diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index e929807ac8..8c297f234b 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -167,6 +167,70 @@ ### [Policy CSP](policy-configuration-service-provider.md) #### [Policy DDF file](policy-ddf-file.md) #### [ApplicationRestrictions XSD](applicationrestrictions-xsd.md) +#### [AboveLock](policy-csp-abovelock.md) +#### [Accounts](policy-csp-accounts.md) +#### [ActiveXControls](policy-csp-activexcontrols.md) +#### [ApplicationDefaults](policy-csp-applicationdefaults.md) +#### [ApplicationManagement](policy-csp-applicationmanagement.md) +#### [AppVirtualization](policy-csp-appvirtualization.md) +#### [AttachmentManager](policy-csp-attachmentmanager.md) +#### [Authentication](policy-csp-authentication.md) +#### [Autoplay](policy-csp-autoplay.md) +#### [Bitlocker](policy-csp-bitlocker.md) +#### [Bluetooth](policy-csp-bluetooth.md) +#### [Browser](policy-csp-browser.md) +#### [Camera](policy-csp-camera.md) +#### [Cellular](policy-csp-cellular.md) +#### [Connectivity](policy-csp-connectivity.md) +#### [CredentialProviders](policy-csp-credentialproviders.md) +#### [CredentialsUI](policy-csp-credentialsui.md) +#### [Cryptography](policy-csp-cryptography.md) +#### [DataProtection](policy-csp-dataprotection.md) +#### [DataUsage](policy-csp-datausage.md) +#### [Defender](policy-csp-defender.md) +#### [DeliveryOptimization](policy-csp-deliveryoptimization.md) +#### [Desktop](policy-csp-desktop.md) +#### [DeviceGuard](policy-csp-deviceguard.md) +#### [DeviceInstallation](policy-csp-deviceinstallation.md) +#### [DeviceLock](policy-csp-devicelock.md) +#### [Display](policy-csp-display.md) +#### [EnterpriseCloudPrint](policy-csp-enterprisecloudprint.md) +#### [ErrorReporting](policy-csp-errorreporting.md) +#### [EventLogService](policy-csp-eventlogservice.md) +#### [Experience](policy-csp-experience.md) +#### [Games](policy-csp-games.md) +#### [InternetExplorer](policy-csp-internetexplorer.md) +#### [Kerberos](policy-csp-kerberos.md) +#### [Licensing](policy-csp-licensing.md) +#### [Location](policy-csp-location.md) +#### [LockDown](policy-csp-lockdown.md) +#### [Maps](policy-csp-maps.md) +#### [Messaging](policy-csp-messaging.md) +#### [NetworkIsolation](policy-csp-networkisolation.md) +#### [Notifications](policy-csp-notifications.md) +#### [Power](policy-csp-power.md) +#### [Printers](policy-csp-printers.md) +#### [Privacy](policy-csp-privacy.md) +#### [RemoteAssistance](policy-csp-remoteassistance.md) +#### [RemoteDesktopServices](policy-csp-remotedesktopservices.md) +#### [RemoteManagement](policy-csp-remotemanagement.md) +#### [RemoteProcedureCall](policy-csp-remoteprocedurecall.md) +#### [RemoteShell](policy-csp-remoteshell.md) +#### [Search](policy-csp-search.md) +#### [Security](policy-csp-security.md) +#### [Settings](policy-csp-settings.md) +#### [SmartScreen](policy-csp-smartscreen.md) +#### [Speech](policy-csp-speech.md) +#### [Start](policy-csp-start.md) +#### [Storage](policy-csp-storage.md) +#### [System](policy-csp-system.md) +#### [TextInput](policy-csp-textinput.md) +#### [TimeLanguageSettings](policy-csp-timelanguagesettings.md) +#### [Update](policy-csp-update.md) +#### [Wifi](policy-csp-wifi.md) +#### [WindowsInkWorkspace](policy-csp-windowsinkworkspace.md) +#### [WindowsLogon](policy-csp-windowslogon.md) +#### [WirelessDisplay](policy-csp-wirelessdisplay.md) ### [PolicyManager CSP](policymanager-csp.md) ### [Provisioning CSP](provisioning-csp.md) ### [PROXY CSP](proxy-csp.md) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 85911e3a79..baf0b42bec 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -114,21434 +114,3027 @@ The following diagram shows the Policy configuration service provider in tree fo > [!Note] > The policies supported in Windows 10 S is the same as in Windows 10 Pro, except that policies under AppliationsDefaults are not suppported in Windows 10 S. - -
- -## Policies - - -**AboveLock/AllowActionCenterNotifications** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck markcheck mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - -

