization.admx
+ RestrictPeerSelectionBy
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ RestrictPeerSelectionBy
+ LastWrite
+
+
+
+ DOSetHoursToLimitBackgroundDownloadBandwidth
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ DeliveryOptimization.admx
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ SetHoursToLimitBackgroundDownloadBandwidth
+ LastWrite
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ]]>
+
+
+
+ DOSetHoursToLimitForegroundDownloadBandwidth
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ DeliveryOptimization.admx
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ SetHoursToLimitForegroundDownloadBandwidth
+ LastWrite
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ]]>
+
+ DeviceGuard
@@ -42725,8 +48517,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Turns On Virtualization Based Security(VBS)0
+ Turns On Virtualization Based Security(VBS)
@@ -42741,6 +48533,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ DeviceGuard.admx
+ DeviceGuard~AT~System~DeviceGuardCategory
+ VirtualizationBasedSecurityHighestValueMostSecure
@@ -42750,8 +48545,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock.0
+ Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock.
@@ -42766,6 +48561,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ DeviceGuard.admx
+ CredentialIsolationDrop
+ DeviceGuard~AT~System~DeviceGuardCategory
+ VirtualizationBasedSecurityLowestValueMostSecureZeroHasNoLimits
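Review bot: the `LowestValueMostSecureZeroHasNoLimits` tag added here has a consequence the description in the previous hunk does not spell out. That description defines 0 as turning Credential Guard off, 1 as on with UEFI lock and 2 as on without UEFI lock, so under this rule 1 wins over 2 and a 0 from one source never overrides a 1 or 2 from another. That ordering looks right, but an administrator sending 0 to turn the feature off will not get that result while another source still sets 1 or 2. Add a sentence to the description stating this.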
@@ -42775,8 +48574,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support.1
+ Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support.
@@ -42791,6 +48590,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ DeviceGuard.admx
+ RequirePlatformSecurityFeaturesDrop
+ DeviceGuard~AT~System~DeviceGuardCategory
+ VirtualizationBasedSecurityHighestValueMostSecure
@@ -42820,8 +48623,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42847,8 +48650,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42894,8 +48697,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies whether the user must input a PIN or password when the device resumes from an idle state.1
+ Specifies whether the user must input a PIN or password when the device resumes from an idle state.
@@ -42919,8 +48722,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.0
+ Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.
@@ -42933,6 +48736,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ LastWrite
@@ -42942,8 +48746,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords.1
+ Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords.
@@ -42956,6 +48760,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ LowestValueMostSecure
@@ -42965,8 +48770,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 02
+ Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0
@@ -42979,6 +48784,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ LowestValueMostSecure
@@ -42988,8 +48794,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies whether device lock is enabled.1
+ Specifies whether device lock is enabled.
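Review bot: the description "Specifies whether device lock is enabled." does not say which value enables it. The description two hunks earlier ("only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0") and the `LowestValueMostSecure` tag added in the next hunk both imply that 0 means enabled, which is the reverse of what most readers will assume. State the value meanings in this description.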
@@ -43002,6 +48808,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ LowestValueMostSecure
@@ -43011,8 +48818,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies when the password expires (in days).0
+ Specifies when the password expires (in days).
@@ -43025,6 +48832,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ LowestValueMostSecureZeroHasNoLimits
@@ -43034,8 +48842,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies how many passwords can be stored in the history that can’t be used.0
+ Specifies how many passwords can be stored in the history that can’t be used.
@@ -43048,6 +48856,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ HighestValueMostSecure
@@ -43057,8 +48866,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -43081,8 +48890,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -43104,8 +48913,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -43118,6 +48927,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ LowestValueMostSecureZeroHasNoLimits
@@ -43127,8 +48937,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.0
+ The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
@@ -43141,6 +48951,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ LowestValueMostSecureZeroHasNoLimits
@@ -43150,8 +48961,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Sets the maximum timeout value for the external display.0
+ Sets the maximum timeout value for the external display.
@@ -43164,6 +48975,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ desktopLowestValueMostSecure
@@ -43174,8 +48986,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.1
+ The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
@@ -43188,6 +49000,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ HighestValueMostSecure
@@ -43197,8 +49010,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies the minimum number or characters required in the PIN or password.4
+ Specifies the minimum number or characters required in the PIN or password.
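Review bot: the re-added description still reads "minimum number or characters"; it should be "minimum number of characters". Since this line is being rewritten anyway, fix the typo in the same change.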
@@ -43211,6 +49024,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ HighestValueMostSecureZeroHasNoLimits
@@ -43220,12 +49034,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ 1This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0.
The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default.
- 1
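Review bot: the default value carried by this hunk is 1, but the description kept as context says to configure a minimum password age of more than 0 and then states "The default setting does not follow this recommendation". A default of 1 does follow it, so either the default or that sentence is wrong. Please reconcile the two before moving the value.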
@@ -43238,8 +49052,38 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plain
+
+ phone
+ Windows Settings~Security Settings~Account Policies~Password Policy
+ Minimum password age
+ HighestValueMostSecure
+
+
+
+ PreventEnablingLockScreenCamera
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+ phone
- HighestValueMostSecure
+ ControlPanelDisplay.admx
+ ControlPanelDisplay~AT~ControlPanel~Personalization
+ CPL_Personalization_NoLockScreenCamera
+ LastWrite
@@ -43248,8 +49092,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43275,8 +49119,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.10
+ Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.
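Review bot: this description is word for word the one in the hunk at -42919, yet the default removed there is 0 and the default removed here is 10, so these are two different settings sharing one description. The text describes a show/hide toggle, which does not fit a default of 10. Give this node a description of its own that states what the value represents and its unit.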
@@ -43289,6 +49133,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plain
+ LastWrite
@@ -43313,13 +49158,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- TurnOffGdiDPIScalingForApps
+ DisablePerProcessDpiForApps
- This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension.
+ This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
@@ -43333,6 +49178,95 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plainphone
+ Display.admx
+ DisplayDisablePerProcessSystemDpiSettings
+ Display~AT~System~DisplayCat
+ DisplayPerProcessSystemDpiSettings
+ LastWrite
+
+
+
+ EnablePerProcessDpi
+
+
+
+
+
+ Enable or disable Per-Process System DPI for all applications.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Display.admx
+ DisplayGlobalPerProcessSystemDpiSettings
+ Display~AT~System~DisplayCat
+ DisplayPerProcessSystemDpiSettings
+ LowestValueMostSecure
+
+
+
+ EnablePerProcessDpiForApps
+
+
+
+
+
+ This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Display.admx
+ DisplayEnablePerProcessSystemDpiSettings
+ Display~AT~System~DisplayCat
+ DisplayPerProcessSystemDpiSettings
+ LastWrite
+
+
+
+ TurnOffGdiDPIScalingForApps
+
+
+
+
+
+ This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Display.admx
+ DisplayTurnOffGdiDPIScalingPrompt
+ Display~AT~System~DisplayCat
+ DisplayTurnOffGdiDPIScalingLastWrite
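Review bot: EnablePerProcessDpiForApps (added in this hunk) and DisablePerProcessDpiForApps (renamed in the previous hunk) both state "This policy will override the system-wide default value", but neither description says which list wins when the same application appears in both. Suggest stating the precedence in one of the two descriptions. Separately, the re-added TurnOffGdiDPIScalingForApps description still reads "allows to force turn off GDI DPI Scaling for a semicolon separated list"; it could take the same wording fix ("allows you to", "semicolon-separated") that DisablePerProcessDpiForApps received.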
@@ -43342,8 +49276,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension.
+ This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension.
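Review bot: the removed and added description lines in this hunk read identically, so the change appears to be whitespace only, and "This policy allows to turn on GDI DPI Scaling for a semicolon separated list" keeps the grammar that was corrected for DisablePerProcessDpiForApps earlier in the patch. Since the line is being touched anyway, suggest "allows you to turn on" and "semicolon-separated" here as well.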
@@ -43357,6 +49291,10 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plainphone
+ Display.admx
+ DisplayTurnOnGdiDPIScalingPrompt
+ Display~AT~System~DisplayCat
+ DisplayTurnOnGdiDPIScalingLastWrite
@@ -43386,8 +49324,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43413,8 +49351,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43440,8 +49378,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43467,8 +49405,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43494,8 +49432,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43541,8 +49479,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43568,8 +49506,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43595,8 +49533,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43622,8 +49560,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43669,8 +49607,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
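Review bot: the removed line here carries the value 1 and its replacement is blank, and the same "- 1" / "+ blank" pattern repeats in the hunks that follow, while AllowWindowsConsumerFeatures and AllowWindowsTips later in the patch still carry explicit 0 and 1 values. Please confirm that blanking the value on these nodes is intentional and say in the commit message where a consumer of this file should now find the default, because a reader cannot tell from the hunk whether the default changed or was only moved.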
@@ -43694,8 +49632,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43709,6 +49647,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plain
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AllowCortanaLowestValueMostSecure
@@ -43718,8 +49659,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43742,8 +49683,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43757,6 +49698,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plain
+ FindMy.admx
+ FindMy~AT~WindowsComponents~FindMyDeviceCat
+ FindMy_AllowFindMyDeviceConfigLowestValueMostSecure
@@ -43766,8 +49710,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43790,8 +49734,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43814,8 +49758,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43838,8 +49782,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43862,8 +49806,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43886,8 +49830,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43910,8 +49854,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43935,8 +49879,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43955,13 +49899,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- AllowWindowsTips
+ AllowWindowsConsumerFeatures
+ 0
- 1
@@ -43976,17 +49920,20 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
phone
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableWindowsConsumerFeaturesLowestValueMostSecure
- DoNotShowFeedbackNotifications
+ AllowWindowsTips
+ 1
- 0
@@ -43999,6 +49946,38 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plain
+
+ phone
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableSoftLanding
+ LowestValueMostSecure
+
+
+
+ DoNotShowFeedbackNotifications
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ FeedbackNotifications.admx
+ FeedbackNotifications~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ DoNotShowFeedbackNotificationsHighestValueMostSecure
@@ -44028,8 +50007,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44042,6 +50021,84 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plain
+ ExploitGuard.admx
+ ExploitProtection_Name
+ ExploitGuard~AT~WindowsComponents~WindowsDefenderExploitGuard~ExploitProtection
+ ExploitProtection_Name
+ LastWrite
+
+
+
+
+ FileExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TurnOffDataExecutionPreventionForExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Explorer.admx
+ Explorer~AT~WindowsExplorer
+ NoDataExecutionPrevention
+ LastWrite
+
+
+
+ TurnOffHeapTerminationOnCorruption
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Explorer.admx
+ Explorer~AT~WindowsExplorer
+ NoHeapTerminationOnCorruptionLastWrite
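Review bot: the new TurnOffDataExecutionPreventionForExplorer and TurnOffHeapTerminationOnCorruption nodes have no description text in this hunk, only a name, a format and an Explorer.admx mapping (NoDataExecutionPrevention, NoHeapTerminationOnCorruption), whereas EnablePerProcessDpi earlier in the patch does get a description. Both names indicate a setting that turns a memory-protection feature off for Explorer, so suggest adding a description to each that states what enabling the policy disables and which state keeps the protection on.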
@@ -44071,8 +50128,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services.1
+ Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services.
@@ -44115,8 +50172,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen0
+ Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen
@@ -44131,6 +50188,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
phone
+ Handwriting.admx
+ Handwriting~AT~WindowsComponents~Handwriting
+ PanelDefaultModeDockedLowestValueMostSecure
@@ -44160,8 +50220,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44187,8 +50247,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44214,8 +50274,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44241,8 +50301,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44268,8 +50328,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44295,8 +50355,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44322,8 +50382,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44349,8 +50409,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44376,8 +50436,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44403,8 +50463,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44430,8 +50490,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44457,8 +50517,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44484,8 +50544,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44511,8 +50571,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44538,8 +50598,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44565,8 +50625,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44592,8 +50652,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44619,8 +50679,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44646,8 +50706,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44673,8 +50733,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44700,8 +50760,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44727,8 +50787,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44754,8 +50814,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44781,8 +50841,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44808,8 +50868,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44835,8 +50895,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44862,8 +50922,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44889,8 +50949,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44905,8 +50965,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
phoneinetres.admx
- inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryBinaryBehaviorSecurityRestriction
- IESF_PolicyExplorerProcesses_2
+ inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryConsistentMimeHandling
+ IESF_PolicyExplorerProcesses_5LastWrite
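Review bot: the ADMX mapping changes from IESF_CategoryBinaryBehaviorSecurityRestriction / IESF_PolicyExplorerProcesses_2 to IESF_CategoryConsistentMimeHandling / IESF_PolicyExplorerProcesses_5, but the name of the node being remapped is not visible in the hunk context. Please confirm that this node is the consistent MIME handling policy and that the binary behavior restriction policy keeps its own mapping elsewhere in the file; a mismatched mapping would make the node configure a different Internet Explorer security feature than its name says.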
@@ -44916,8 +50976,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44943,8 +51003,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44970,8 +51030,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44997,8 +51057,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45024,8 +51084,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45051,8 +51111,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45078,8 +51138,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45105,8 +51165,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45132,8 +51192,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45159,8 +51219,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45186,8 +51246,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45213,8 +51273,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45240,8 +51300,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45267,8 +51327,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45294,8 +51354,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45321,8 +51381,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45348,8 +51408,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45375,8 +51435,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45402,8 +51462,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45429,8 +51489,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45456,8 +51516,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45483,8 +51543,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45510,8 +51570,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45537,8 +51597,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45564,8 +51624,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45591,8 +51651,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45618,8 +51678,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45645,8 +51705,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45672,8 +51732,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45699,8 +51759,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45726,8 +51786,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45753,8 +51813,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45780,8 +51840,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45807,8 +51867,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45834,8 +51894,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45861,8 +51921,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45888,8 +51948,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45915,8 +51975,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45942,8 +52002,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45969,8 +52029,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45996,8 +52056,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46023,8 +52083,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46050,8 +52110,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46071,14 +52131,41 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
LastWrite
+
+ InternetZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ inetres.admx
+ inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone
+ IZ_PolicyAllowVBScript_1
+ LastWrite
+
+ InternetZoneDoNotRunAntimalwareAgainstActiveXControls
-
+
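Review bot: the new InternetZoneAllowVBScriptToRunInInternetExplorer node has no description text in this hunk, only its name, format and ADMX mapping (inetres.admx, IZ_PolicyAllowVBScript_1). Since the setting controls whether VBScript may run in the Internet zone, suggest adding a description that says what each state does, so an administrator reading this file can tell which one blocks script execution. The same applies to RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer, added later in the patch.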
@@ -46104,8 +52191,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46131,8 +52218,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46158,8 +52245,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46185,8 +52272,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46212,8 +52299,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46239,8 +52326,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46266,8 +52353,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46293,8 +52380,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46320,8 +52407,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46347,8 +52434,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46374,8 +52461,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46401,8 +52488,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46428,8 +52515,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46455,8 +52542,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46482,8 +52569,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46509,8 +52596,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46536,8 +52623,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46563,8 +52650,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46590,8 +52677,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46617,8 +52704,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46644,8 +52731,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46671,8 +52758,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46698,8 +52785,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46725,8 +52812,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46752,8 +52839,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46779,8 +52866,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46806,8 +52893,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46833,8 +52920,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46860,8 +52947,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46887,8 +52974,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46914,8 +53001,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46941,8 +53028,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46968,8 +53055,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46995,8 +53082,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47022,8 +53109,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47049,8 +53136,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47076,8 +53163,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47103,8 +53190,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47130,8 +53217,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47157,8 +53244,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47184,8 +53271,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47211,8 +53298,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47238,8 +53325,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47265,8 +53352,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47292,8 +53379,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47319,8 +53406,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47346,8 +53433,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47373,8 +53460,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47400,8 +53487,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47427,8 +53514,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47454,8 +53541,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47481,8 +53568,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47508,8 +53595,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47535,8 +53622,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47556,14 +53643,41 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
LastWrite
+
+ LockedDownIntranetJavaPermissions
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ inetres.admx
+ inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown
+ IZ_PolicyJavaPermissions_4
+ LastWrite
+
+ LockedDownIntranetZoneAllowAccessToDataSources
-
+
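Review bot: the new node is named LockedDownIntranetJavaPermissions, while the node directly after it in this hunk is LockedDownIntranetZoneAllowAccessToDataSources and the ADMX category is IZ_IntranetZoneLockdown, so the new name drops the "Zone" segment that the neighbouring names carry. Please confirm the name is intended as written; if it is, a short description on the node would help, since none is visible here and the name alone does not say which Java permission level is applied.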
@@ -47589,8 +53703,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47616,8 +53730,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47643,8 +53757,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47670,8 +53784,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47697,8 +53811,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47724,8 +53838,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47751,8 +53865,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47778,8 +53892,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47805,8 +53919,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47832,8 +53946,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47859,8 +53973,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47886,8 +54000,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47913,8 +54027,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47940,8 +54054,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47967,8 +54081,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47994,8 +54108,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48021,8 +54135,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48048,8 +54162,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48075,8 +54189,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48102,8 +54216,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48129,8 +54243,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48156,8 +54270,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48183,8 +54297,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48210,8 +54324,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48237,8 +54351,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48264,8 +54378,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48291,8 +54405,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48318,8 +54432,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48345,8 +54459,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48372,8 +54486,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48399,8 +54513,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48426,8 +54540,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48453,8 +54567,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48480,8 +54594,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48507,8 +54621,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48534,8 +54648,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48561,8 +54675,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48588,8 +54702,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48615,8 +54729,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48642,8 +54756,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48669,8 +54783,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48696,8 +54810,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48723,8 +54837,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48750,8 +54864,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48777,8 +54891,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48804,8 +54918,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48831,8 +54945,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48858,8 +54972,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48885,8 +54999,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48912,8 +55026,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48939,8 +55053,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48966,8 +55080,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48993,8 +55107,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49020,8 +55134,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49047,8 +55161,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49074,8 +55188,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49101,8 +55215,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49128,8 +55242,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49155,8 +55269,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49182,8 +55296,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49209,8 +55323,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49236,8 +55350,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49263,8 +55377,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49290,8 +55404,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49317,8 +55431,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49344,8 +55458,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49371,8 +55485,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49398,8 +55512,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49425,8 +55539,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49452,8 +55566,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49479,8 +55593,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49506,8 +55620,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49533,8 +55647,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49560,8 +55674,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49587,8 +55701,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49608,14 +55722,41 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
LastWrite
+
+ RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ inetres.admx
+ inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone
+ IZ_PolicyAllowVBScript_7
+ LastWrite
+
+ RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
-
+
@@ -49641,8 +55782,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49668,8 +55809,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49695,8 +55836,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49722,8 +55863,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49749,8 +55890,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49776,8 +55917,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49803,8 +55944,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49830,8 +55971,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49857,8 +55998,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49884,8 +56025,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49911,8 +56052,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49938,8 +56079,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49965,8 +56106,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49992,8 +56133,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50019,8 +56160,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50046,8 +56187,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50073,8 +56214,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50100,8 +56241,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50127,8 +56268,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50154,8 +56295,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50181,8 +56322,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50208,8 +56349,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50230,13 +56371,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- SecurityZonesUseOnlyMachineSettings
+ SecurityZonesUseOnlyMachineSettings
-
+
@@ -50262,8 +56403,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50289,8 +56430,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50316,8 +56457,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50343,8 +56484,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50370,8 +56511,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50397,8 +56538,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50424,8 +56565,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50451,8 +56592,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50478,8 +56619,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50505,8 +56646,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50532,8 +56673,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50559,8 +56700,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50586,8 +56727,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50613,8 +56754,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50660,8 +56801,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50687,8 +56828,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50714,8 +56855,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50741,8 +56882,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50768,8 +56909,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50790,6 +56931,173 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ KioskBrowser
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ BlockedUrlExceptions
+
+
+
+
+
+ List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+
+ BlockedUrls
+
+
+
+
+
+ List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+
+ DefaultURL
+
+
+
+
+
+ Configures the default URL kiosk browsers to navigate on launch and restart.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+
+ EnableHomeButton
+
+
+
+
+ 0
+ Enable/disable kiosk browser's home button.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ LastWrite
+
+
+
+ EnableNavigationButtons
+
+
+
+
+ 0
+ Enable/disable kiosk browser's navigation buttons (forward/back).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ LastWrite
+
+
+
+ RestartOnIdleTime
+
+
+
+
+ 0
+ Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ LastWrite
+
+
+ Licensing
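Review bot: The new KioskBrowser descriptions need a wording pass, and the numeric defaults need their meaning stated. The DefaultURL text "Configures the default URL kiosk browsers to navigate on launch and restart" is missing words (suggest "the default URL that kiosk browsers navigate to on launch and restart"), and the BlockedUrls text uses "can not". EnableHomeButton, EnableNavigationButtons and RestartOnIdleTime all default to 0, but none of the descriptions says what 0 means; for RestartOnIdleTime, say explicitly whether 0 turns the idle restart off. Because BlockedUrlExceptions is described as a subset of the blocked URLs, it would also help to document which list wins when a wildcard in each matches the same URL.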
@@ -50815,8 +57123,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -50831,6 +57139,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
phone
+ AVSValidationGP.admx
+ AVSValidationGP~AT~WindowsComponents~SoftwareProtectionPlatform
+ AllowWindowsEntitlementReactivationLowestValueMostSecure
@@ -50840,8 +57151,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 0
+
@@ -50856,6 +57167,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
phone
+ AVSValidationGP.admx
+ AVSValidationGP~AT~WindowsComponents~SoftwareProtectionPlatform
+ NoAcquireGTLowestValueMostSecure
@@ -50885,6 +57199,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+ 0This policy setting prevents users from adding new Microsoft accounts on this computer.
If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
@@ -50892,7 +57207,6 @@ If you select the "Users can’t add Microsoft accounts" option, users will not
If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system.
If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
- 0
@@ -50907,6 +57221,8 @@ If you disable or do not configure this policy (recommended), users will be able
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Accounts: Block Microsoft accountsLastWrite
@@ -50916,6 +57232,7 @@ If you disable or do not configure this policy (recommended), users will be able
+ 0This security setting determines whether the local Administrator account is enabled or disabled.
Notes
@@ -50926,7 +57243,6 @@ Disabling the Administrator account can become a maintenance issue under certain
Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled.
Default: Disabled.
- 0
@@ -50939,7 +57255,10 @@ Default: Disabled.
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Accounts: Administrator account statusLastWrite
@@ -50949,12 +57268,12 @@ Default: Disabled.
+ 0This security setting determines if the Guest account is enabled or disabled.
Default: Disabled.
Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail.
- 0
@@ -50967,7 +57286,10 @@ Note: If the Guest account is disabled and the security option Network Access: S
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Accounts: Guest account statusLastWrite
@@ -50977,6 +57299,7 @@ Note: If the Guest account is disabled and the security option Network Access: S
+ 1Accounts: Limit local account use of blank passwords to console logon only
This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard.
@@ -50993,7 +57316,6 @@ Notes
This setting does not affect logons that use domain accounts.
It is possible for applications that use remote interactive logons to bypass this setting.
- 1
@@ -51006,7 +57328,10 @@ It is possible for applications that use remote interactive logons to bypass thi
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Accounts: Limit local account use of blank passwords to console logon onlyLastWrite
@@ -51016,12 +57341,12 @@ It is possible for applications that use remote interactive logons to bypass thi
+ AdministratorAccounts: Rename administrator account
This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination.
Default: Administrator.
- Administrator
@@ -51035,6 +57360,8 @@ Default: Administrator.
text/plainphone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Accounts: Rename administrator accountLastWrite
@@ -51044,12 +57371,12 @@ Default: Administrator.
+ GuestAccounts: Rename guest account
This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination.
Default: Guest.
- Guest
@@ -51063,6 +57390,8 @@ Default: Guest.
text/plainphone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Accounts: Rename guest accountLastWrite
@@ -51072,6 +57401,7 @@ Default: Guest.
+ 0Devices: Allowed to format and eject removable media
This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to:
@@ -51080,7 +57410,6 @@ Administrators
Administrators and Interactive Users
Default: This policy is not defined and only Administrators have this ability.
- 0
@@ -51094,6 +57423,8 @@ Default: This policy is not defined and only Administrators have this ability.
text/plainphone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Devices: Allowed to format and eject removable mediaLastWrite
@@ -51103,13 +57434,13 @@ Default: This policy is not defined and only Administrators have this ability.
+ 1Devices: Allow undock without having to log on
This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer.
Default: Enabled.
Caution
Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable.
- 1
@@ -51122,7 +57453,10 @@ Disabling this policy may tempt users to try and physically remove the laptop fr
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Devices: Allow undock without having to log onLastWrite
@@ -51132,6 +57466,7 @@ Disabling this policy may tempt users to try and physically remove the laptop fr
+ 0Devices: Prevent users from installing printer drivers when connecting to shared printers
For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer.
@@ -51143,7 +57478,6 @@ Notes
This setting does not affect the ability to add a local printer.
This setting does not affect Administrators.
- 0
@@ -51156,7 +57490,10 @@ This setting does not affect Administrators.
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Devices: Prevent users from installing printer driversLastWrite
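Review bot: The Group Policy name added on the last line, "Devices: Prevent users from installing printer drivers", is shorter than the title this node's description uses, "Devices: Prevent users from installing printer drivers when connecting to shared printers". The other Security Options entries in this change repeat the description title as the mapped name, so either use the full title here or note that the shortened form is the intended one.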
@@ -51166,6 +57503,7 @@ This setting does not affect Administrators.
+ 0Devices: Restrict CD-ROM access to locally logged-on user only
This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously.
@@ -51173,7 +57511,6 @@ This security setting determines whether a CD-ROM is accessible to both local an
If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network.
Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user.
- 0
@@ -51187,6 +57524,245 @@ Default: This policy is not defined and CD-ROM access is not restricted to the l
text/plainphone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Devices: Restrict CD-ROM access to locally logged-on user only
+ LastWrite
+
+
+
+ DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
+
+
+
+
+ 1
+ Domain member: Digitally encrypt or sign secure channel data (always)
+
+This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
+
+Domain member: Digitally encrypt secure channel data (when possible)
+Domain member: Digitally sign secure channel data (when possible)
+
+Default: Enabled.
+
+Notes:
+
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
+Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Domain member: Digitally encrypt or sign secure channel data (always)
+ LastWrite
+
+
+
+ DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
+
+
+
+
+ 1
+ Domain member: Digitally encrypt secure channel data (when possible)
+
+This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.
+
+Default: Enabled.
+
+Important
+
+There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
+
+Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Domain member: Digitally encrypt secure channel data (when possible)
+ LastWrite
+
+
+
+ DomainMember_DigitallySignSecureChannelDataWhenPossible
+
+
+
+
+ 1
+ Domain member: Digitally sign secure channel data (when possible)
+
+This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.
+
+Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Domain member: Digitally sign secure channel data (when possible)
+ LastWrite
+
+
+
+ DomainMember_DisableMachineAccountPasswordChanges
+
+
+
+
+ 0
+ Domain member: Disable machine account password changes
+
+Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.
+
+Default: Disabled.
+
+Notes
+
+This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.
+This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Domain member: Disable machine account password changes
+ LastWrite
+
+
+
+ DomainMember_MaximumMachineAccountPasswordAge
+
+
+
+
+ 30
+ Domain member: Maximum machine account password age
+
+This security setting determines how often a domain member will attempt to change its computer account password.
+
+Default: 30 days.
+
+Important
+
+This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Domain member: Maximum machine account password age
+ LowestValueMostSecure
+
+
+
+ DomainMember_RequireStrongSessionKey
+
+
+
+
+ 1
+ Domain member: Require strong (Windows 2000 or later) session key
+
+This security setting determines whether 128-bit key strength is required for encrypted secure channel data.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on.
+
+Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters:
+
+Domain member: Digitally encrypt or sign secure channel data (always)
+Domain member: Digitally encrypt secure channel data (when possible)
+Some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that is encrypted.
+
+If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key strength is negotiated with the domain controller.
+
+Default: Enabled.
+
+Important
+
+In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later.
+In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Domain member: Require strong (Windows 2000 or later) session keyLastWrite
@@ -51196,11 +57772,11 @@ Default: This policy is not defined and CD-ROM access is not restricted to the l
+ 1Interactive Logon:Display user information when the session is locked
User display name, domain and user names (1)
User display name only (2)
Do not display user information (3)
- 1
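Review bot: The title on the first added line, "Interactive Logon:Display user information when the session is locked", is missing the space after the colon and capitalizes "Logon", unlike the mapped name "Interactive logon: Display user information when the session is locked" added in the following hunk. The description is also only the three option lines with no sentence saying what the setting controls; add one, as the neighbouring Interactive logon entries have.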
@@ -51213,7 +57789,10 @@ Do not display user information (3)
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Display user information when the session is lockedLastWrite
@@ -51223,6 +57802,7 @@ Do not display user information (3)
+ 0Interactive logon: Don't display last signed-in
This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC.
If this policy is enabled, the username will not be shown.
@@ -51230,7 +57810,6 @@ If this policy is enabled, the username will not be shown.
If this policy is disabled, the username will be shown.
Default: Disabled.
- 0
@@ -51243,7 +57822,10 @@ Default: Disabled.
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Don't display last signed-inLastWrite
@@ -51253,6 +57835,7 @@ Default: Disabled.
+ 1Interactive logon: Don't display username at sign-in
This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown.
If this policy is enabled, the username will not be shown.
@@ -51260,7 +57843,6 @@ If this policy is enabled, the username will not be shown.
If this policy is disabled, the username will be shown.
Default: Disabled.
- 1
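Review bot: The default value of 1 for "Interactive logon: Don't display username at sign-in" (removed here as "- 1" and re-added ahead of the description in the previous hunk) sits next to a description that ends "Default: Disabled." The sibling setting "Interactive logon: Don't display last signed-in" pairs "Default: Disabled." with a default of 0. Please confirm which of the two is correct for this node and make the value and the text agree.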
@@ -51273,7 +57855,10 @@ Default: Disabled.
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Don't display username at sign-inLastWrite
@@ -51283,6 +57868,7 @@ Default: Disabled.
+ 1Interactive logon: Do not require CTRL+ALT+DEL
This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.
@@ -51293,7 +57879,6 @@ If this policy is disabled, any user is required to press CTRL+ALT+DEL before lo
Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier.
Default on stand-alone computers: Enabled.
- 1
@@ -51306,7 +57891,10 @@ Default on stand-alone computers: Enabled.
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Do not require CTRL+ALT+DELLastWrite
@@ -51316,12 +57904,12 @@ Default on stand-alone computers: Enabled.
+ 0Interactive logon: Machine inactivity limit.
Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
Default: not enforced.
- 0
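Review bot: The description for "Interactive logon: Machine inactivity limit" never states the unit of the limit or that the default of 0 corresponds to "Default: not enforced". Someone setting this through MDM supplies a bare integer, so add the unit and spell out the meaning of 0 in the description.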
@@ -51334,7 +57922,10 @@ Default: not enforced.
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Machine inactivity limitLastWrite
@@ -51344,6 +57935,7 @@ Default: not enforced.
+ Interactive logon: Message text for users attempting to log on
This security setting specifies a text message that is displayed to users when they log on.
@@ -51351,7 +57943,6 @@ This security setting specifies a text message that is displayed to users when t
This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
Default: No message.
-
@@ -51365,6 +57956,8 @@ Default: No message.
text/plainphone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Message text for users attempting to log onLastWrite0xF000
@@ -51375,12 +57968,12 @@ Default: No message.
+ Interactive logon: Message title for users attempting to log on
This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on.
Default: No message.
-
@@ -51394,23 +57987,40 @@ Default: No message.
text/plainphone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Message title for users attempting to log onLastWrite
- NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
+ InteractiveLogon_SmartCardRemovalBehavior
- Network access: Restrict clients allowed to make remote calls to SAM
+ 0
+ Interactive logon: Smart card removal behavior
-This policy setting allows you to restrict remote rpc connections to SAM.
+This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
-If not selected, the default security descriptor will be used.
+The options are:
-This policy is supported on at least Windows Server 2016.
-
+ No Action
+ Lock Workstation
+ Force Logoff
+ Disconnect if a Remote Desktop Services session
+
+If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
+
+If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed.
+
+If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation.
+
+Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
+
+Default: This policy is not defined, which means that the system treats it as No action.
+
+On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.
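Review bot: The option list for InteractiveLogon_SmartCardRemovalBehavior (No Action, Lock Workstation, Force Logoff, Disconnect if a Remote Desktop Services session) gives no numeric values, although the node has a default of 0 and is set as a number. Add the value for each option, in the same way the "Display user information when the session is locked" entry lists (1), (2) and (3). The text also switches between "No Action" in the list and "No action" in the Default line; pick one.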
@@ -51424,19 +58034,41 @@ This policy is supported on at least Windows Server 2016.
text/plainphone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Smart card removal behaviorLastWrite
- NetworkSecurity_AllowPKU2UAuthenticationRequests
+ MicrosoftNetworkClient_DigitallySignCommunicationsAlways
- Network security: Allow PKU2U authentication requests to this computer to use online identities.
+ 0
+ Microsoft network client: Digitally sign communications (always)
-This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine.
- 1
+This security setting determines whether packet signing is required by the SMB client component.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
+
+If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
+
+Default: Disabled.
+
+Important
+
+For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees).
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
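Review bot: Please confirm that NetworkSecurity_AllowPKU2UAuthenticationRequests, whose name, description and default of 1 are deleted at the top of this hunk, is re-added elsewhere in the file, because nothing in this hunk replaces it. In the new MicrosoftNetworkClient_DigitallySignCommunicationsAlways description, the Notes section runs the four policy names and the performance sentence together as consecutive lines; separate the list from the sentence that follows it. Also consider whether the "Important" paragraph about computers running Windows 2000 still belongs in this description.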
@@ -51449,16 +58081,579 @@ This policy will be turned off by default on domain joined machines. This would
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Microsoft network client: Digitally sign communications (always)LastWrite
+
+ MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
+
+
+
+
+ 1
+ Microsoft network client: Digitally sign communications (if server agrees)
+
+This security setting determines whether the SMB client attempts to negotiate SMB packet signing.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server.
+
+If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.
+
+Default: Enabled.
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Microsoft network client: Digitally sign communications (if server agrees)
+ LastWrite
+
+
+
+ MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
+
+
+
+
+ 0
+ Microsoft network client: Send unencrypted password to connect to third-party SMB servers
+
+If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.
+
+Sending unencrypted passwords is a security risk.
+
+Default: Disabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Microsoft network client: Send unencrypted password to third-party SMB servers
+ LastWrite
+
+
+
+ MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
+
+
+
+
+ 15
+ Microsoft network server: Amount of idle time required before suspending a session
+
+This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.
+
+Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.
+
+For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.
+
+Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Microsoft network server: Amount of idle time required before suspending session
+ LowestValueMostSecure
+
+
+
+ MicrosoftNetworkServer_DigitallySignCommunicationsAlways
+
+
+
+
+ 0
+ Microsoft network server: Digitally sign communications (always)
+
+This security setting determines whether packet signing is required by the SMB server component.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted.
+
+If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server.
+
+Default:
+
+Disabled for member servers.
+Enabled for domain controllers.
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
+If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
+
+Important
+
+For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy:
+Microsoft network server: Digitally sign communications (if server agrees)
+
+For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server:
+HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Microsoft network server: Digitally sign communications (always)
+ LastWrite
+
+
+
+ MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
+
+
+
+
+ 0
+ Microsoft network server: Digitally sign communications (if client agrees)
+
+This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it.
+
+If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.
+
+Default: Enabled on domain controllers only.
+
+Important
+
+For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Microsoft network server: Digitally sign communications (if client agrees)
+ LastWrite
+
+
+
+ NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
+
+
+
+
+ 1
+ Network access: Do not allow anonymous enumeration of SAM accounts
+
+This security setting determines what additional permissions will be granted for anonymous connections to the computer.
+
+Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.
+
+This security option allows additional restrictions to be placed on anonymous connections as follows:
+
+Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.
+Disabled: No additional restrictions. Rely on default permissions.
+
+Default on workstations: Enabled.
+Default on server:Enabled.
+
+Important
+
+This policy has no impact on domain controllers.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network access: Do not allow anonymous enumeration of SAM accounts
+ LastWrite
+
+
+
+ NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
+
+
+
+
+ 0
+ Network access: Do not allow anonymous enumeration of SAM accounts and shares
+
+This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.
+
+Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.
+
+Default: Disabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network access: Do not allow anonymous enumeration of SAM accounts and shares
+ LastWrite
+
+
+
+ NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
+
+
+
+
+ 1
+ Network access: Restrict anonymous access to Named Pipes and Shares
+
+When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:
+
+Network access: Named pipes that can be accessed anonymously
+Network access: Shares that can be accessed anonymously
+Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network access: Restrict anonymous access to Named Pipes and Shares
+ LastWrite
+
+
+
+ NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
+
+
+
+
+
+ Network access: Restrict clients allowed to make remote calls to SAM
+
+This policy setting allows you to restrict remote rpc connections to SAM.
+
+If not selected, the default security descriptor will be used.
+
+This policy is supported on at least Windows Server 2016.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network access: Restrict clients allowed to make remote calls to SAM
+ LastWrite
+
+
+
+ NetworkSecurity_AllowPKU2UAuthenticationRequests
+
+
+
+
+ 1
+ Network security: Allow PKU2U authentication requests to this computer to use online identities.
+
+This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network security: Allow PKU2U authentication requests to this computer to use online identities.
+ LastWrite
+
+
+
+ NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
+
+
+
+
+ 1
+ Network security: Do not store LAN Manager hash value on next password change
+
+This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked.
+
+
+Default on Windows Vista and above: Enabled
+Default on Windows XP: Disabled.
+
+Important
+
+Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.
+This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network security: Do not store LAN Manager hash value on next password change
+ LastWrite
+
+
+
+ NetworkSecurity_LANManagerAuthenticationLevel
+
+
+
+
+ 0
+ Network security LAN Manager authentication level
+
+This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:
+
+Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).
+
+Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).
+
+Important
+
+This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM.
+
+Default:
+
+Windows 2000 and windows XP: send LM and NTLM responses
+
+Windows Server 2003: Send NTLM response only
+
+Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network security: LAN Manager authentication level
+ HighestValueMostSecure
+
+
+
+ NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
+
+
+
+
+ 0
+ Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
+
+This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
+
+Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated.
+Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.
+
+Default:
+
+Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
+
+Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
+ HighestValueMostSecure
+
+
+
+ NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
+
+
+
+
+ 0
+ Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
+
+This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
+
+Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.
+Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated.
+
+Default:
+
+Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
+
+Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
+ HighestValueMostSecure
+
+ Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
+ 1Shutdown: Allow system to be shut down without having to log on
This security setting determines whether a computer can be shut down without having to log on to Windows.
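Review bot: Two of the server-side signing descriptions added in this hunk point at the wrong component. Under "Microsoft network server: Digitally sign communications (if client agrees)", the sentence "If this policy is disabled, the SMB client will never negotiate SMB packet signing" should refer to the SMB server. Under "Microsoft network server: Digitally sign communications (always)", the "Important" paragraph names "Microsoft network server: Digitally sign communications (if server agrees)", which is not one of the four settings listed in the notes; it should read "(if client agrees)". In the same "(always)" notes, "Similarly, if client-side SMB signing is required..." has no preceding sentence to be similar to, so either restore the missing sentence or drop "Similarly". Smaller consistency points: "Require NTLMv2 session security" is explained as "if NTLMv2 protocol is not negotiated" for clients but "if message integrity is not negotiated" for servers; "Network security LAN Manager authentication level" is missing its colon; "Default:This" and "Default on server:Enabled." are missing a space; and the titles "Send unencrypted password to connect to third-party SMB servers" and "Amount of idle time required before suspending a session" do not match the names given at the end of their entries.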
@@ -51469,7 +58664,6 @@ When this policy is disabled, the option to shut down the computer does not appe
Default on workstations: Enabled.
Default on servers: Disabled.
- 1
@@ -51482,7 +58676,10 @@ Default on servers: Disabled.
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Shutdown: Allow system to be shut down without having to log onLastWrite
@@ -51492,6 +58689,7 @@ Default on servers: Disabled.
+ 0Shutdown: Clear virtual memory pagefile
This security setting determines whether the virtual memory pagefile is cleared when the system is shut down.
@@ -51501,7 +58699,6 @@ Virtual memory support uses a system pagefile to swap pages of memory to disk wh
When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled.
Default: Disabled.
- 0
@@ -51514,7 +58711,10 @@ Default: Disabled.
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Shutdown: Clear virtual memory pagefileLastWrite
@@ -51524,6 +58724,7 @@ Default: Disabled.
+ 0User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.
This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
@@ -51531,7 +58732,6 @@ This policy setting controls whether User Interface Accessibility (UIAccess or U
• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.
- 0
@@ -51544,7 +58744,10 @@ This policy setting controls whether User Interface Accessibility (UIAccess or U
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktopLastWrite
@@ -51554,6 +58757,7 @@ This policy setting controls whether User Interface Accessibility (UIAccess or U
+ 5User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
This policy setting controls the behavior of the elevation prompt for administrators.
@@ -51571,7 +58775,6 @@ The options are:
• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
- 5
@@ -51584,7 +58787,10 @@ The options are:
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Behavior of the elevation prompt for administrators in Admin Approval ModeLastWrite
@@ -51594,6 +58800,7 @@ The options are:
+ 3User Account Control: Behavior of the elevation prompt for standard users
This policy setting controls the behavior of the elevation prompt for standard users.
@@ -51604,7 +58811,6 @@ The options are:
• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
- 3
@@ -51619,6 +58825,8 @@ The options are:
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Behavior of the elevation prompt for standard usersLastWrite
@@ -51628,6 +58836,7 @@ The options are:
+ 1User Account Control: Detect application installations and prompt for elevation
This policy setting controls the behavior of application installation detection for the computer.
@@ -51637,7 +58846,6 @@ The options are:
Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
- 1
@@ -51650,7 +58858,10 @@ Disabled: Application installation packages are not detected and prompted for el
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Detect application installations and prompt for elevationLastWrite
@@ -51660,6 +58871,7 @@ Disabled: Application installation packages are not detected and prompted for el
+ 0User Account Control: Only elevate executable files that are signed and validated
This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
@@ -51669,7 +58881,6 @@ The options are:
• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run.
• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.
- 0
@@ -51682,7 +58893,10 @@ The options are:
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Only elevate executables that are signed and validatedLastWrite
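Review bot: The name added here, "User Account Control: Only elevate executables that are signed and validated", does not match the title used for the same entry, "User Account Control: Only elevate executable files that are signed and validated". Confirm which string is the actual Security Options name and use it in both places so the entry can be found by either.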
@@ -51692,6 +58906,7 @@ The options are:
+ 1User Account Control: Only elevate UIAccess applications that are installed in secure locations
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
@@ -51707,7 +58922,6 @@ The options are:
• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
- 1
@@ -51720,7 +58934,10 @@ The options are:
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Only elevate UIAccess applications that are installed in secure locationsLastWrite
@@ -51730,6 +58947,7 @@ The options are:
+ 1User Account Control: Turn on Admin Approval Mode
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
@@ -51739,7 +58957,6 @@ The options are:
• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
- 1
@@ -51752,7 +58969,10 @@ The options are:
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Run all administrators in Admin Approval ModeLastWrite
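Review bot: "User Account Control: Run all administrators in Admin Approval Mode" is added as the name for an entry whose title reads "User Account Control: Turn on Admin Approval Mode". A reader searching for one will not find the other; align the two, or mention the alternate name in the description.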
@@ -51762,6 +58982,7 @@ The options are:
+ 1User Account Control: Switch to the secure desktop when prompting for elevation
This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
@@ -51771,7 +58992,6 @@ The options are:
• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
- 1
@@ -51784,7 +59004,10 @@ The options are:
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Switch to the secure desktop when prompting for elevationLastWrite
@@ -51794,6 +59017,7 @@ The options are:
+ 0User Account Control: Use Admin Approval Mode for the built-in Administrator account
This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.
@@ -51803,7 +59027,6 @@ The options are:
• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege.
- 0
@@ -51816,7 +59039,10 @@ The options are:
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Admin Approval Mode for the Built-in Administrator accountLastWrite
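Review bot: The name added here drops "Use" and capitalises "Built-in" ("User Account Control: Admin Approval Mode for the Built-in Administrator account"), while the entry's title is "User Account Control: Use Admin Approval Mode for the built-in Administrator account". Make the wording and casing match.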
@@ -51826,6 +59052,7 @@ The options are:
+ 1User Account Control: Virtualize file and registry write failures to per-user locations
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
@@ -51835,7 +59062,6 @@ The options are:
• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
• Disabled: Applications that write data to protected locations fail.
- 1
@@ -51848,7 +59074,10 @@ The options are:
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Virtualize file and registry write failures to per-user locationsLastWrite
@@ -51878,8 +59107,8 @@ The options are:
- 0
+
@@ -51892,6 +59121,10 @@ The options are:
text/plain
+
+ LocationProviderAdm.admx
+ LocationProviderAdm~AT~LocationAndSensors~WindowsLocationProvider
+ DisableWindowsLocationProvider_1LastWrite
@@ -51921,8 +59154,8 @@ The options are:
- 1
+
@@ -51937,6 +59170,9 @@ The options are:
phone
+ EdgeUI.admx
+ EdgeUI~AT~WindowsComponents~EdgeUI
+ AllowEdgeSwipeLowestValueMostSecure
@@ -51966,8 +59202,8 @@ The options are:
- 65535
+
@@ -51990,8 +59226,8 @@ The options are:
- 65535
+
@@ -52005,6 +59241,9 @@ The options are:
text/plain
+ WinMaps.admx
+ WinMaps~AT~WindowsComponents~Maps
+ TurnOffAutoUpdateLastWrite
@@ -52034,8 +59273,8 @@ The options are:
- This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services.1
+ This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services.
@@ -52048,6 +59287,10 @@ The options are:
text/plain
+
+ messaging.admx
+ messaging~AT~WindowsComponents~Messaging_Category
+ AllowMessageSyncLowestValueMostSecure
@@ -52057,8 +59300,8 @@ The options are:
- This policy setting allows you to enable or disable the sending and receiving cellular MMS messages.1
+ This policy setting allows you to enable or disable the sending and receiving cellular MMS messages.
@@ -52071,6 +59314,7 @@ The options are:
text/plain
+ desktopLowestValueMostSecure
@@ -52081,8 +59325,8 @@ The options are:
- This policy setting allows you to enable or disable the sending and receiving of cellular RCS (Rich Communication Services) messages.1
+ This policy setting allows you to enable or disable the sending and receiving of cellular RCS (Rich Communication Services) messages.
@@ -52095,11 +59339,295 @@ The options are:
text/plain
+ desktopLowestValueMostSecure
+
+ MSSecurityGuide
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ApplyUACRestrictionsToLocalAccountsOnNetworkLogon
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ SecGuide.admx
+ SecGuide~AT~Cat_SecGuide
+ Pol_SecGuide_0201_LATFP
+ LastWrite
+
+
+
+ ConfigureSMBV1ClientDriver
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ SecGuide.admx
+ SecGuide~AT~Cat_SecGuide
+ Pol_SecGuide_0002_SMBv1_ClientDriver
+ LastWrite
+
+
+
+ ConfigureSMBV1Server
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ SecGuide.admx
+ SecGuide~AT~Cat_SecGuide
+ Pol_SecGuide_0001_SMBv1_Server
+ LastWrite
+
+
+
+ EnableStructuredExceptionHandlingOverwriteProtection
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ SecGuide.admx
+ SecGuide~AT~Cat_SecGuide
+ Pol_SecGuide_0102_SEHOP
+ LastWrite
+
+
+
+ WDigestAuthentication
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ SecGuide.admx
+ SecGuide~AT~Cat_SecGuide
+ Pol_SecGuide_0202_WDigestAuthn
+ LastWrite
+
+
+
+
+ MSSLegacy
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AllowICMPRedirectsToOverrideOSPFGeneratedRoutes
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ mss-legacy.admx
+ Mss-legacy~AT~Cat_MSS
+ Pol_MSS_EnableICMPRedirect
+ LastWrite
+
+
+
+ AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ mss-legacy.admx
+ Mss-legacy~AT~Cat_MSS
+ Pol_MSS_NoNameReleaseOnDemand
+ LastWrite
+
+
+
+ IPSourceRoutingProtectionLevel
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ mss-legacy.admx
+ Mss-legacy~AT~Cat_MSS
+ Pol_MSS_DisableIPSourceRouting
+ LastWrite
+
+
+
+ IPv6SourceRoutingProtectionLevel
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ mss-legacy.admx
+ Mss-legacy~AT~Cat_MSS
+ Pol_MSS_DisableIPSourceRoutingIPv6
+ LastWrite
+
+
+ NetworkIsolation
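Review bot: The new MSSecurityGuide and MSSLegacy nodes in this hunk (ApplyUACRestrictionsToLocalAccountsOnNetworkLogon, ConfigureSMBV1ClientDriver, ConfigureSMBV1Server, EnableStructuredExceptionHandlingOverwriteProtection, WDigestAuthentication, and the four Mss-legacy entries) are added with no description text, while the messaging nodes just above each carry a one-sentence description. These are hardening settings that an administrator will look up by name, so each should state what enabling or disabling it does. All nine are also tagged LastWrite; please confirm that last-write-wins is intended for settings such as ConfigureSMBV1Server and WDigestAuthentication, where a later write can replace a stricter value set earlier.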
@@ -52125,8 +59653,8 @@ The options are:
-
+
@@ -52139,6 +59667,10 @@ The options are:
text/plain
+ NetworkIsolation.admx
+ WF_NetIsolation_EnterpriseCloudResourcesBox
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_EnterpriseCloudResourcesLastWrite
@@ -52148,8 +59680,8 @@ The options are:
-
+
@@ -52162,6 +59694,10 @@ The options are:
text/plain
+ NetworkIsolation.admx
+ WF_NetIsolation_Intranet_ProxiesBox
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_Intranet_ProxiesLastWrite
@@ -52171,8 +59707,8 @@ The options are:
-
+
@@ -52185,6 +59721,10 @@ The options are:
text/plain
+ NetworkIsolation.admx
+ WF_NetIsolation_PrivateSubnetBox
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_PrivateSubnetLastWrite
@@ -52194,8 +59734,8 @@ The options are:
- 0
+
@@ -52208,6 +59748,10 @@ The options are:
text/plain
+
+ NetworkIsolation.admx
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_Authoritative_SubnetLastWrite
@@ -52217,8 +59761,8 @@ The options are:
-
+
@@ -52240,8 +59784,8 @@ The options are:
-
+
@@ -52254,6 +59798,10 @@ The options are:
text/plain
+ NetworkIsolation.admx
+ WF_NetIsolation_Domain_ProxiesBox
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_Domain_ProxiesLastWrite
@@ -52263,8 +59811,8 @@ The options are:
- 0
+
@@ -52277,6 +59825,10 @@ The options are:
text/plain
+
+ NetworkIsolation.admx
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_Authoritative_ProxiesLastWrite
@@ -52286,8 +59838,8 @@ The options are:
-
+
@@ -52300,10 +59852,61 @@ The options are:
text/plain
+ NetworkIsolation.admx
+ WF_NetIsolation_NeutralResourcesBox
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_NeutralResourcesLastWrite
+
+ Notifications
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DisallowCloudNotification
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ WPN.admx
+ WPN~AT~StartMenu~NotificationsCategory
+ NoCloudNotification
+ LowestValueMostSecure
+
+
+ Power
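Review bot: DisallowCloudNotification is added with 0 as its only visible value and LowestValueMostSecure as its conflict rule, which looks inverted for a policy whose name is phrased as a prohibition. If 1 means cloud notifications are blocked, as the name and the NoCloudNotification mapping in WPN.admx suggest, the restrictive value is the higher one and this rule would resolve a conflict toward 0. Please verify the value semantics and switch to HighestValueMostSecure if that is the case; the node also has no description that would settle the question for a reader.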
@@ -52323,14 +59926,41 @@ The options are:
+
+ AllowStandbyStatesWhenSleepingOnBattery
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ power.admx
+ Power~AT~System~PowerManagementCat~PowerSleepSettingsCat
+ AllowStandbyStatesDC_2
+ LastWrite
+
+ AllowStandbyWhenSleepingPluggedIn
-
+
@@ -52356,8 +59986,8 @@ The options are:
-
+
@@ -52383,8 +60013,8 @@ The options are:
-
+
@@ -52410,8 +60040,8 @@ The options are:
-
+
@@ -52437,8 +60067,8 @@ The options are:
-
+
@@ -52464,8 +60094,8 @@ The options are:
-
+
@@ -52491,8 +60121,8 @@ The options are:
-
+
@@ -52518,8 +60148,8 @@ The options are:
-
+
@@ -52545,8 +60175,8 @@ The options are:
-
+
@@ -52592,8 +60222,8 @@ The options are:
-
+
@@ -52619,8 +60249,8 @@ The options are:
-
+
@@ -52666,8 +60296,8 @@ The options are:
- 0
+
@@ -52690,8 +60320,8 @@ The options are:
- 1
+
@@ -52706,6 +60336,9 @@ The options are:
10.0.10240
+ Globalization.admx
+ Globalization~AT~ControlPanel~RegionalOptions
+ AllowInputPersonalizationLowestValueMostSecure
@@ -52715,8 +60348,8 @@ The options are:
- 65535
+
@@ -52730,6 +60363,9 @@ The options are:
text/plain
+ UserProfiles.admx
+ UserProfiles~AT~System~UserProfiles
+ DisableAdvertisingIdLowestValueMostSecureZeroHasNoLimits
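Review bot: The conflict rule on this node, LowestValueMostSecureZeroHasNoLimits, reads as a rule for numeric limits in which 0 means unlimited, yet the ADMX policy it is mapped to, DisableAdvertisingId in UserProfiles.admx, reads as an on/off toggle. Please confirm this rule is the intended one for the node and not carried over from a neighbouring entry; if the value is a plain 0/1 switch, one of the plain LowestValueMostSecure or HighestValueMostSecure rules used elsewhere in this patch would be easier to reason about.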
@@ -52739,8 +60375,8 @@ The options are:
- Enables ActivityFeed, which is responsible for mirroring different activity types (as applicable) across device graph of the user.1
+ Enables ActivityFeed, which is responsible for mirroring different activity types (as applicable) across device graph of the user.
@@ -52754,6 +60390,9 @@ The options are:
text/plain
+ OSPolicy.admx
+ OSPolicy~AT~System~PolicyPolicies
+ EnableActivityFeedHighestValueMostSecure
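Review bot: EnableActivityFeed is tagged HighestValueMostSecure, which pairs an enabling policy with a rule that prefers the larger value. The description in the preceding hunk says the policy "Enables ActivityFeed, which is responsible for mirroring different activity types (as applicable) across device graph of the user", and the 1 dropped from the end of that line suggests 1 is the enabled state. If so, a conflict would resolve toward turning cross-device mirroring on. Please check whether LowestValueMostSecure was meant, or document why the higher value is the safer one.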
@@ -52763,8 +60402,8 @@ The options are:
- This policy setting specifies whether Windows apps can access account information.0
+ This policy setting specifies whether Windows apps can access account information.
@@ -52777,6 +60416,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessAccountInfo_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessAccountInfoHighestValueMostSecure
@@ -52786,8 +60430,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
@@ -52800,6 +60444,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessAccountInfo_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessAccountInfoLastWrite;
@@ -52810,8 +60458,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
@@ -52824,6 +60472,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessAccountInfo_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessAccountInfoLastWrite;
@@ -52834,8 +60486,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
@@ -52848,6 +60500,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessAccountInfo_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessAccountInfoLastWrite;
@@ -52858,8 +60514,8 @@ The options are:
- This policy setting specifies whether Windows apps can access the calendar.0
+ This policy setting specifies whether Windows apps can access the calendar.
@@ -52872,6 +60528,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessCalendar_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCalendarHighestValueMostSecure
@@ -52881,8 +60542,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
@@ -52895,6 +60556,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCalendar_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCalendarLastWrite;
@@ -52905,8 +60570,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
@@ -52919,6 +60584,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCalendar_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCalendarLastWrite;
@@ -52929,8 +60598,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
@@ -52943,6 +60612,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCalendar_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCalendarLastWrite;
@@ -52953,8 +60626,8 @@ The options are:
- This policy setting specifies whether Windows apps can access call history.0
+ This policy setting specifies whether Windows apps can access call history.
@@ -52967,6 +60640,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessCallHistory_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCallHistoryHighestValueMostSecure
@@ -52976,8 +60654,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
@@ -52990,6 +60668,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCallHistory_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCallHistoryLastWrite;
@@ -53000,8 +60682,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
@@ -53014,6 +60696,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCallHistory_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCallHistoryLastWrite;
@@ -53024,8 +60710,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
@@ -53038,6 +60724,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCallHistory_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCallHistoryLastWrite;
@@ -53048,8 +60738,8 @@ The options are:
- This policy setting specifies whether Windows apps can access the camera.0
+ This policy setting specifies whether Windows apps can access the camera.
@@ -53062,6 +60752,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessCamera_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCameraHighestValueMostSecure
@@ -53071,8 +60766,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -53085,6 +60780,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCamera_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCameraLastWrite;
@@ -53095,8 +60794,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -53109,6 +60808,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCamera_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCameraLastWrite;
@@ -53119,8 +60822,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -53133,6 +60836,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCamera_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCameraLastWrite;
@@ -53143,8 +60850,8 @@ The options are:
- This policy setting specifies whether Windows apps can access contacts.0
+ This policy setting specifies whether Windows apps can access contacts.
@@ -53157,6 +60864,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessContacts_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessContactsHighestValueMostSecure
@@ -53166,8 +60878,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -53180,6 +60892,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessContacts_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessContactsLastWrite;
@@ -53190,8 +60906,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -53204,6 +60920,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessContacts_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessContactsLastWrite;
@@ -53214,8 +60934,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -53228,6 +60948,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessContacts_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessContactsLastWrite;
@@ -53238,8 +60962,8 @@ The options are:
- This policy setting specifies whether Windows apps can access email.0
+ This policy setting specifies whether Windows apps can access email.
@@ -53252,6 +60976,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessEmail_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessEmailHighestValueMostSecure
@@ -53261,8 +60990,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -53275,6 +61004,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessEmail_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessEmailLastWrite;
@@ -53285,8 +61018,88 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessEmail_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessEmail
+ LastWrite
+ ;
+
+
+
+ LetAppsAccessEmail_UserInControlOfTheseApps
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessEmail_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessEmail
+ LastWrite
+ ;
+
+
+
+ LetAppsAccessGazeInput
+
+
+
+
+ 0
+ This policy setting specifies whether Windows apps can access the eye tracker.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ LetAppsAccessGazeInput_ForceAllowTheseApps
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
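Review bot: LetAppsAccessGazeInput is added without the ADMX mapping lines that the other LetAppsAccess* nodes in this patch receive; after text/plain only HighestValueMostSecure appears, where LetAppsAccessEmail_ForceDenyTheseApps just above gets AppPrivacy.admx, its *_List element and AppPrivacy~AT~WindowsComponents~AppPrivacy. If there is no Group Policy counterpart for the eye tracker setting yet, note that in the commit message; otherwise add the mapping so the new node is consistent with its siblings.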
@@ -53304,13 +61117,37 @@ The options are:
- LetAppsAccessEmail_UserInControlOfTheseApps
+ LetAppsAccessGazeInput_ForceDenyTheseApps
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ LastWrite
+ ;
+
+
+
+ LetAppsAccessGazeInput_UserInControlOfTheseApps
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
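Review bot: The added descriptions for LetAppsAccessGazeInput_ForceDenyTheseApps and LetAppsAccessGazeInput_UserInControlOfTheseApps say "Windows Store Apps", while the rest of this patch rewrites that phrase to "Microsoft Store Apps" (for example in the LetAppsAccessEmail and LetAppsAccessCamera list descriptions). Use "Microsoft Store Apps" in these new lines too, so the rename does not have to be repeated in a follow-up.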
@@ -53333,8 +61170,8 @@ The options are:
- This policy setting specifies whether Windows apps can access location.0
+ This policy setting specifies whether Windows apps can access location.
@@ -53347,6 +61184,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessLocation_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessLocationHighestValueMostSecure
@@ -53356,8 +61198,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -53370,6 +61212,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessLocation_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessLocationLastWrite;
@@ -53380,8 +61226,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -53394,6 +61240,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessLocation_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessLocationLastWrite;
@@ -53404,8 +61254,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -53418,6 +61268,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessLocation_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessLocationLastWrite;
@@ -53428,8 +61282,8 @@ The options are:
- This policy setting specifies whether Windows apps can read or send messages (text or MMS).0
+ This policy setting specifies whether Windows apps can read or send messages (text or MMS).
@@ -53442,6 +61296,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessMessaging_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMessagingHighestValueMostSecure
@@ -53451,8 +61310,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -53465,6 +61324,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMessaging_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMessagingLastWrite;
@@ -53475,8 +61338,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -53489,6 +61352,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMessaging_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMessagingLastWrite;
@@ -53499,8 +61366,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -53513,6 +61380,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMessaging_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMessagingLastWrite;
@@ -53523,8 +61394,8 @@ The options are:
- This policy setting specifies whether Windows apps can access the microphone.0
+ This policy setting specifies whether Windows apps can access the microphone.
@@ -53537,6 +61408,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessMicrophone_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMicrophoneHighestValueMostSecure
@@ -53546,8 +61422,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -53560,6 +61436,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMicrophone_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMicrophoneLastWrite;
@@ -53570,8 +61450,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -53584,6 +61464,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMicrophone_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMicrophoneLastWrite;
@@ -53594,8 +61478,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -53608,6 +61492,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMicrophone_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMicrophoneLastWrite;
@@ -53618,8 +61506,8 @@ The options are:
- This policy setting specifies whether Windows apps can access motion data.0
+ This policy setting specifies whether Windows apps can access motion data.
@@ -53632,6 +61520,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessMotion_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMotionHighestValueMostSecure
@@ -53641,8 +61534,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -53655,6 +61548,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMotion_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMotionLastWrite;
@@ -53665,8 +61562,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -53679,6 +61576,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMotion_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMotionLastWrite;
@@ -53689,8 +61590,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -53703,6 +61604,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMotion_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMotionLastWrite;
@@ -53713,8 +61618,8 @@ The options are:
- This policy setting specifies whether Windows apps can access notifications.0
+ This policy setting specifies whether Windows apps can access notifications.
@@ -53727,6 +61632,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessNotifications_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessNotificationsHighestValueMostSecure
@@ -53736,8 +61646,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -53750,6 +61660,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessNotifications_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessNotificationsLastWrite;
@@ -53760,8 +61674,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -53774,6 +61688,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessNotifications_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessNotificationsLastWrite;
@@ -53784,8 +61702,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -53798,6 +61716,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessNotifications_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessNotificationsLastWrite;
@@ -53808,8 +61730,8 @@ The options are:
- This policy setting specifies whether Windows apps can make phone calls0
+ This policy setting specifies whether Windows apps can make phone calls
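Review bot: The rewritten description "This policy setting specifies whether Windows apps can make phone calls" still has no terminal period, unlike the sibling descriptions for motion, notifications, radios and tasks that this patch rewrites in the same way. Since the line is being touched anyway, add the period here.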
@@ -53822,6 +61744,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessPhone_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessPhoneHighestValueMostSecure
@@ -53831,8 +61758,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -53845,6 +61772,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessPhone_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessPhoneLastWrite;
@@ -53855,8 +61786,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -53869,6 +61800,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessPhone_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessPhoneLastWrite;
@@ -53879,8 +61814,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -53893,6 +61828,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessPhone_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessPhoneLastWrite;
@@ -53903,8 +61842,8 @@ The options are:
- This policy setting specifies whether Windows apps have access to control radios.0
+ This policy setting specifies whether Windows apps have access to control radios.
@@ -53917,6 +61856,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessRadios_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessRadiosHighestValueMostSecure
@@ -53926,8 +61870,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -53940,6 +61884,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessRadios_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessRadiosLastWrite;
@@ -53950,8 +61898,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -53964,6 +61912,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessRadios_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessRadiosLastWrite;
@@ -53974,8 +61926,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -53988,6 +61940,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessRadios_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessRadiosLastWrite;
@@ -53998,8 +61954,8 @@ The options are:
- This policy setting specifies whether Windows apps can access tasks.0
+ This policy setting specifies whether Windows apps can access tasks.
@@ -54012,6 +61968,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessTasks_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTasksHighestValueMostSecure
@@ -54021,8 +61982,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -54035,6 +61996,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessTasks_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTasksLastWrite;
@@ -54045,8 +62010,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -54059,6 +62024,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessTasks_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTasksLastWrite;
@@ -54069,8 +62038,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -54083,6 +62052,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessTasks_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTasksLastWrite;
@@ -54093,8 +62066,8 @@ The options are:
- This policy setting specifies whether Windows apps can access trusted devices.0
+ This policy setting specifies whether Windows apps can access trusted devices.
@@ -54107,6 +62080,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessTrustedDevices_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTrustedDevicesHighestValueMostSecure
@@ -54116,8 +62094,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -54130,6 +62108,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessTrustedDevices_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTrustedDevicesLastWrite;
@@ -54140,8 +62122,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -54154,6 +62136,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessTrustedDevices_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTrustedDevicesLastWrite;
@@ -54164,8 +62150,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -54178,6 +62164,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTrustedDevicesLastWrite;
@@ -54188,8 +62178,8 @@ The options are:
- This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names.0
+ This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names.
@@ -54202,6 +62192,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsGetDiagnosticInfo_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsGetDiagnosticInfoHighestValueMostSecure
@@ -54211,8 +62206,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
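Review bot: The LetAppsGetDiagnosticInfo list descriptions (and the LetAppsRunInBackground ones after them) say "Package Family Names of Windows apps", while every other LetApps* list description in this patch is changed to "Microsoft Store Apps". The removed and added lines here read the same, so the rename pass skipped these entries; either apply the same term or note why these two policies use a different one.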
@@ -54225,6 +62220,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsGetDiagnosticInfoLastWrite;
@@ -54235,8 +62234,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
@@ -54249,6 +62248,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsGetDiagnosticInfoLastWrite;
@@ -54259,8 +62262,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
@@ -54273,6 +62276,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsGetDiagnosticInfoLastWrite;
@@ -54283,8 +62290,8 @@ The options are:
- This policy setting specifies whether Windows apps can run in the background.0
+ This policy setting specifies whether Windows apps can run in the background.
@@ -54297,6 +62304,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsRunInBackground_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsRunInBackgroundHighestValueMostSecure
@@ -54306,8 +62318,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
@@ -54320,6 +62332,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsRunInBackground_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsRunInBackgroundLastWrite;
@@ -54330,8 +62346,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
@@ -54344,6 +62360,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsRunInBackground_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsRunInBackgroundLastWrite;
@@ -54354,8 +62374,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
@@ -54368,6 +62388,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsRunInBackground_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsRunInBackgroundLastWrite;
@@ -54378,8 +62402,8 @@ The options are:
- This policy setting specifies whether Windows apps can communicate with unpaired wireless devices.0
+ This policy setting specifies whether Windows apps can communicate with unpaired wireless devices.
@@ -54392,6 +62416,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsSyncWithDevices_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsSyncWithDevicesHighestValueMostSecure
@@ -54401,8 +62430,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -54415,6 +62444,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsSyncWithDevices_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsSyncWithDevicesLastWrite;
@@ -54425,8 +62458,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -54439,6 +62472,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsSyncWithDevices_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsSyncWithDevicesLastWrite;
@@ -54449,8 +62486,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -54463,6 +62500,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsSyncWithDevices_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsSyncWithDevicesLastWrite;
@@ -54473,8 +62514,8 @@ The options are:
- Allows apps/system to publish 'User Activities' into ActivityFeed.1
+ Allows apps/system to publish 'User Activities' into ActivityFeed.
@@ -54488,6 +62529,36 @@ The options are:
text/plain
+ OSPolicy.admx
+ OSPolicy~AT~System~PolicyPolicies
+ PublishUserActivities
+ HighestValueMostSecure
+
+
+
+ UploadUserActivities
+
+
+
+
+ 1
+ Allows ActivityFeed to upload published 'User Activities'.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ OSPolicy.admx
+ OSPolicy~AT~System~PolicyPolicies
+ UploadUserActivitiesHighestValueMostSecure
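Review bot: The added UploadUserActivities entry does not say what its values mean: the description is only "Allows ActivityFeed to upload published 'User Activities'." while the default is 1 and the merge rule is HighestValueMostSecure. If 1 means upload is allowed, a highest-value-wins rule resolves conflicting policies toward allowing upload, which is the less restrictive outcome. Please list the supported values in the description and confirm the merge rule, for this entry and for PublishUserActivities at the top of the hunk, which carries the same rule.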
@@ -54517,8 +62588,8 @@ The options are:
-
+
@@ -54544,8 +62615,8 @@ The options are:
-
+
@@ -54571,8 +62642,8 @@ The options are:
-
+
@@ -54598,8 +62669,8 @@ The options are:
-
+
@@ -54645,8 +62716,8 @@ The options are:
-
+
@@ -54672,8 +62743,8 @@ The options are:
-
+
@@ -54699,8 +62770,8 @@ The options are:
-
+
@@ -54726,8 +62797,8 @@ The options are:
-
+
@@ -54753,8 +62824,8 @@ The options are:
-
+
@@ -54780,8 +62851,8 @@ The options are:
-
+
@@ -54827,8 +62898,8 @@ The options are:
-
+
@@ -54854,8 +62925,8 @@ The options are:
-
+
@@ -54881,8 +62952,8 @@ The options are:
-
+
@@ -54908,8 +62979,8 @@ The options are:
-
+
@@ -54935,8 +63006,8 @@ The options are:
-
+
@@ -54962,8 +63033,8 @@ The options are:
-
+
@@ -54989,8 +63060,8 @@ The options are:
-
+
@@ -55016,8 +63087,8 @@ The options are:
-
+
@@ -55043,8 +63114,8 @@ The options are:
-
+
@@ -55070,8 +63141,8 @@ The options are:
-
+
@@ -55097,8 +63168,8 @@ The options are:
-
+
@@ -55124,8 +63195,8 @@ The options are:
-
+
@@ -55151,8 +63222,8 @@ The options are:
-
+
@@ -55178,8 +63249,8 @@ The options are:
-
+
@@ -55205,8 +63276,8 @@ The options are:
-
+
@@ -55252,8 +63323,8 @@ The options are:
-
+
@@ -55279,8 +63350,8 @@ The options are:
-
+
@@ -55326,8 +63397,8 @@ The options are:
-
+
@@ -55353,8 +63424,8 @@ The options are:
-
+
@@ -55380,8 +63451,8 @@ The options are:
-
+
@@ -55407,8 +63478,8 @@ The options are:
-
+
@@ -55434,8 +63505,8 @@ The options are:
-
+
@@ -55461,8 +63532,8 @@ The options are:
-
+
@@ -55488,8 +63559,8 @@ The options are:
-
+
@@ -55510,6 +63581,51 @@ The options are:
+
+ RestrictedGroups
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ConfigureGroupMembership
+
+
+
+
+
+ This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
+Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+ Search
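Review bot: The ConfigureGroupMembership description explains the effect of the policy but not the value format: the node is declared as text/plain with no default, and nothing here says how the group name and its members are encoded. The Caution paragraph states that any member not on the list is removed and that an empty Members list leaves the group with no members, so a malformed or empty value can strip default members such as administrators; the expected syntax belongs in the description. The first paragraph also states the add/remove behaviour twice and could be cut to one statement.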
@@ -55535,8 +63651,8 @@ The options are:
- 2
+
@@ -55549,6 +63665,39 @@ The options are:
text/plain
+
+ Search.admx
+ AllowCloudSearch_Dropdown
+ Search~AT~WindowsComponents~Search
+ AllowCloudSearch
+ LowestValueMostSecure
+
+
+
+ AllowCortanaInAAD
+
+
+
+
+ 0
+ This features allows you to show the cortana opt-in page during Windows Setup
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AllowCortanaInAADLowestValueMostSecure
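Review bot: The description added for AllowCortanaInAAD has a grammar error, inconsistent product casing and no terminal period: "This features allows you to show the cortana opt-in page during Windows Setup". Suggest "This feature allows you to show the Cortana opt-in page during Windows Setup." and, given the default of 0 and LowestValueMostSecure, state which value shows the page.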
@@ -55558,8 +63707,8 @@ The options are:
- 0
+
@@ -55573,6 +63722,9 @@ The options are:
text/plain
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AllowIndexingEncryptedStoresOrItemsLowestValueMostSecure
@@ -55582,8 +63734,8 @@ The options are:
- 1
+
@@ -55597,6 +63749,9 @@ The options are:
text/plain
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AllowSearchToUseLocationLowestValueMostSecure
@@ -55606,8 +63761,8 @@ The options are:
- 1
+
@@ -55630,8 +63785,8 @@ The options are:
- 0
+
@@ -55644,6 +63799,10 @@ The options are:
text/plain
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AllowUsingDiacriticsHighestValueMostSecure
@@ -55653,8 +63812,8 @@ The options are:
- 3
+
@@ -55667,6 +63826,7 @@ The options are:
text/plain
+ LowestValueMostSecure
@@ -55676,8 +63836,8 @@ The options are:
- 0
+
@@ -55690,6 +63850,10 @@ The options are:
text/plain
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AlwaysUseAutoLangDetectionHighestValueMostSecure
@@ -55699,8 +63863,8 @@ The options are:
- 0
+
@@ -55713,6 +63877,10 @@ The options are:
text/plain
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ DisableBackoffHighestValueMostSecure
@@ -55722,8 +63890,8 @@ The options are:
- 0
+
@@ -55736,17 +63904,48 @@ The options are:
text/plain
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ DisableRemovableDriveIndexingHighestValueMostSecure
+
+ DoNotUseWebResults
+
+
+
+
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ DoNotUseWebResults
+ LowestValueMostSecure
+
+ PreventIndexingLowDiskSpaceMB
- 1
+
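Review bot: DoNotUseWebResults is added with a default of 1 and LowestValueMostSecure but with no description at all, so a reader cannot tell which value suppresses web results. If 1 means web results are not used, then the lowest value is the one that leaves them on, and "lowest value most secure" looks inverted for this policy; please add the description with the value meanings and confirm the merge rule. The same hunk also drops the 1 under PreventIndexingLowDiskSpaceMB, which deserves a line in the commit message if it is intentional.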
@@ -55759,6 +63958,10 @@ The options are:
text/plain
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ StopIndexingOnLimitedHardDriveSpaceHighestValueMostSecure
@@ -55768,8 +63971,8 @@ The options are:
- 1
+
@@ -55782,6 +63985,10 @@ The options are:
text/plain
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ PreventRemoteQueriesHighestValueMostSecure
@@ -55791,8 +63998,8 @@ The options are:
- 1
+
@@ -55805,6 +64012,7 @@ The options are:
text/plain
+ desktopHighestValueMostSecure
@@ -55835,8 +64043,8 @@ The options are:
- 1
+
@@ -55859,8 +64067,8 @@ The options are:
- 1
+
@@ -55884,8 +64092,8 @@ The options are:
- 1
+
@@ -55908,8 +64116,8 @@ The options are:
- 1
+
@@ -55933,8 +64141,8 @@ The options are:
- 0
+
@@ -55949,17 +64157,20 @@ The options are:
phone
+ TPM.admx
+ TPM~AT~System~TPMCategory
+ ClearTPMIfNotReady_NameHighestValueMostSecure
- PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
+ ConfigureWindowsPasswords
-
- 0
+ 2
+ Configures the use of passwords for Windows features
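Review bot: ConfigureWindowsPasswords is introduced with a default of 2 and the description "Configures the use of passwords for Windows features", which does not say what 2 or any other value means. Please enumerate the allowed values and their effect in the description, and end the sentence with a period. The hunk also replaces the PreventAutomaticDeviceEncryptionForAzureADJoinedDevices name in place and re-adds that policy in the next hunk, so the diff reads as a rename; a short note in the commit message would help reviewers.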
@@ -55972,6 +64183,32 @@ The options are:
text/plain
+
+ phone
+ LastWrite
+
+
+
+ PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ LastWrite
@@ -55981,8 +64218,8 @@ The options are:
- 0
+
@@ -55995,6 +64232,7 @@ The options are:
text/plain
+ HighestValueMostSecure
@@ -56004,8 +64242,8 @@ The options are:
- 0
+
@@ -56018,6 +64256,7 @@ The options are:
text/plain
+ HighestValueMostSecure
@@ -56027,8 +64266,8 @@ The options are:
- 0
+
@@ -56041,6 +64280,7 @@ The options are:
text/plain
+ HighestValueMostSecure
@@ -56070,8 +64310,8 @@ The options are:
- 1
+
@@ -56095,8 +64335,8 @@ The options are:
- 1
+
@@ -56119,8 +64359,8 @@ The options are:
- 1
+
@@ -56143,8 +64383,8 @@ The options are:
- 1
+
@@ -56167,8 +64407,8 @@ The options are:
- 1
+
@@ -56192,8 +64432,8 @@ The options are:
- 1
+
@@ -56207,6 +64447,10 @@ The options are:
text/plain
+ ControlPanel.admx
+ CheckBox_AllowOnlineTips
+ ControlPanel~AT~ControlPanel
+ AllowOnlineTipsLowestValueMostSecure
@@ -56216,8 +64460,8 @@ The options are:
- 1
+
@@ -56241,8 +64485,8 @@ The options are:
- 1
+
@@ -56266,8 +64510,8 @@ The options are:
- 1
+
@@ -56291,8 +64535,8 @@ The options are:
- 1
+
@@ -56315,8 +64559,8 @@ The options are:
- 1
+
@@ -56340,8 +64584,8 @@ The options are:
- 1
+
@@ -56364,8 +64608,8 @@ The options are:
-
+
@@ -56378,6 +64622,10 @@ The options are:
text/plain
+ ControlPanel.admx
+ SettingsPageVisibilityBox
+ ControlPanel~AT~ControlPanel
+ SettingsPageVisibilityLastWrite
@@ -56407,8 +64655,8 @@ The options are:
- 0
+
@@ -56423,6 +64671,9 @@ The options are:
phone
+ SmartScreen.admx
+ SmartScreen~AT~WindowsComponents~SmartScreen~Shell
+ ConfigureAppInstallControlHighestValueMostSecure
@@ -56432,8 +64683,8 @@ The options are:
- 1
+
@@ -56448,6 +64699,9 @@ The options are:
phone
+ SmartScreen.admx
+ SmartScreen~AT~WindowsComponents~SmartScreen~Shell
+ ShellConfigureSmartScreenHighestValueMostSecure
@@ -56457,8 +64711,8 @@ The options are:
- 0
+
@@ -56473,6 +64727,10 @@ The options are:
phone
+ SmartScreen.admx
+ ShellConfigureSmartScreen_Dropdown
+ SmartScreen~AT~WindowsComponents~SmartScreen~Shell
+ ShellConfigureSmartScreenHighestValueMostSecure
@@ -56502,8 +64760,8 @@ The options are:
- 1
+
@@ -56517,6 +64775,9 @@ The options are:
text/plain
+ Speech.admx
+ Speech~AT~WindowsComponents~Speech
+ AllowSpeechModelUpdateLowestValueMostSecure
@@ -56546,8 +64807,8 @@ The options are:
- This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.65535
+ This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
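Review bot: The only visible change on this line is the removal of the trailing 65535, while the description still documents 65535 as the value meaning "no enforced configuration and the setting can be changed by the user". If that number was the policy's default, the default is no longer recorded in this entry; either keep it or state the default in the description. The same applies to the Downloads, File Explorer and HomeGroup entries in the following hunks.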
@@ -56571,8 +64832,8 @@ The options are:
- This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.65535
+ This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56596,8 +64857,8 @@ The options are:
- This policy controls the visibility of the File Explorer shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.65535
+ This policy controls the visibility of the File Explorer shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56621,8 +64882,8 @@ The options are:
- This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.65535
+ This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56646,8 +64907,8 @@ The options are:
- This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.65535
+ This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56671,8 +64932,8 @@ The options are:
- This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.65535
+ This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56696,8 +64957,8 @@ The options are:
- This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.65535
+ This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56721,8 +64982,8 @@ The options are:
- This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.65535
+ This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56746,8 +65007,8 @@ The options are:
- This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.65535
+ This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56771,8 +65032,8 @@ The options are:
- This policy controls the visibility of the Videos shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.65535
+ This policy controls the visibility of the Videos shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56791,13 +65052,13 @@ The options are:
- ForceStartSize
+ DisableContextMenus
- 0
+ Enabling this policy prevents context menus from being invoked in the Start Menu.
@@ -56810,6 +65071,35 @@ The options are:
text/plain
+
+ phone
+ StartMenu.admx
+ StartMenu~AT~StartMenu
+ DisableContextMenusInStart
+ LowestValueMostSecure
+
+
+
+ ForceStartSize
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phoneLastWrite
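Review bot: DisableContextMenus is tagged LowestValueMostSecure, but its description says enabling the policy is what prevents context menus from being invoked in the Start Menu. If enabled is the higher value, the lowest value is the unrestricted one. Confirm the tag is intended, or use HighestValueMostSecure as the PreventOnedriveFileSync entry in this patch does.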
@@ -56820,8 +65110,8 @@ The options are:
- Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app.0
+ Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app.
@@ -56834,6 +65124,7 @@ The options are:
text/plain
+ phoneLastWrite
@@ -56844,8 +65135,8 @@ The options are:
- Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu.0
+ Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu.
@@ -56868,8 +65159,8 @@ The options are:
- Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app.0
+ Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app.
@@ -56893,8 +65184,8 @@ The options are:
- Enabling this policy hides "Hibernate" from appearing in the power button in the start menu.0
+ Enabling this policy hides "Hibernate" from appearing in the power button in the start menu.
@@ -56917,8 +65208,8 @@ The options are:
- Enabling this policy hides "Lock" from appearing in the user tile in the start menu.0
+ Enabling this policy hides "Lock" from appearing in the user tile in the start menu.
@@ -56941,8 +65232,8 @@ The options are:
- Enabling this policy hides the power button from appearing in the start menu.0
+ Enabling this policy hides the power button from appearing in the start menu.
@@ -56965,8 +65256,8 @@ The options are:
- Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app.0
+ Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app.
@@ -56990,8 +65281,8 @@ The options are:
- Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app.0
+ Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app.
@@ -57006,6 +65297,9 @@ The options are:
phone
+ StartMenu.admx
+ StartMenu~AT~StartMenu
+ HideRecentlyAddedAppsLowestValueMostSecure
@@ -57015,8 +65309,8 @@ The options are:
- Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu.0
+ Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu.
@@ -57039,8 +65333,8 @@ The options are:
- Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu.0
+ Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu.
@@ -57063,8 +65357,8 @@ The options are:
- Enabling this policy hides "Sign out" from appearing in the user tile in the start menu.0
+ Enabling this policy hides "Sign out" from appearing in the user tile in the start menu.
@@ -57087,8 +65381,8 @@ The options are:
- Enabling this policy hides "Sleep" from appearing in the power button in the start menu.0
+ Enabling this policy hides "Sleep" from appearing in the power button in the start menu.
@@ -57111,8 +65405,8 @@ The options are:
- Enabling this policy hides "Switch account" from appearing in the user tile in the start menu.0
+ Enabling this policy hides "Switch account" from appearing in the user tile in the start menu.
@@ -57135,8 +65429,8 @@ The options are:
- Enabling this policy hides the user tile from appearing in the start menu.0
+ Enabling this policy hides the user tile from appearing in the start menu.
@@ -57159,8 +65453,8 @@ The options are:
- This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified.
+ This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified.
@@ -57183,8 +65477,8 @@ The options are:
- This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar.0
+ This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar.
@@ -57208,8 +65502,8 @@ The options are:
-
+
@@ -57223,6 +65517,9 @@ The options are:
text/plainphone
+ StartMenu.admx
+ StartMenu~AT~StartMenu
+ LockedStartLayoutLastWrite
@@ -57252,8 +65549,8 @@ The options are:
- 1
+
@@ -57266,7 +65563,11 @@ The options are:
text/plain
+ phone
+ StorageHealth.admx
+ StorageHealth~AT~System~StorageHealth
+ SH_AllowDiskHealthModelUpdatesLastWrite
@@ -57276,8 +65577,8 @@ The options are:
-
+
@@ -57323,8 +65624,8 @@ The options are:
- 2
+
@@ -57337,6 +65638,10 @@ The options are:
text/plain
+
+ AllowBuildPreview.admx
+ AllowBuildPreview~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ AllowBuildPreviewLowestValueMostSecure
@@ -57346,8 +65651,8 @@ The options are:
- 0
+
@@ -57370,8 +65675,8 @@ The options are:
- 1
+
@@ -57384,6 +65689,7 @@ The options are:
text/plain
+ LowestValueMostSecure
@@ -57393,8 +65699,8 @@ The options are:
- 1
+
@@ -57408,6 +65714,9 @@ The options are:
text/plain
+ GroupPolicy.admx
+ GroupPolicy~AT~Network~NetworkFonts
+ EnableFontProvidersLowestValueMostSecure
@@ -57417,8 +65726,8 @@ The options are:
- 1
+
@@ -57431,6 +65740,10 @@ The options are:
text/plain
+
+ Sensors.admx
+ Sensors~AT~LocationAndSensors
+ DisableLocation_2LowestValueMostSecure
@@ -57440,8 +65753,8 @@ The options are:
- 1
+
@@ -57464,8 +65777,8 @@ The options are:
- 3
+
@@ -57478,6 +65791,11 @@ The options are:
text/plain
+
+ DataCollection.admx
+ AllowTelemetry
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ AllowTelemetryLowestValueMostSecure
@@ -57487,8 +65805,8 @@ The options are:
- 1
+
@@ -57511,8 +65829,8 @@ The options are:
-
+
@@ -57533,36 +65851,13 @@ The options are:
- DisableEnterpriseAuthProxy
+ ConfigureTelemetryOptInChangeNotification
- This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy.
- 0
-
-
-
-
-
-
-
-
-
-
- text/plain
-
- LastWrite
-
-
-
- DisableOneDriveFileSync
-
-
-
-
- This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.0
+
@@ -57576,6 +65871,93 @@ The options are:
text/plain
+ DataCollection.admx
+ ConfigureTelemetryOptInChangeNotification
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ ConfigureTelemetryOptInChangeNotification
+ HighestValueMostSecure
+
+
+
+ ConfigureTelemetryOptInSettingsUx
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DataCollection.admx
+ ConfigureTelemetryOptInSettingsUx
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ ConfigureTelemetryOptInSettingsUx
+ HighestValueMostSecure
+
+
+
+ DisableEnterpriseAuthProxy
+
+
+
+
+ 0
+ This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DataCollection.admx
+ DisableEnterpriseAuthProxy
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ DisableEnterpriseAuthProxy
+ LastWrite
+
+
+
+ DisableOneDriveFileSync
+
+
+
+
+ 0
+ This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Microsoft Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ SkyDrive.admx
+ SkyDrive~AT~WindowsComponents~OneDrive
+ PreventOnedriveFileSyncHighestValueMostSecure
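Review bot: ConfigureTelemetryOptInSettingsUx is added with a value of 0 and HighestValueMostSecure but no description, so a reader cannot tell what 0 or any higher value does. ConfigureTelemetryOptInChangeNotification, whose ADMX mapping opens this hunk, appears to have the same gap. DisableEnterpriseAuthProxy and DisableOneDriveFileSync, re-added just below, both carry a description; add one, with the allowed values, for each of the two new telemetry opt-in policies.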
@@ -57585,8 +65967,8 @@ The options are:
-
+
@@ -57612,31 +65994,8 @@ The options are:
+ 0Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy is not present or set to false, users will be presented with the option to save locally. The default is to not save locally.
- 0
-
-
-
-
-
-
-
-
-
-
- text/plain
-
- LastWrite
-
-
-
- LimitEnhancedDiagnosticDataWindowsAnalytics
-
-
-
-
- This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced) When you configure these policy settings, a Basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: https://go.microsoft.com/fwlink/?linkid=847594. Enabling Enhanced diagnostic data in the Allow Telemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional Enhanced level telemetry data. This setting has no effect on computers configured to send Full, Basic or Security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy.
- 0
@@ -57650,6 +66009,34 @@ The options are:
text/plain
+ LastWrite
+
+
+
+ LimitEnhancedDiagnosticDataWindowsAnalytics
+
+
+
+
+ 0
+ This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DataCollection.admx
+ LimitEnhancedDiagnosticDataWindowsAnalytics
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ LimitEnhancedDiagnosticDataWindowsAnalyticsLowestValueMostSecure
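Review bot: The Windows Analytics link in the new LimitEnhancedDiagnosticDataWindowsAnalytics description reads "https://go.Microsoft.com/fwlink/?linked=847594", while the text it replaces used "https://go.microsoft.com/fwlink/?linkid=847594". The query parameter changed from linkid to linked, which looks like an autocorrect slip; restore the original URL. There is also a missing space in "(Enhanced).If you configure".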
@@ -57659,8 +66046,8 @@ The options are:
-
+
@@ -57673,6 +66060,237 @@ The options are:
text/plain
+ DataCollection.admx
+ TelemetryProxyName
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ TelemetryProxy
+ LastWrite
+
+
+
+
+ SystemServices
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ConfigureHomeGroupListenerServiceStartupMode
+
+
+
+
+ 0
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~System Services
+ HomeGroup Listener
+ LastWrite
+
+
+
+ ConfigureHomeGroupProviderServiceStartupMode
+
+
+
+
+ 0
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~System Services
+ HomeGroup Provider
+ LastWrite
+
+
+
+ ConfigureXboxAccessoryManagementServiceStartupMode
+
+
+
+
+ 0
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~System Services
+ Xbox Accessory Management Service
+ LastWrite
+
+
+
+ ConfigureXboxLiveAuthManagerServiceStartupMode
+
+
+
+
+ 0
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~System Services
+ Xbox Live Auth Manager
+ LastWrite
+
+
+
+ ConfigureXboxLiveGameSaveServiceStartupMode
+
+
+
+
+ 0
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~System Services
+ Xbox Live Game Save
+ LastWrite
+
+
+
+ ConfigureXboxLiveNetworkingServiceStartupMode
+
+
+
+
+ 0
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~System Services
+ Xbox Live Networking Service
+ LastWrite
+
+
+
+
+ TaskScheduler
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EnableXboxGameSaveTask
+
+
+
+
+ 0
+ This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phoneLastWrite
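Review bot: In the six added SystemServices entries (ConfigureHomeGroupListenerServiceStartupMode through ConfigureXboxLiveNetworkingServiceStartupMode) the value 0 precedes a description that allows only 2, 3 or 4 and says "Default: Manual", which is 3 by its own list. EnableXboxGameSaveTask has the same conflict: 0 next to "Default: Enabled", where enabled is 1. Change either the value or the description so the two agree. The description also misspells "Automatic" as "Automaic" in all six copies.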
@@ -57696,14 +66314,38 @@ The options are:
+
+ AllowHardwareKeyboardTextSuggestions
+
+
+
+
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ LowestValueMostSecure
+
+ AllowIMELogging
- 1
+
@@ -57727,8 +66369,8 @@ The options are:
- 1
+
@@ -57752,8 +66394,8 @@ The options are:
- 1
+
@@ -57777,8 +66419,8 @@ The options are:
- 1
+
@@ -57791,6 +66433,7 @@ The options are:
text/plain
+ phoneHighestValueMostSecure
@@ -57801,8 +66444,8 @@ The options are:
- 1
+
@@ -57826,8 +66469,8 @@ The options are:
- 1
+
@@ -57851,8 +66494,8 @@ The options are:
- 1
+
@@ -57876,8 +66519,8 @@ The options are:
- 1
+
@@ -57900,8 +66543,8 @@ The options are:
- 1
+
@@ -57916,6 +66559,60 @@ The options are:
phone
+ TextInput.admx
+ TextInput~AT~WindowsComponents~TextInput
+ AllowLanguageFeaturesUninstall
+ LowestValueMostSecure
+
+
+
+ AllowLinguisticDataCollection
+
+
+
+
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ TextInput.admx
+ TextInput~AT~WindowsComponents~TextInput
+ AllowLinguisticDataCollection
+ LowestValueMostSecure
+
+
+
+ EnableTouchKeyboardAutoInvokeInDesktopMode
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ LowestValueMostSecure
@@ -57925,8 +66622,8 @@ The options are:
- 0
+
@@ -57939,6 +66636,7 @@ The options are:
text/plain
+ HighestValueMostSecure
@@ -57948,8 +66646,8 @@ The options are:
- 0
+
@@ -57962,6 +66660,7 @@ The options are:
text/plain
+ phoneHighestValueMostSecure
@@ -57972,8 +66671,8 @@ The options are:
- 0
+
@@ -57986,10 +66685,203 @@ The options are:
text/plain
+ phoneHighestValueMostSecure
+
+ ForceTouchKeyboardDockedState
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardDictationButtonAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardEmojiButtonAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardFullModeAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardHandwritingModeAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardNarrowModeAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardSplitModeAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardWideModeAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+ TimeLanguageSettings
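Review bot: The eight added touch keyboard policies, ForceTouchKeyboardDockedState and the seven TouchKeyboard...Availability entries, each carry only a 0, text/plain and HighestValueMostSecure, with no description and no ADMX mapping. Without the allowed values documented, HighestValueMostSecure cannot be checked against what each value actually does. Add a description with the value list to each entry.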
@@ -58016,8 +66908,8 @@ The options are:
- 0
+
@@ -58061,8 +66953,8 @@ The options are:
- 17
+
@@ -58075,6 +66967,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ActiveHoursEndTime
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ ActiveHoursLastWrite
@@ -58084,8 +66981,8 @@ The options are:
- 18
+
@@ -58098,6 +66995,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ActiveHoursMaxRange
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ ActiveHoursMaxRangeLastWrite
@@ -58107,8 +67009,8 @@ The options are:
- 8
+
@@ -58121,6 +67023,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ActiveHoursStartTime
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ ActiveHoursLastWrite
@@ -58130,8 +67037,8 @@ The options are:
- 2
+
@@ -58144,6 +67051,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoUpdateMode
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfgLowestValueMostSecure
@@ -58153,8 +67065,8 @@ The options are:
- 0
+
@@ -58167,6 +67079,10 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AllowAutoWindowsUpdateDownloadOverMeteredNetworkLastWrite
@@ -58176,8 +67092,8 @@ The options are:
- 0
+
@@ -58190,7 +67106,12 @@ The options are:
text/plain
+ phone
+ WindowsUpdate.admx
+ AllowMUUpdateServiceId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfgLowestValueMostSecure
@@ -58200,8 +67121,8 @@ The options are:
- 1
+
@@ -58224,8 +67145,8 @@ The options are:
- 1
+
@@ -58239,6 +67160,9 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ CorpWuURLLowestValueMostSecure
@@ -58248,8 +67172,8 @@ The options are:
- 7
+
@@ -58262,6 +67186,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoRestartDeadline
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoRestartDeadlineLastWrite
@@ -58271,8 +67200,8 @@ The options are:
- 15
+
@@ -58286,6 +67215,10 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ AutoRestartNotificationSchd
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoRestartNotificationConfigLastWrite
@@ -58295,8 +67228,8 @@ The options are:
- 1
+
@@ -58309,6 +67242,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoRestartRequiredNotificationDismissal
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoRestartRequiredNotificationDismissalLastWrite
@@ -58318,8 +67256,8 @@ The options are:
- 16
+
@@ -58333,6 +67271,34 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ BranchReadinessLevelId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferFeatureUpdates
+ LastWrite
+
+
+
+ ConfigureFeatureUpdateUninstallPeriod
+
+
+
+
+ 10
+ Enable enterprises/IT admin to configure feature update uninstall period
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ LastWrite
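Review bot: The description added for ConfigureFeatureUpdateUninstallPeriod, "Enable enterprises/IT admin to configure feature update uninstall period", gives no unit or allowed range for the value 10 above it. State the unit and the minimum and maximum, and tidy the wording. Unlike the neighbouring WindowsUpdate entries, this one has no WindowsUpdate.admx mapping lines; confirm that is intended.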
@@ -58342,8 +67308,8 @@ The options are:
- 0
+
@@ -58356,6 +67322,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ DeferFeatureUpdatesPeriodId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferFeatureUpdatesLastWrite
@@ -58365,8 +67336,8 @@ The options are:
- 0
+
@@ -58379,6 +67350,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ DeferQualityUpdatesPeriodId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferQualityUpdatesLastWrite
@@ -58388,8 +67364,8 @@ The options are:
- 0
+
@@ -58402,6 +67378,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ DeferUpdatePeriodId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ DeferUpgradeLastWrite
@@ -58411,8 +67392,8 @@ The options are:
- 0
+
@@ -58425,6 +67406,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ DeferUpgradePeriodId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ DeferUpgradeLastWrite
@@ -58434,8 +67420,8 @@ The options are:
- 22
+
@@ -58448,6 +67434,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ DetectionFrequency_Hour2
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ DetectionFrequency_TitleLastWrite
@@ -58457,8 +67448,8 @@ The options are:
- Do not allow update deferral policies to cause scans against Windows Update0
+ Do not allow update deferral policies to cause scans against Windows Update
@@ -58471,6 +67462,10 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ DisableDualScanLastWrite
@@ -58480,8 +67475,8 @@ The options are:
- 14
+
@@ -58494,6 +67489,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ EngagedRestartDeadline
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ EngagedRestartTransitionScheduleLastWrite
@@ -58503,8 +67503,8 @@ The options are:
- 3
+
@@ -58517,6 +67517,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ EngagedRestartSnoozeSchedule
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ EngagedRestartTransitionScheduleLastWrite
@@ -58526,8 +67531,8 @@ The options are:
- 7
+
@@ -58540,6 +67545,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ EngagedRestartTransitionSchedule
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ EngagedRestartTransitionScheduleLastWrite
@@ -58549,8 +67559,8 @@ The options are:
- 0
+
@@ -58563,6 +67573,10 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ ExcludeWUDriversInQualityUpdateLastWrite
@@ -58572,8 +67586,8 @@ The options are:
- 0
+
@@ -58586,6 +67600,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ CorpWUFillEmptyContentUrls
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ CorpWuURLLastWrite
@@ -58595,8 +67614,8 @@ The options are:
- 0
+
@@ -58619,8 +67638,8 @@ The options are:
- 0
+
@@ -58643,8 +67662,8 @@ The options are:
- 3
+
@@ -58657,6 +67676,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ManagePreviewBuildsId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ ManagePreviewBuildsLastWrite
@@ -58666,8 +67690,8 @@ The options are:
- 0
+
@@ -58680,6 +67704,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ PauseDeferralsId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ DeferUpgradeLastWrite
@@ -58689,8 +67718,8 @@ The options are:
- 0
+
@@ -58703,6 +67732,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ PauseFeatureUpdatesId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferFeatureUpdatesLastWrite
@@ -58712,8 +67746,8 @@ The options are:
-
+
@@ -58726,6 +67760,10 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ PauseFeatureUpdatesStartId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferFeatureUpdatesLastWrite
@@ -58735,8 +67773,8 @@ The options are:
- 0
+
@@ -58749,6 +67787,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ PauseQualityUpdatesId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferQualityUpdatesLastWrite
@@ -58758,8 +67801,8 @@ The options are:
-
+
@@ -58772,6 +67815,10 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ PauseQualityUpdatesStartId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferQualityUpdatesLastWrite
@@ -58781,8 +67828,8 @@ The options are:
- 4
+
@@ -58795,6 +67842,7 @@ The options are:
text/plain
+ LowestValueMostSecure
@@ -58804,8 +67852,8 @@ The options are:
- 0
+
@@ -58818,6 +67866,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ DeferUpgradePeriodId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ DeferUpgradeLastWrite
@@ -58827,8 +67880,8 @@ The options are:
- 0
+
@@ -58841,6 +67894,7 @@ The options are:
text/plain
+ HighestValueMostSecure
@@ -58850,8 +67904,8 @@ The options are:
- 0
+
@@ -58864,6 +67918,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoUpdateSchDay
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfgLowestValueMostSecure
@@ -58873,8 +67932,8 @@ The options are:
- 1
+
@@ -58887,6 +67946,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoUpdateSchEveryWeek
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfgLowestValueMostSecure
@@ -58896,8 +67960,8 @@ The options are:
- 0
+
@@ -58910,6 +67974,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoUpdateSchFirstWeek
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfgLowestValueMostSecure
@@ -58919,8 +67988,8 @@ The options are:
- 0
+
@@ -58933,6 +68002,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ScheduledInstallFourthWeek
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfgLowestValueMostSecure
@@ -58942,8 +68016,8 @@ The options are:
- 0
+
@@ -58956,6 +68030,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ScheduledInstallSecondWeek
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfgLowestValueMostSecure
@@ -58965,8 +68044,8 @@ The options are:
- 0
+
@@ -58979,6 +68058,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ScheduledInstallThirdWeek
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfgLowestValueMostSecure
@@ -58988,8 +68072,8 @@ The options are:
- 3
+
@@ -59002,6 +68086,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoUpdateSchTime
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfgLowestValueMostSecure
@@ -59011,8 +68100,8 @@ The options are:
- 15
+
@@ -59026,6 +68115,10 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ RestartWarn
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ RestartWarnRemindLastWrite
@@ -59035,8 +68128,8 @@ The options are:
- 4
+
@@ -59050,6 +68143,10 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ RestartWarnRemind
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ RestartWarnRemindLastWrite
@@ -59059,8 +68156,8 @@ The options are:
- 0
+
@@ -59073,6 +68170,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoRestartNotificationSchd
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoRestartNotificationDisableLastWrite
@@ -59082,8 +68184,8 @@ The options are:
- 0
+
@@ -59096,6 +68198,10 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ SetEDURestartLastWrite
@@ -59105,8 +68211,8 @@ The options are:
- CorpWSUS
+
@@ -59119,6 +68225,10 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ CorpWUURL_Name
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ CorpWuURLLastWrite
@@ -59128,8 +68238,8 @@ The options are:
-
+
@@ -59143,10 +68253,821 @@ The options are:
text/plainphone
+ WindowsUpdate.admx
+ CorpWUContentHost_Name
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ CorpWuURLLastWrite
+
+ UserRights
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AccessCredentialManagerAsTrustedCaller
+
+
+
+
+
+ This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Access Credential Manager ase a trusted caller
+ LastWrite
+ 0xF000
+
+
+
+ AccessFromNetwork
+
+
+
+
+
+ This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Access this computer from the network
+ LastWrite
+ 0xF000
+
+
+
+ ActAsPartOfTheOperatingSystem
+
+
+
+
+
+ This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Act as part of the operating system
+ LastWrite
+ 0xF000
+
+
+
+ AllowLocalLogOn
+
+
+
+
+
+ This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Allow log on locally
+ LastWrite
+ 0xF000
+
+
+
+ BackupFilesAndDirectories
+
+
+
+
+
+ This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Back up files and directories
+ LastWrite
+ 0xF000
+
+
+
+ ChangeSystemTime
+
+
+
+
+
+ This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Change the system time
+ LastWrite
+ 0xF000
+
+
+
+ CreateGlobalObjects
+
+
+
+
+
+ This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Create global objects
+ LastWrite
+ 0xF000
+
+
+
+ CreatePageFile
+
+
+
+
+
+ This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Create a pagefile
+ LastWrite
+ 0xF000
+
+
+
+ CreatePermanentSharedObjects
+
+
+
+
+
+ This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Create permanent shared objects
+ LastWrite
+ 0xF000
+
+
+
+ CreateSymbolicLinks
+
+
+
+
+
+ This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Create symbolic links
+ LastWrite
+ 0xF000
+
+
+
+ CreateToken
+
+
+
+
+
+ This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Create a token object
+ LastWrite
+ 0xF000
+
+
+
+ DebugPrograms
+
+
+
+
+
+ This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Debug programs
+ LastWrite
+ 0xF000
+
+
+
+ DenyAccessFromNetwork
+
+
+
+
+
+ This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Deny access to this computer from the network
+ LastWrite
+ 0xF000
+
+
+
+ DenyLocalLogOn
+
+
+
+
+
+ This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Deny log on as a service
+ LastWrite
+ 0xF000
+
+
+
+ DenyRemoteDesktopServicesLogOn
+
+
+
+
+
+ This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Deny log on through Remote Desktop Services
+ LastWrite
+ 0xF000
+
+
+
+ EnableDelegation
+
+
+
+
+
+ This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Enable computer and user accounts to be trusted for delegation
+ LastWrite
+ 0xF000
+
+
+
+ GenerateSecurityAudits
+
+
+
+
+
+ This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Generate security audits
+ LastWrite
+ 0xF000
+
+
+
+ ImpersonateClient
+
+
+
+
+
+ Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
+1) The access token that is being impersonated is for this user.
+2) The user, in this logon session, created the access token by logging on to the network with explicit credentials.
+3) The requested level is less than Impersonate, such as Anonymous or Identify.
+Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Impersonate a client after authentication
+ LastWrite
+ 0xF000
+
+
+
+ IncreaseSchedulingPriority
+
+
+
+
+
+ This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Increase scheduling priority
+ LastWrite
+ 0xF000
+
+
+
+ LoadUnloadDeviceDrivers
+
+
+
+
+
+ This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Load and unload device drivers
+ LastWrite
+ 0xF000
+
+
+
+ LockMemory
+
+
+
+
+
+ This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Lock pages in memory
+ LastWrite
+ 0xF000
+
+
+
+ ManageAuditingAndSecurityLog
+
+
+
+
+
+ This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Manage auditing and security log
+ LastWrite
+ 0xF000
+
+
+
+ ManageVolume
+
+
+
+
+
+ This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Perform volume maintenance tasks
+ LastWrite
+ 0xF000
+
+
+
+ ModifyFirmwareEnvironment
+
+
+
+
+
+ This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Modify firmware environment values
+ LastWrite
+ 0xF000
+
+
+
+ ModifyObjectLabel
+
+
+
+
+
+ This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Modify an object label
+ LastWrite
+ 0xF000
+
+
+
+ ProfileSingleProcess
+
+
+
+
+
+ This user right determines which users can use performance monitoring tools to monitor the performance of system processes.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Profile single process
+ LastWrite
+ 0xF000
+
+
+
+ RemoteShutdown
+
+
+
+
+
+ This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Force shutdown from a remote system
+ LastWrite
+ 0xF000
+
+
+
+ RestoreFilesAndDirectories
+
+
+
+
+
+ This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Restore files and directories
+ LastWrite
+ 0xF000
+
+
+
+ TakeOwnership
+
+
+
+
+
+ This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Take ownership of files or other objects
+ LastWrite
+ 0xF000
+
+
+ Wifi
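Review bot: The DenyLocalLogOn node in the middle of this hunk carries the strings of a different right: its description reads "determines which service accounts are prevented from registering a process as a service" and its display name is "Deny log on as a service". Either rename the node or replace both strings with the ones for denying local logon, otherwise an admin auditing this right reads the wrong semantics. Two smaller fixes in the same hunk: "Access Credential Manager ase a trusted caller" should read "as a", and the GenerateSecurityAudits description ends in a fragment ("Shut down system immediately if unable to log security audits security policy setting is enabled.") that has lost the start of its sentence.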
@@ -59172,8 +69093,8 @@ The options are:
- 1
+
@@ -59187,6 +69108,9 @@ The options are:
text/plain
+ wlansvc.admx
+ wlansvc~AT~Network~WlanSvc_Category~WlanSettings_Category
+ WiFiSenseLowestValueMostSecure
@@ -59196,8 +69120,8 @@ The options are:
- 1
+
@@ -59211,6 +69135,9 @@ The options are:
text/plain
+ NetworkConnections.admx
+ NetworkConnections~AT~Network~NetworkConnections
+ NC_ShowSharedAccessUILowestValueMostSecure
@@ -59220,8 +69147,8 @@ The options are:
- 1
+
@@ -59244,8 +69171,8 @@ The options are:
- 1
+
@@ -59268,8 +69195,8 @@ The options are:
- 1
+
@@ -59292,8 +69219,8 @@ The options are:
- 0
+
@@ -59306,10 +69233,58 @@ The options are:
text/plain
+ HighestValueMostSecureZeroHasNoLimits
+
+ WindowsConnectionManager
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ WCM.admx
+ WCM~AT~Network~WCM_Category
+ WCM_BlockNonDomain
+ LastWrite
+
+
+ WindowsDefenderSecurityCenter
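Review bot: The new node name starts with "Prohit" (ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork), which reads like a misspelling of "Prohibit". If that is the name the platform actually exposes, keep it and note that the spelling is intentional; if not, correct it here before anyone copies it into a policy path. The node also has no description text, only the WCM_BlockNonDomain mapping, so a sentence stating what is blocked and when would help.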
@@ -59335,8 +69310,8 @@ The options are:
-
+
@@ -59350,6 +69325,38 @@ The options are:
text/plainphone
+ WindowsDefenderSecurityCenter.admx
+ Presentation_EnterpriseCustomization_CompanyName
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization
+ EnterpriseCustomization_CompanyName
+ LastWrite
+
+
+
+ DisableAccountProtectionUI
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AccountProtection
+ AccountProtection_UILockdownLastWrite
@@ -59359,8 +69366,8 @@ The options are:
- 0
+
@@ -59373,7 +69380,39 @@ The options are:
text/plain
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AppBrowserProtection
+ AppBrowserProtection_UILockdown
+ LastWrite
+
+
+
+ DisableDeviceSecurityUI
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity
+ DeviceSecurity_UILockdownLastWrite
@@ -59383,8 +69422,8 @@ The options are:
- 0
+
@@ -59397,7 +69436,11 @@ The options are:
text/plain
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Notifications
+ Notifications_DisableEnhancedNotificationsLastWrite
@@ -59407,8 +69450,8 @@ The options are:
- 0
+
@@ -59421,7 +69464,11 @@ The options are:
text/plain
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~FamilyOptions
+ FamilyOptions_UILockdownLastWrite
@@ -59431,8 +69478,8 @@ The options are:
- 0
+
@@ -59445,7 +69492,11 @@ The options are:
text/plain
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DevicePerformanceHealth
+ DevicePerformanceHealth_UILockdownLastWrite
@@ -59455,8 +69506,8 @@ The options are:
- 0
+
@@ -59469,7 +69520,11 @@ The options are:
text/plain
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~FirewallNetworkProtection
+ FirewallNetworkProtection_UILockdownLastWrite
@@ -59479,8 +69534,8 @@ The options are:
- 0
+
@@ -59493,7 +69548,11 @@ The options are:
text/plain
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Notifications
+ Notifications_DisableNotificationsLastWrite
@@ -59503,8 +69562,8 @@ The options are:
- 0
+
@@ -59517,7 +69576,11 @@ The options are:
text/plain
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~VirusThreatProtection
+ VirusThreatProtection_UILockdownLastWrite
@@ -59527,8 +69590,8 @@ The options are:
- 0
+
@@ -59541,7 +69604,11 @@ The options are:
text/plain
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AppBrowserProtection
+ AppBrowserProtection_DisallowExploitProtectionOverrideLastWrite
@@ -59551,8 +69618,8 @@ The options are:
-
+
@@ -59566,6 +69633,10 @@ The options are:
text/plainphone
+ WindowsDefenderSecurityCenter.admx
+ Presentation_EnterpriseCustomization_Email
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization
+ EnterpriseCustomization_EmailLastWrite
@@ -59575,8 +69646,8 @@ The options are:
- 0
+
@@ -59589,7 +69660,11 @@ The options are:
text/plain
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization
+ EnterpriseCustomization_EnableCustomizedToastsLastWrite
@@ -59599,8 +69674,8 @@ The options are:
- 0
+
@@ -59613,7 +69688,95 @@ The options are:
text/plain
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization
+ EnterpriseCustomization_EnableInAppCustomization
+ LastWrite
+
+
+
+ HideRansomwareDataRecovery
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~VirusThreatProtection
+ VirusThreatProtection_HideRansomwareRecovery
+ LastWrite
+
+
+
+ HideSecureBoot
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity
+ DeviceSecurity_HideSecureBoot
+ LastWrite
+
+
+
+ HideTPMTroubleshooting
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity
+ DeviceSecurity_HideTPMTroubleshootingLastWrite
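Review bot: HideRansomwareDataRecovery, HideSecureBoot and HideTPMTroubleshooting are each added with a default of 0 and no description, so the hunk never says whether 0 means the area is shown or hidden. Add a description to each node that states both values; the same gap applies to DisableAccountProtectionUI and DisableDeviceSecurityUI added in the earlier WindowsDefenderSecurityCenter hunks.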
@@ -59623,8 +69786,8 @@ The options are:
-
+
@@ -59638,6 +69801,10 @@ The options are:
text/plainphone
+ WindowsDefenderSecurityCenter.admx
+ Presentation_EnterpriseCustomization_Phone
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization
+ EnterpriseCustomization_PhoneLastWrite
@@ -59647,8 +69814,8 @@ The options are:
-
+
@@ -59662,6 +69829,10 @@ The options are:
text/plainphone
+ WindowsDefenderSecurityCenter.admx
+ Presentation_EnterpriseCustomization_URL
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization
+ EnterpriseCustomization_URLLastWrite
@@ -59691,8 +69862,8 @@ The options are:
- 1
+
@@ -59707,6 +69878,9 @@ The options are:
phone
+ WindowsInkWorkspace.admx
+ WindowsInkWorkspace~AT~WindowsComponents~WindowsInkWorkspace
+ AllowSuggestedAppsInWindowsInkWorkspaceLowestValueMostSecure
@@ -59716,8 +69890,8 @@ The options are:
- 2
+
@@ -59730,7 +69904,12 @@ The options are:
text/plain
+ phone
+ WindowsInkWorkspace.admx
+ AllowWindowsInkWorkspaceDropdown
+ WindowsInkWorkspace~AT~WindowsComponents~WindowsInkWorkspace
+ AllowWindowsInkWorkspaceLowestValueMostSecure
@@ -59760,8 +69939,8 @@ The options are:
-
+
@@ -59787,8 +69966,8 @@ The options are:
-
+
@@ -59808,14 +69987,41 @@ The options are:
LastWrite
+
+ EnumerateLocalUsersOnDomainJoinedComputers
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ logon.admx
+ Logon~AT~System~Logon
+ EnumerateLocalUsers
+ LastWrite
+
+ HideFastUserSwitching
- This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations.0
+ This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations.
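Review bot: The ADMX file name for the new EnumerateLocalUsersOnDomainJoinedComputers entry is written `logon.admx`, while the HideFastUserSwitching entry in the next hunk uses `Logon.admx`; pick one casing so tooling that matches on the file name treats both the same. The new entry also carries no description text, unlike HideFastUserSwitching directly below it. In the re-added HideFastUserSwitching description, "The locations that Switch User interface appear are in" should read "The Switch User interface appears in".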
@@ -59829,9 +70035,86 @@ The options are:
text/plain
+ Logon.admx
+ Logon~AT~System~Logon
+ HideFastUserSwitchingHighestValueMostSecure
+
+ SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ WinLogon.admx
+ WinLogon~AT~WindowsComponents~Logon
+ AutomaticRestartSignOn
+ LastWrite
+
+
+
+
+ WindowsPowerShell
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TurnOnPowerShellScriptBlockLogging
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ PowerShellExecutionPolicy.admx
+ PowerShellExecutionPolicy~AT~WindowsComponents~PowerShell
+ EnableScriptBlockLogging
+ LastWrite
+
+ WirelessDisplay
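Review bot: SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart and TurnOnPowerShellScriptBlockLogging are both added here without any description text, whereas the neighbouring HideFastUserSwitching and WirelessDisplay entries each have one. Both settings change security-relevant behaviour (automatic sign-in after a restart, and what PowerShell records), so an administrator reading this reference needs at least one sentence per policy stating what enabling and disabling does.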
@@ -59858,8 +70141,8 @@ The options are:
- This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver.1
+ This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver.
@@ -59882,8 +70165,8 @@ The options are:
- This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver.1
+ This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver.
@@ -59906,10 +70189,10 @@ The options are:
+ 1This policy allows you to turn off projection from a PC.
If you set it to 0, your PC cannot discover or project to other devices.
If you set it to 1, your PC can discover and project to other devices.
- 1
@@ -59932,10 +70215,10 @@ The options are:
+ 1This policy allows you to turn off projection from a PC over infrastructure.
If you set it to 0, your PC cannot discover or project to other infrastructure devices, though it may still be possible to discover and project over WiFi Direct.
If you set it to 1, your PC can discover and project to other devices over infrastructure.
- 1
@@ -59958,10 +70241,10 @@ The options are:
+ 1This policy setting allows you to turn off projection to a PC
If you set it to 0, your PC isn't discoverable and can't be projected to
If you set it to 1, your PC is discoverable and can be projected to above the lock screen only. The user has an option to turn it always on or off except for manual launch, too.
- 1
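Review bot: The added description for projection to a PC is missing sentence-ending periods after "projection to a PC" and "can't be projected to", and its last sentence ("The user has an option to turn it always on or off except for manual launch, too.") does not say clearly what the user can still change when the value is 1. Since the value 1 leaves the PC discoverable above the lock screen, spell out exactly which user choices remain available.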
@@ -59976,6 +70259,9 @@ The options are:
phone
+ WirelessDisplay.admx
+ WirelessDisplay~AT~WindowsComponents~Connect
+ AllowProjectionToPCLowestValueMostSecure
@@ -59985,10 +70271,10 @@ The options are:
+ 1This policy setting allows you to turn off projection to a PC over infrastructure.
If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct.
If you set it to 1, your PC can be discoverable and can be projected to over infrastructure.
- 1
@@ -60011,8 +70297,8 @@ The options are:
- 1
+
@@ -60035,10 +70321,10 @@ The options are:
+ 0This policy setting allows you to require a pin for pairing.
If you turn this on, the pairing ceremony for new devices will always require a PIN
If you turn it off or don't configure it, a pin isn't required for pairing.
- 0
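Review bot: The added description mixes "pin" and "PIN" ("require a pin for pairing", "always require a PIN", "a pin isn't required"); use "PIN" throughout and end the second sentence with a period. The text also says "turn this on" and "turn it off" while the sibling projection policies in this file describe the values as 0 and 1, so stating which value requires the PIN would keep the entries consistent.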
@@ -60052,6 +70338,9 @@ The options are:
text/plain
+ WirelessDisplay.admx
+ WirelessDisplay~AT~WindowsComponents~Connect
+ RequirePinForPairingLowestValueMostSecure
diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md
index 5e471e50ba..67de432346 100644
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/26/2017
+ms.date: 02/23/2018
---
# Update CSP
@@ -76,7 +76,7 @@ The following diagram shows the Update configuration service provider in tree fo
Supported operation is Get.
**FailedUpdates/*Failed Update Guid*/RevisionNumber**
-
Added in the Windows 10, version 1803. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
+
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
Supported operation is Get.
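Review bot: The "Added in" version for FailedUpdates RevisionNumber changes from 1803 to 1703 here, and the same change is made for the InstalledUpdates and PendingRebootUpdates RevisionNumber nodes in the following hunks, with nothing in the visible change explaining which value is right. Please confirm 1703 against the DDF for that release before merging, since readers use this line to decide whether a node can be queried on a given build.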
@@ -91,7 +91,7 @@ The following diagram shows the Update configuration service provider in tree fo
Supported operation is Get.
**InstalledUpdates/*Installed Update Guid*/RevisionNumber**
-
Added in Windows 10, version 1803. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
+
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
Supported operation is Get.
@@ -135,7 +135,7 @@ The following diagram shows the Update configuration service provider in tree fo
Supported operation is Get.
**PendingRebootUpdates/*Pending Reboot Update Guid*/RevisionNumber**
-
Added in Windows 10, version 1803. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
+
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
Supported operation is Get.
@@ -149,6 +149,38 @@ The following diagram shows the Update configuration service provider in tree fo
Supported operation is Get.
+**Rollback**
+Added in Windows 10, version 1803. Node for the rollback operations.
+
+**Rollback/QualityUpdate**
+Added in Windows 10, version 1803. Roll back latest Quality Update, if the machine meets the following conditions:
+
+- Condition 1: Device must be Windows Update for Business Connected
+- Condition 2: Device must be in a Paused State
+- Condition 3: Device must have the Latest Quality Update installed on the device (Current State)
+
+If the conditions are not true, the device will not Roll Back the Latest Quality Update.
+
+**Rollback/FeatureUpdate**
+Added in Windows 10, version 1803. Roll Back Latest Feature Update, if the machine meets the following conditions:
+
+- Condition 1: Device must be Windows Update for Business Connnected
+- Condition 2: Device must be in Paused State
+- Condition 3: Device must have the Latest Feature Update Installed on the device (Current State)
+- Condition 4: Machine should be within the uninstall period
+
+> [!Note]
+> This only works for Semi Annual Channel Targeted devices.
+
+If the conditions are not true, the device will not Roll Back the Latest Feature Update.
+
+
+**Rollback/QualityUpdateStatus**
+Added in Windows 10, version 1803. Returns the result of last RollBack QualityUpdate operation.
+
+**Rollback/FeatureUpdateStatus**
+Added in Windows 10, version 1803. Returns the result of last RollBack FeatureUpdate operation.
+
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
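Review bot: None of the four new Rollback nodes states its supported operation, while every other node in this file ends with a line such as "Supported operation is Get."; add the operation for Rollback/QualityUpdate and Rollback/FeatureUpdate and for the two status nodes, and list the values that QualityUpdateStatus and FeatureUpdateStatus can return. Also fix "Connnected" in Condition 1 of Rollback/FeatureUpdate, and settle on one spelling among "Roll back", "Roll Back" and "RollBack". The section does not say who is permitted to trigger a rollback or how the request is recorded; because rolling back a quality update removes installed fixes, that belongs in the description.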
diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md
index 00056f6fc8..b628189e10 100644
--- a/windows/client-management/mdm/update-ddf-file.md
+++ b/windows/client-management/mdm/update-ddf-file.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/05/2017
+ms.date: 02/23/2018
---
# Update DDF file
@@ -16,522 +16,643 @@ This topic shows the OMA DM device description framework (DDF) for the **Update*
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is the current version for this CSP.
+The XML below is for Windows 10, version 1803.
``` syntax
]>
+ "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
+ []>
- 1.2
+ 1.2
+
+ Update
+ ./Vendor/MSFT
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ com.microsoft/1.1/MDM/Update
+
+
- Update
- ./Vendor/MSFT
+ ApprovedUpdates
+
+
+
+
+
+
+ Approve of specific updates to be installed on a device and accept the EULA associated with the update on behalf of the end-user
+
+
+
+
+
+
+
+
+
+ Approved Updates
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+ UpdateID field of the UpdateIdentity is used to display relevant update metadata to IT and approved updates to be installed on the device
+
+
+
+
+
+
+
+
+
+ Approved Update Guid
+
+
+
- ApprovedUpdates
-
-
-
-
-
-
- Approve of specific updates to be installed on a device and accept the EULA associated with the update on behalf of the end-user
-
-
-
-
-
-
-
-
-
- Approved Updates
-
-
-
-
-
-
-
-
-
-
- UpdateID field of the UpdateIdentity is used to display relevant update metadata to IT and approved updates to be installed on the device
-
-
-
-
-
-
-
-
-
- Approved Update Guid
-
-
-
-
-
- ApprovedTime
-
-
-
-
- 0
- The time updates get approved
-
-
-
-
-
-
-
-
-
- The time update get approved
-
- text/plain
-
-
-
-
-
-
- FailedUpdates
-
-
-
-
- Approved updates that failed to install on a device
-
-
-
-
-
-
-
-
-
- Failed Updates
-
-
-
-
-
-
-
-
-
-
- UpdateID field of the UpdateIdentity GUID that represent an update that failed to install
-
-
-
-
-
-
-
-
-
-
-
-
- Failed Update Guid
-
-
-
-
-
- HResult
-
-
-
-
- 0
- Update failure error code
-
-
-
-
-
-
-
-
-
- HResult
-
- text/plain
-
-
-
-
- Status
-
-
-
-
- Update failure status
-
-
-
-
-
-
-
-
-
-
-
-
- Failed update status
-
- text/plain
-
-
-
-
- RevisionNumber
-
-
-
-
- The revision number of the update
-
-
-
-
-
-
-
-
-
- Update's revision number
-
- text/plain
-
-
-
-
-
-
- InstalledUpdates
-
-
-
-
- Updates that are installed on the device
-
-
-
-
-
-
-
-
-
- Installed Updates
-
-
-
-
-
-
-
-
-
-
- UpdateIDs that represent the updates installed on a device
-
-
-
-
-
-
-
-
-
- Installed Update Guid
-
-
-
-
-
- RevisionNumber
-
-
-
-
- The revision number of the update
-
-
-
-
-
-
-
-
-
- Update's revision number
-
- text/plain
-
-
-
-
-
-
- InstallableUpdates
-
-
-
-
- Updates that are applicable and not yet installed on the device
-
-
-
-
-
-
-
-
-
- Installable Updates
-
-
-
-
-
-
-
-
-
-
- UpdateIDs that represent the updates applicable and not installed on a device
-
-
-
-
-
-
-
-
-
- Installable Update Guid
-
-
-
-
-
- Type
-
-
-
-
-
- The UpdateClassification value of the update
- Values:
- 0 = None
- 1 = Security
- 2 = Critical
-
-
-
-
-
-
-
-
-
-
- Type of update
-
- text/plain
-
-
-
-
- RevisionNumber
-
-
-
-
- The revision number of the update
-
-
-
-
-
-
-
-
-
- Update's revision number
-
- text/plain
-
-
-
-
-
-
- PendingRebootUpdates
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Devices in the pending reboot state
-
-
-
-
-
-
-
-
-
-
-
-
- Pending Reboot Update Guid
-
-
-
-
-
- InstalledTime
-
-
-
-
- The time the update installed.
-
-
-
-
-
-
-
-
-
- InstalledTime
-
- text/plain
-
-
-
-
- RevisionNumber
-
-
-
-
- The revision number of the update
-
-
-
-
-
-
-
-
-
- Update's revision number
-
- text/plain
-
-
-
-
-
-
- LastSuccessfulScanTime
-
-
-
-
- 0
- Last success scan time.
-
-
-
-
-
-
-
-
-
-
-
-
- LastSuccessfulScanTime
-
- text/plain
-
-
-
-
- DeferUpgrade
-
-
-
-
- 0
- Defer upgrades till the next upgrade period (at least a few months).
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
+ ApprovedTime
+
+
+
+
+ 0
+ The time updates get approved
+
+
+
+
+
+
+
+
+
+ The time update get approved
+
+ text/plain
+
+
+
+
+ FailedUpdates
+
+
+
+
+ Approved updates that failed to install on a device
+
+
+
+
+
+
+
+
+
+ Failed Updates
+
+
+
+
+
+
+
+
+
+
+ UpdateID field of the UpdateIdentity GUID that represent an update that failed to install
+
+
+
+
+
+
+
+
+
+
+
+
+ Failed Update Guid
+
+
+
+
+
+ HResult
+
+
+
+
+ 0
+ Update failure error code
+
+
+
+
+
+
+
+
+
+ HResult
+
+ text/plain
+
+
+
+
+ Status
+
+
+
+
+ Update failure status
+
+
+
+
+
+
+
+
+
+
+
+
+ Failed update status
+
+ text/plain
+
+
+
+
+ RevisionNumber
+
+
+
+
+ The revision number of the update
+
+
+
+
+
+
+
+
+
+ Update's revision number
+
+ text/plain
+
+
+
+
+
+
+ InstalledUpdates
+
+
+
+
+ Updates that are installed on the device
+
+
+
+
+
+
+
+
+
+ Installed Updates
+
+
+
+
+
+
+
+
+
+
+ UpdateIDs that represent the updates installed on a device
+
+
+
+
+
+
+
+
+
+ Installed Update Guid
+
+
+
+
+
+ RevisionNumber
+
+
+
+
+ The revision number of the update
+
+
+
+
+
+
+
+
+
+ Update's revision number
+
+ text/plain
+
+
+
+
+
+
+ InstallableUpdates
+
+
+
+
+ Updates that are applicable and not yet installed on the device
+
+
+
+
+
+
+
+
+
+ Installable Updates
+
+
+
+
+
+
+
+
+
+
+ UpdateIDs that represent the updates applicable and not installed on a device
+
+
+
+
+
+
+
+
+
+ Installable Update Guid
+
+
+
+
+
+ Type
+
+
+
+
+
+ The UpdateClassification value of the update
+ Values:
+ 0 = None
+ 1 = Security
+ 2 = Critical
+
+
+
+
+
+
+
+
+
+
+ Type of update
+
+ text/plain
+
+
+
+
+ RevisionNumber
+
+
+
+
+ The revision number of the update
+
+
+
+
+
+
+
+
+
+ Update's revision number
+
+ text/plain
+
+
+
+
+
+
+ PendingRebootUpdates
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Devices in the pending reboot state
+
+
+
+
+
+
+
+
+
+
+
+
+ Pending Reboot Update Guid
+
+
+
+
+
+ InstalledTime
+
+
+
+
+ The time the update installed.
+
+
+
+
+
+
+
+
+
+ InstalledTime
+
+ text/plain
+
+
+
+
+ RevisionNumber
+
+
+
+
+ The revision number of the update
+
+
+
+
+
+
+
+
+
+ Update's revision number
+
+ text/plain
+
+
+
+
+
+
+ LastSuccessfulScanTime
+
+
+
+
+ 0
+ Last success scan time.
+
+
+
+
+
+
+
+
+
+
+
+
+ LastSuccessfulScanTime
+
+ text/plain
+
+
+
+
+ DeferUpgrade
+
+
+
+
+ 0
+ Defer upgrades till the next upgrade period (at least a few months).
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Rollback
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ QualityUpdate
+
+
+
+
+
+ Roll back Latest Quality Update, if the machine meets the following conditions:
+ Condition 1: Device must be WUfB Connected
+ Condition 2: Device must be in a Paused State
+ Condition 3: Device must have the Latest Quality Update installed on the device (Current State)
+ If the conditions are not true, the device will not Roll Back the Latest Quality Update.
+
+
+
+
+
+
+
+
+
+
+ QualityUpdate
+
+ text/plain
+
+
+
+
+ FeatureUpdate
+
+
+
+
+
+ Roll Back Latest Feature Update, if the machine meets the following conditions:
+ Condition 1: Device must be WUfB Connnected
+ Condition 2: Device must be in Paused State
+ Condition 3: Device must have the Latest Feature Update Installed on the device (Current State)
+ Condition 4: Machine should be within the uninstall period
+ If the conditions are not true, the device will not Roll Back the Latest Feature Update.
+
+
+
+
+
+
+
+
+
+
+ FeatureUpdate
+
+ text/plain
+
+
+
+
+ QualityUpdateStatus
+
+
+
+
+ Returns the result of last RollBack QualityUpdate opearation.
+
+
+
+
+
+
+
+
+
+ QualityUpdateStatus
+
+ text/plain
+
+
+
+
+ FeatureUpdateStatus
+
+
+
+
+ Returns the result of last RollBack FeatureUpdate opearation.
+
+
+
+
+
+
+
+
+
+ FeatureUpdateStatus
+
+ text/plain
+
+
+
+
+
```
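Review bot: The new Rollback descriptions in the DDF contain typos that will ship in the reference as written: "opearation" in both the QualityUpdateStatus and FeatureUpdateStatus descriptions and "Connnected" in Condition 1 of FeatureUpdate. If this XML is copied from the product DDF, fix the strings at the source and regenerate rather than editing only here. The descriptions also say "WUfB Connected" where update-csp.md in this same change says "Windows Update for Business Connected", and the Semi Annual Channel Targeted restriction noted in update-csp.md does not appear in the FeatureUpdate description. Most of this hunk removes and re-adds unchanged nodes at a different indentation, which makes the real additions (the Rollback subtree) hard to review; a whitespace-only commit separate from the content change would help.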
diff --git a/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md b/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md
index 6a85eb7c57..9529995ecb 100644
--- a/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md
@@ -278,7 +278,7 @@ Windows Analytics Device Health reports are powered by diagnostic data not inclu
In Windows 10, version 1709, we introduce the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic.
-- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/eventname) topic.
+- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic.
- **Some crash dump types.** All crash dump types, except for heap and full dumps.
diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md
index 5be53d2953..2df8e81ee7 100644
--- a/windows/configuration/wcd/wcd-accounts.md
+++ b/windows/configuration/wcd/wcd-accounts.md
@@ -42,7 +42,7 @@ Specifies the settings you can configure when joining a device to a domain, incl
| --- | --- | --- |
| Account | string | Account to use to join computer to domain |
| AccountOU | string | Name of organizational unit for the computer account |
-| ComputerName | Specify a unique name for the domain-joined computers using %RAND:x%, where x is an integer less than 15 digits long, or using %SERIALNUMBER% characters in the name.ComputerName is a string with a maximum length of 15 bytes of content:- ComputerName can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content.- ComputerName cannot use spaces or any of the following characters: \{ | \} ~ \[ \\ \] ^ ' : ; < = > ? @ ! " \# $ % ` \( \) + / . , \* &, or contain any spaces.- ComputerName cannot use some non-standard characters, such as emoji.Computer names that cannot be validated through the DnsValidateName function cannot be used, for example, computer names that only contain numbers (0-9). For more information, see the [DnsValidateName function](http://go.microsoft.com/fwlink/?LinkId=257040). | Specifies the name of the Windows device (computer name on PCs) |
+| ComputerName | Specify a unique name for the domain-joined computers using %RAND:x%, where x is an integer less than 15 digits long, or using %SERIAL% characters in the name.ComputerName is a string with a maximum length of 15 bytes of content:- ComputerName can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content.- ComputerName cannot use spaces or any of the following characters: \{ | \} ~ \[ \\ \] ^ ' : ; < = > ? @ ! " \# $ % ` \( \) + / . , \* &, or contain any spaces.- ComputerName cannot use some non-standard characters, such as emoji.Computer names that cannot be validated through the DnsValidateName function cannot be used, for example, computer names that only contain numbers (0-9). For more information, see the [DnsValidateName function](http://go.microsoft.com/fwlink/?LinkId=257040). | Specifies the name of the Windows device (computer name on PCs) |
| DomainName | string (cannot be empty) | Specify the name of the domain that the device will join |
| Password | string (cannot be empty) | Corresponds to the password of the user account that's authorized to join the computer account to the domain. |
@@ -55,4 +55,4 @@ Use these settings to add local user accounts to the device.
| UserName | string (cannot be empty) | Specify a name for the local user account |
| HomeDir | string (cannot be ampty) | Specify the path of the home directory for the user |
| Password | string (cannot be empty) | Specify the password for the user account |
-| UserGroup | string (cannot be empty) | Specify the local user group for the user |
\ No newline at end of file
+| UserGroup | string (cannot be empty) | Specify the local user group for the user |
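Review bot: While this table is being touched to add the trailing newline, the HomeDir row two lines up still reads "cannot be ampty"; correct it to "cannot be empty" in the same change.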
diff --git a/windows/deployment/update/waas-windows-insider-for-business.md b/windows/deployment/update/waas-windows-insider-for-business.md
index b105a54d56..fe47323f40 100644
--- a/windows/deployment/update/waas-windows-insider-for-business.md
+++ b/windows/deployment/update/waas-windows-insider-for-business.md
@@ -19,7 +19,7 @@ ms.date: 10/27/2017
> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-For many IT pros, gaining visibility into feature updates early, before they’re available to the Semi-Annual Channel, can be both intriguing and valuable for future end user communications as well as provide additional prestaging for Semi-Annual Channel devices. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test devices, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to the Semi-Annual Channel, organizations can test their deployment on test devices for compatibility validation.
+For many IT Pros, gaining visibility into feature updates early, before they’re available to the Semi-Annual Channel, can be both intriguing and valuable for future end user communications as well as provide additional prestaging for Semi-Annual Channel devices. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test devices, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to the Semi-Annual Channel, organizations can test their deployment on test devices for compatibility validation.
The Windows Insider Program for Business gives you the opportunity to:
* Get early access to Windows Insider Preview Builds.
@@ -50,32 +50,50 @@ Below are additional details to accomplish the steps described above.
## Register to the Windows Insider Program for Business
-Registration in the Windows Insider Program for Business can be done individually per user or for an entire organization:
+The first step to installing a Windows 10 Insider Preview build is to register as a Windows Insider. You and your users have two registration options.
-### Individual registration
-
->[!IMPORTANT]
->This step is a prerequisite to register your organization's Azure AD domain.
-
-Navigate to the [**Getting Started**](https://insider.windows.com/en-us/getting-started/) page on [Windows Insider](https://insider.windows.com), go to **Register your organization account** and follow the instructions.
+### Register using your work account (recommended)
+• Registering with your work account in Azure Active Directory (AAD) is required to submit feedback on behalf of your organization and manage Insider Preview builds on other PCs in your domain.
>[!NOTE]
->Make sure your device is [connected to your company's Azure AD subscription](waas-windows-insider-for-business-faq.md#connected-to-aad).
+>Requires Windows 10 Version 1703 or later. Confirm by going to Settings>System>About. If you do not have an AAD account, [find out how to get an Azure Active Directory tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-howto-tenant).
-### Organizational registration
+### Register your personal account
+Use the same account that you use for other Microsoft services. If you don’t have a Microsoft account, it is easy to get one. [Get a Microsoft account](https://account.microsoft.com/account).
-This method enables to your register your entire organization to the Windows Insider Program for Business, to avoid having to register each individual user.
+## Install Windows Insider Preview Builds
+You can install Windows 10 Insider Preview builds directly on individual PCs, manage installation across multiple PCs in an organization, or install on a virtual machine.
->[!IMPORTANT]
->The account performing these steps has to first be registered to the program individually. Additionally, Global Administrator privileges on the Azure AD domain are required.
+### Install on an individual PC
-1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/en-us/insidersigninaad/).
-2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/en-us/for-business-organization-admin/) and control settings centrally.**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain.
+1. Open [Windows Insider Program settings](ms-settings:windowsinsider) (On your Windows 10 PC, go to Start > Settings > Update & security > Windows Insider Program). Note: To see this setting, you need to have administrator rights to your PC.
+2. Link your Microsoft or work account that you used to register as a Windows Insider.
+3. Follow the prompts.
->[!NOTE]
->At this point, the Windows Insider Program for Business only supports [Azure Active Directory (Azure AD)](/azure/active-directory/active-directory-whatis) (and not Active Directory on premises) as a corporate authentication method.
->
->If your company is currently not using Azure AD – but has a paid subscription to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services – you have a free subscription to Microsoft Azure Active Directory. This subscription can be used to create users for enrollment in the Windows Insider Program for Business.
+(images/WIP4Biz_Prompts.png)
+
+### Install across multiple PCs
+
+Administrators can install and manage Insider Preview builds centrally across multiple PCs within their domain. Here’s how:
+
+1. **Register your domain with the Windows Insider Program**
+To register a domain, you must be registered in the Windows Insider Program with your work account in Azure Active Directory and you must be assigned a **Global Administrator** role on that Azure AD domain. Also requires Windows 10 Version 1703 or later.
+
+**Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/en-us/for-business-organization-admin/) and control settings centrally.**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain.
+
+>[!Notes]
+>• At this point, the Windows Insider Program for Business only supports [Azure Active Directory (Azure AD)](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis) (and not Active Directory on premises) as a corporate authentication method.
+>• If your company has a paid subscription to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services – you have a free subscription to Microsoft Azure Active Directory. This subscription can be used to create users for enrollment in the Windows Insider Program for Business.
+>• If you do not have an AAD account, install Insider Preview builds on individual PCs with a registered Microsoft account.
+
+2. **Apply Policies**
+Once you have registered your enterprise domain, you can control how and when devices receive Windows Insider Preview builds on their devices. See: [How to manage Windows 10 Insider Preview builds across your organization](https://docs.microsoft.com/en-us/windows/deployment/update/waas-windows-insider-for-business).
+
+### Install on a virtual machine.
+This option enables you to run Insider Preview builds without changing the Windows 10 production build already running on a PC.
+• For guidance on setting up virtual machines on your PC see: [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/).
+• To download the latest Insider Preview build to run on your virtual machine see:
+[Windows Insider Preview downloads](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewadvanced)
## Manage Windows Insider Preview builds
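Review bot: Several added lines will not render as intended in Markdown: the `•` characters under "Register using your work account", inside the note block and under "Install on a virtual machine." are literal bullets rather than `-` or `*` list items, `>[!Notes]` does not match the `>[!NOTE]` form used earlier in this same hunk, and `(images/WIP4Biz_Prompts.png)` lacks the `![alt text]` prefix, so it displays as text instead of an image. Step 1 under "Install across multiple PCs" states the Global Administrator requirement twice, once in the new paragraph and again in the retained "Register your domain" paragraph, and the unindented paragraphs between "1." and "2." will break the numbered list. The link in "2. Apply Policies" points to waas-windows-insider-for-business, which is this article, so it sends the reader back to the same page. The heading "### Install on a virtual machine." should lose its trailing period.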
@@ -161,6 +179,58 @@ To switch flights prior to Windows 10, version 1709, follow these steps:
* [Windows Insider Slow](#slow)
* [Release Preview](#release-preview)
+## Explore new Insider Preview features
+Windows 10 Insider Preview builds offer organizations a valuable and exciting opportunity to evaluate new Windows features well before general release. What’s more, by providing feedback to Microsoft on these features, you and other Insiders in your organization can help shape Windows for your specific business needs. Here’s how to get the most out of your feature exploration:
+
+**Objective: Release Channel**
+Feature Exploration: Fast Ring
+Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.
+
+**Objective: Users**
+Feature Exploration: Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary machines.
+
+**Objective: Tasks**
+Feature Exploration:
+• Install and manage Insider Preview builds on PCs (per machine or centrally across multiple machines)
+• Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications
+• Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary current features.
+
+**Objective: Feedback**
+Feature Exploration:
+• Provide feedback via [Feedback Hub app](insiderhub://home/). This helps us make adjustments to features as quickly as possible.
+• Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
+• [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/en-us/how-to-feedback/)
+
+## Validate Insider Preview builds
+Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](https://docs.microsoft.com/en-us/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits:
+• Get a head start on your Windows validation process
+• Identify issues sooner to accelerate your Windows deployment
+• Engage Microsoft earlier for help with potential compatibility issues
+• Deploy Windows 10 Semi-Annual releases faster and more confidently
+• Maximize the 18-month support Window that comes with each Semi-Annual release.
+
+(images/WIP4Biz_deployment.png)
+Windows 10 Insider Preview builds enable organization to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments.
+
+**Objective: Release Channel**
+Application and infrastructure validation: SLOW RING
+Insider Preview builds in the Slow Ring are released approximately once a month. They are more stable than Fast Ring releases, making them better suited for validation purposes. Slow Ring releases can be run on either secondary or primary production machines by skilled users.
+
+**Objective: Recommended Users**
+Application and infrastructure validation: In addition to Insiders who may have participated in feature exploration, we also recommend including a small group of application users from each business department to ensure a representative sample.
+
+**Objective: Recommended Tasks**
+Application and infrastructure validation: Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) and [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) pages for updates on current issues and fixes.
+
+**Objective: Feedback**
+Application and infrastructure validation:Provide feedback in the Feedback Hub app and also inform app vendors of any significant issues.
+
+**Objective: Guidance**
+Application and infrastructure validation:
+• [Use Upgrade Readiness to create an app inventory and identify mission-critical apps](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-identify-apps)
+• [Use Device Health to identify problem devices and device drivers](https://docs.microsoft.com/en-us/windows/deployment/update/device-health-monitor)
+• [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793)
+
## How to switch between your MSA and your Corporate AAD account
If you were using your Microsoft Account (MSA) to enroll to the Windows Insider Program, switch to your organizational account by going to **Settings > Updates & Security > Windows Insider Program**, and under **Windows Insider account** select **Change**.
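Review bot: Several of the added lines need a copy pass before merge: "for a summary current features" is missing "of", "the 18-month support Window" should use a lowercase "window", "enable organization to prepare" should read "organizations", and "validation:Provide feedback" lacks a space after the colon. Both Windows Insider blog links also carry the fragment `#k3WWwxKCTWHCO82H.97`, which looks like a share-tracking token rather than a page anchor; drop it from the URLs.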
@@ -189,7 +259,7 @@ When providing feedback, please consider the following:
### User consent requirement
-With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will see a popup asking for their permission, like this:
+Feedback Hub needs the user’s consent to access their AAD account profile data (we read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will see a popup asking for their permission, like this:

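Review bot: The replacement sentence introduces a typographic apostrophe in "user’s" where the line it replaces used a straight one ("user's"); keep the straight apostrophe so the file stays consistent and searchable.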
@@ -271,6 +341,15 @@ Your individual registration with the Insider program will not be impacted. If y
>[!IMPORTANT]
>Once your domain is unregistered, setting the **Branch Readiness Level** to preview builds will have no effect. Return this setting to its unconfigured state in order to enable users to control it from their devices.
+## Community
+
+Windows Insiders are a part of a global community focused on innovation, creativity, and growth in their world.
+
+The Windows Insider program enables you to deepen connections to learn from peers and to connect to subject matter experts (inside Microsoft, Insiders in your local community and in another country) who understand your unique challenges, and who can provide strategic advice on how to maximize your impact.
+
+Collaborate and learn from experts in the [WINDOWS INSIDER TECH COMMUNITY](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram)
+
+
## Additional help resources
* [**Windows Blog**](https://blogs.windows.com/blog/tag/windows-insider-program/) - With each new build release we publish a Windows Blog post that outlines key feature changes as well as known issues that Insiders may encounter while using the build.
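Review bot: The link text "WINDOWS INSIDER TECH COMMUNITY" in the new Community section is all caps, while the same URL is linked as "Windows Insider Tech Community" in the validation guidance added earlier in this file; use the title-case form and end the sentence with a period. The section also ends with two added blank lines where one is enough.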
@@ -281,10 +360,9 @@ Your individual registration with the Insider program will not be impacted. If y
- [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md)
- [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md)
-
## Related Topics
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
-- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
\ No newline at end of file
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md
index b0a1554fa0..43202e6dde 100644
--- a/windows/hub/TOC.md
+++ b/windows/hub/TOC.md
@@ -5,8 +5,6 @@
## [Configuration](/windows/configuration)
## [Client management](/windows/client-management)
## [Application management](/windows/application-management)
-## [Identity and access management](/windows/security/identity-protection)
-## [Information protection](/windows/security/information-protection)
-## [Threat protection](/windows/security/threat-protection)
+## [Security](/windows/security)
## [Troubleshooting](/windows/client-management/windows-10-support-solutions)
## [Other Windows client versions](https://docs.microsoft.com/previous-versions/windows)
\ No newline at end of file
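Review bot: Collapsing the three entries (Identity and access management, Information protection, Threat protection) into the single `## [Security](/windows/security)` link removes the direct hub navigation to each area, so confirm that the `/windows/security` landing page links to all three before merging. The file also still ends without a trailing newline, which this patch fixes for another file; add it here too.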
diff --git a/windows/hub/index.md b/windows/hub/index.md
index 7d1f965f9d..73eff095ff 100644
--- a/windows/hub/index.md
+++ b/windows/hub/index.md
@@ -37,12 +37,6 @@ Find the latest how to and support content that IT pros need to evaluate, plan,
Deployment
-
-
@@ -74,9 +62,9 @@ Find the latest how to and support content that IT pros need to evaluate, plan,
The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers.
- These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
+These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
- - [Read more about Windows as a Service](/windows/deployment/update/waas-overview)
+- [Read more about Windows as a Service](/windows/deployment/update/waas-overview)
## Related topics
[Windows 10 TechCenter](https://go.microsoft.com/fwlink/?LinkId=620009)
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
index 5fb663bb6a..be893d7fb9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
@@ -20,7 +20,7 @@ ms.date: 07/27/2017
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment.
-Below, you can find all the infromation you will need to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment:
+Below, you can find all the information you will need to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment:
1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 8999a8a950..7a1ed6b87c 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -14,6 +14,8 @@ metadata:
keywords: protect, company, data, Windows, device, app, management, Microsoft365, e5, e3
+ ms.localizationpriority: high
+
author: brianlic-msft
ms.author: brianlic
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index fdfc93411b..5734a9da08 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -245,7 +245,7 @@
-### [Reference topics for management and configuration tools](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
+### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
#### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
#### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
#### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
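Review bot: The renamed entry keeps the backslash in its link target (`windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md`); since the line is being replaced anyway, switch it to a forward slash, and consider a follow-up for the sibling entries below that use the same form.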
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
index ad3743b16b..09fefe72e5 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender AV reference for management tools
-description: Learn how Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the comman line can be used to manage Windows Defender AV
+title: Manage Windows Defender AV in your business
+description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the comman line to manage Windows Defender AV
keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
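Review bot: The rewritten `description` still contains the typo "comman line"; it should read "command line", and this is the natural place to fix it since the line is being replaced.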
@@ -9,12 +9,12 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 08/26/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 03/01/2018
---
-# Reference topics for management and configuration tools
+# Manage Windows Defender AV in your business
**Applies to:**
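Review bot: `ms.pagetype: security` appears twice in this front matter, once in this hunk's context and once in the previous hunk's context; drop one of them while the metadata block is being edited.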
@@ -24,7 +24,7 @@ ms.date: 08/26/2017
- Enterprise security administrators
-Windows Defender Antivirus can be managed and configured with the following tools:
+You can manage and configure Windows Defender Antivirus with the following tools:
- Group Policy
- System Center Configuration Manager and Microsoft Intune
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
index 817038ca1c..d75309c31b 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
@@ -9,8 +9,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
-author: iaanw
-ms.author: iawilt
+author: andreabichsel
+ms.author: v-anbic
ms.date: 12/12/2017
---
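Review bot: `ms.date` stays at 12/12/2017 here even though the next hunk changes the feature descriptions, whereas the Windows Defender AV page in this patch bumps its date to 03/01/2018 alongside the same author change; update the date here as well. The context line `localizationpriority: medium` also lacks the `ms.` prefix used by the other front matter in this patch (`ms.localizationpriority`), so check whether the key is being picked up.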
@@ -33,10 +33,10 @@ Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrus
There are four features in Windows Defender EG:
-- [Exploit protection](exploit-protection-exploit-guard.md) can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps
-- [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware
-- [Network protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices
-- [Controlled folder access](controlled-folders-exploit-guard.md) helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware
+- [Exploit protection](exploit-protection-exploit-guard.md) can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps. Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV).
+- [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV.
+- [Network protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. Requires Windows Defender AV.
+- [Controlled folder access](controlled-folders-exploit-guard.md) helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV.
You can evaluate each feature of Windows Defender EG with the guides at the following link, which provide pre-built PowerShell scripts and testing tools so you can see the features in action:
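Review bot: "Requires Windows Defender AV." on the last three bullets does not say what state Windows Defender AV must be in, and the first bullet's mention of third-party antivirus makes that the obvious question for an admin who runs one; spell out the requirement (for example, whether real-time protection must be on) or link to a prerequisites section. "Works with third-party antivirus solutions and ..." is also a sentence fragment; "It works with ..." would read better.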
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index fb858f7d9e..b296cc0cdf 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -81,7 +81,7 @@ Additional changes for Windows Hello in Windows 10, version 1607:
### VPN
-- The VPN client can integrate with the Conditional Access Framework, a cloud-pased policy engine built into Azure Active Directory, to provide a device compliance option for remote clients.
+- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients.
- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection.
- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607)
- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins.
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 3b14218ea5..9beb4709cd 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -122,7 +122,7 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10
You can read more about ransomware mitigations and detection capability in Windows Defender Advanced Threat Protection in the blog: [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/).
-Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see (Windows Defender ATP for Windows 10 Creators Update)[https://technet.microsoft.com/en-au/windows/mt782787].
+Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/en-au/windows/mt782787).
### Windows Defender Antivirus
Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
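Review bot: The link syntax is fixed, but the replaced sentence still runs on: "... version 1703 see [Windows Defender ATP for Windows 10 Creators Update]" needs a break before "see", for example "For a quick but in-depth overview of ..., see [...]". The target URL is also pinned to the `en-au` locale; a locale-neutral URL would be preferable if one exists.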
@@ -169,7 +169,7 @@ For Windows Phone devices, an administrator is able to initiate a remote PIN res
For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**.
-For more details, check out [What if I forget my PIN?](/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password#what-if-i-forget-my-pin).
+For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset).
### Windows Information Protection (WIP) and Azure Active Directory (Azure AD)
Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune).
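Review bot: The PIN link now uses the `/windows/security/identity-protection/...` layout, but the Windows Information Protection links in the paragraph just below (`/windows/threat-protection/windows-information-protection/...`) still use the older path; if this patch is the move under `/windows/security`, update those in the same pass or confirm that redirects exist. Also check that `hello-features#pin-reset` covers the forgotten-PIN case the link text "What if I forget my PIN?" promises.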