Specifies whether to allow Action Center notifications above the device lock screen. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**AboveLock/AllowCortanaAboveLock** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**AboveLock/AllowToasts** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether to allow toast notifications above the device lock screen. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Accounts/AllowAddingNonMicrosoftAccountsManually** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether user is allowed to add non-MSA email accounts. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - -> [!NOTE] -> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the [EMAIL2 CSP](email2-csp.md). - - - - -**Accounts/AllowMicrosoftAccountConnection** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Accounts/AllowMicrosoftAccountSignInAssistant** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service. - -

The following list shows the supported values: - -- 0 – Disabled. -- 1 (default) – Manual start. - - - - -**Accounts/DomainNamesForEmailSync** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies a list of the domains that are allowed to sync email on the device. - -

The data type is a string. - -

The default value is an empty string, which allows all email accounts on the device to sync email. Otherwise, the string should contain a pipe-separated list of domains that are allowed to sync email on the device. For example, "contoso.com|fabrikam.net|woodgrove.gov". - - - - -**ActiveXControls/ApprovedInstallationSites** - - -This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL. - -If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL. - -If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation. - -Note: Wild card characters cannot be used when specifying the host URLs. - - - -ADMX Info: -- GP english name: *Approved Installation Sites for ActiveX Controls* -- GP name: *ApprovedActiveXInstallSites* -- GP path: *Windows Components/ActiveX Installer Service* -- GP ADMX file name: *ActiveXInstallService.admx* - - - - -**AppVirtualization/AllowAppVClient** - - -This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect. - - - -ADMX Info: -- GP english name: *Enable App-V Client* -- GP name: *EnableAppV* -- GP path: *System/App-V* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowDynamicVirtualization** - - -Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls. - - - -ADMX Info: -- GP english name: *Enable Dynamic Virtualization* -- GP name: *Virtualization_JITVEnable* -- GP path: *System/App-V/Virtualization* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowPackageCleanup** - - -Enables automatic cleanup of appv packages that were added after Windows10 anniversary release. - - - -ADMX Info: -- GP english name: *Enable automatic cleanup of unused appv packages* -- GP name: *PackageManagement_AutoCleanupEnable* -- GP path: *System/App-V/Package Management* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowPackageScripts** - - -Enables scripts defined in the package manifest of configuration files that should run. - - - -ADMX Info: -- GP english name: *Enable Package Scripts* -- GP name: *Scripting_Enable_Package_Scripts* -- GP path: *System/App-V/Scripting* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowPublishingRefreshUX** - - -Enables a UX to display to the user when a publishing refresh is performed on the client. - - - -ADMX Info: -- GP english name: *Enable Publishing Refresh UX* -- GP name: *Enable_Publishing_Refresh_UX* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowReportingServer** - - -Reporting Server URL: Displays the URL of reporting server. - -Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM. - -Delay reporting for the random minutes: The maximum minutes of random delay on top of the reporting time. For a busy system, the random delay will help reduce the server load. - -Repeat reporting for every (days): The periodical interval in days for sending the reporting data. - -Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this occurs, and will not be logged again until after the cache has been successfully cleared on transmission and the log has filled up again. - -Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections. - - - -ADMX Info: -- GP english name: *Reporting Server* -- GP name: *Reporting_Server_Policy* -- GP path: *System/App-V/Reporting* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowRoamingFileExclusions** - - -Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'. - - - -ADMX Info: -- GP english name: *Roaming File Exclusions* -- GP name: *Integration_Roaming_File_Exclusions* -- GP path: *System/App-V/Integration* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowRoamingRegistryExclusions** - - -Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients. - - - -ADMX Info: -- GP english name: *Roaming Registry Exclusions* -- GP name: *Integration_Roaming_Registry_Exclusions* -- GP path: *System/App-V/Integration* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowStreamingAutoload** - - -Specifies how new packages should be loaded automatically by App-V on a specific computer. - - - -ADMX Info: -- GP english name: *Specify what to load in background (aka AutoLoad)* -- GP name: *Steaming_Autoload* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/ClientCoexistenceAllowMigrationmode** - - -Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V. - - - -ADMX Info: -- GP english name: *Enable Migration Mode* -- GP name: *Client_Coexistence_Enable_Migration_mode* -- GP path: *System/App-V/Client Coexistence* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/IntegrationAllowRootGlobal** - - -Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration. - - - -ADMX Info: -- GP english name: *Integration Root User* -- GP name: *Integration_Root_User* -- GP path: *System/App-V/Integration* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/IntegrationAllowRootUser** - - -Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration. - - - -ADMX Info: -- GP english name: *Integration Root Global* -- GP name: *Integration_Root_Global* -- GP path: *System/App-V/Integration* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/PublishingAllowServer1** - - -Publishing Server Display Name: Displays the name of publishing server. - -Publishing Server URL: Displays the URL of publishing server. - -Global Publishing Refresh: Enables global publishing refresh (Boolean). - -Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - -Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - -Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - -User Publishing Refresh: Enables user publishing refresh (Boolean). - -User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - -User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - -User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - -ADMX Info: -- GP english name: *Publishing Server 1 Settings* -- GP name: *Publishing_Server1_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/PublishingAllowServer2** - - -Publishing Server Display Name: Displays the name of publishing server. - -Publishing Server URL: Displays the URL of publishing server. - -Global Publishing Refresh: Enables global publishing refresh (Boolean). - -Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - -Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - -Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - -User Publishing Refresh: Enables user publishing refresh (Boolean). - -User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - -User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - -User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - -ADMX Info: -- GP english name: *Publishing Server 2 Settings* -- GP name: *Publishing_Server2_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/PublishingAllowServer3** - - -Publishing Server Display Name: Displays the name of publishing server. - -Publishing Server URL: Displays the URL of publishing server. - -Global Publishing Refresh: Enables global publishing refresh (Boolean). - -Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - -Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - -Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - -User Publishing Refresh: Enables user publishing refresh (Boolean). - -User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - -User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - -User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - -ADMX Info: -- GP english name: *Publishing Server 3 Settings* -- GP name: *Publishing_Server3_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/PublishingAllowServer4** - - -Publishing Server Display Name: Displays the name of publishing server. - -Publishing Server URL: Displays the URL of publishing server. - -Global Publishing Refresh: Enables global publishing refresh (Boolean). - -Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - -Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - -Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - -User Publishing Refresh: Enables user publishing refresh (Boolean). - -User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - -User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - -User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - -ADMX Info: -- GP english name: *Publishing Server 4 Settings* -- GP name: *Publishing_Server4_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/PublishingAllowServer5** - - -Publishing Server Display Name: Displays the name of publishing server. - -Publishing Server URL: Displays the URL of publishing server. - -Global Publishing Refresh: Enables global publishing refresh (Boolean). - -Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - -Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - -Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - -User Publishing Refresh: Enables user publishing refresh (Boolean). - -User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - -User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - -User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - -ADMX Info: -- GP english name: *Publishing Server 5 Settings* -- GP name: *Publishing_Server5_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL** - - -Specifies the path to a valid certificate in the certificate store. - - - -ADMX Info: -- GP english name: *Certificate Filter For Client SSL* -- GP name: *Streaming_Certificate_Filter_For_Client_SSL* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowHighCostLaunch** - - -This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G). - - - -ADMX Info: -- GP english name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection* -- GP name: *Streaming_Allow_High_Cost_Launch* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowLocationProvider** - - -Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. - - - -ADMX Info: -- GP english name: *Location Provider* -- GP name: *Streaming_Location_Provider* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowPackageInstallationRoot** - - -Specifies directory where all new applications and updates will be installed. - - - -ADMX Info: -- GP english name: *Package Installation Root* -- GP name: *Streaming_Package_Installation_Root* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowPackageSourceRoot** - - -Overrides source location for downloading package content. - - - -ADMX Info: -- GP english name: *Package Source Root* -- GP name: *Streaming_Package_Source_Root* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowReestablishmentInterval** - - -Specifies the number of seconds between attempts to reestablish a dropped session. - - - -ADMX Info: -- GP english name: *Reestablishment Interval* -- GP name: *Streaming_Reestablishment_Interval* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowReestablishmentRetries** - - -Specifies the number of times to retry a dropped session. - - - -ADMX Info: -- GP english name: *Reestablishment Retries* -- GP name: *Streaming_Reestablishment_Retries* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingSharedContentStoreMode** - - -Specifies that streamed package contents will be not be saved to the local hard disk. - - - -ADMX Info: -- GP english name: *Shared Content Store (SCS) mode* -- GP name: *Streaming_Shared_Content_Store_Mode* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingSupportBranchCache** - - -If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache - - - -ADMX Info: -- GP english name: *Enable Support for BranchCache* -- GP name: *Streaming_Support_Branch_Cache* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingVerifyCertificateRevocationList** - - -Verifies Server certificate revocation status before streaming using HTTPS. - - - -ADMX Info: -- GP english name: *Verify certificate revocation list* -- GP name: *Streaming_Verify_Certificate_Revocation_List* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/VirtualComponentsAllowList** - - -Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components. - - - -ADMX Info: -- GP english name: *Virtual Component Process Allow List* -- GP name: *Virtualization_JITVAllowList* -- GP path: *System/App-V/Virtualization* -- GP ADMX file name: *appv.admx* - - - - -**ApplicationDefaults/DefaultAssociationsConfiguration** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML. - -

If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied. - -

To create create the SyncML, follow these steps: -

    -
  1. Install a few apps and change your defaults.
    2. -
  2. From an elevated prompt, run "dism /online /export-defaultappassociations:appassoc.xml"
    3. -
  3. Take the XML output and put it through your favorite base64 encoder app.
    4. -
  4. Paste the base64 encoded XML into the SyncML
    5. -
- -

Here is an example output from the dism default association export command: - -``` syntax - - - - - - - -Here is the base64 encoded result: - -``` syntax -PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo= -``` - -

Here is the SyncMl example: - -``` syntax - - - - - 101 - - - chr - text/plain - - - ./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration - - PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo= - - - - - - -``` - - - - -**ApplicationManagement/AllowAllTrustedApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether non Windows Store apps are allowed. - -

The following list shows the supported values: - -- 0 – Explicit deny. -- 1 – Explicit allow unlock. -- 65535 (default) – Not configured. - -

Most restricted value is 0. - - - - -**ApplicationManagement/AllowAppStoreAutoUpdate** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether automatic update of apps from Windows Store are allowed. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**ApplicationManagement/AllowDeveloperUnlock** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether developer unlock is allowed. - -

The following list shows the supported values: - -- 0 – Explicit deny. -- 1 – Explicit allow unlock. -- 65535 (default) – Not configured. - -

Most restricted value is 0. - - - - -**ApplicationManagement/AllowGameDVR** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - -

Specifies whether DVR and broadcasting is allowed. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**ApplicationManagement/AllowSharedUserAppData** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether multiple users of the same app can share data. - -

The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - -

Most restricted value is 0. - - - - -**ApplicationManagement/AllowStore** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck markcheck mark
- - - -

Specifies whether app store is allowed at the device. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**ApplicationManagement/ApplicationRestrictions** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck markcheck mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. - -  -

An XML blob that specifies the application restrictions company want to put to the device. It could be an app allow list, app disallow list, allowed publisher IDs, and so on. For a list of Windows apps and product IDs, see [inbox apps](applocker-csp.md#inboxappsandcomponents). For more information about the XML, see the [ApplicationRestrictions XSD](applicationrestrictions-xsd.md). - -> [!NOTE] -> When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps. -> -> Here's additional guidance for the upgrade process: -> -> - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents). -> - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it. -> - In the SyncML, you must use lowercase product ID. -> - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error. -> - You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents). - - -

An application that is running may not be immediately terminated. - -

Value type is chr. - -

Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies. - - - - -**ApplicationManagement/DisableStoreOriginatedApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcheck mark1check mark1cross markcross mark
- - - -

Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Windows Store that came pre-installed or were downloaded. - -

The following list shows the supported values: - -- 0 (default) – Enable launch of apps. -- 1 – Disable launch of apps. - - - - -**ApplicationManagement/RequirePrivateStoreOnly** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcheck markcheck markcheck markcheck mark
- - - -

Allows disabling of the retail catalog and only enables the Private store. - -> [!IMPORTANT] -> This node must be accessed using the following paths: -> -> - **./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly** to set the policy. -> - **./User/Vendor/MSFT/Policy/Result/ApplicationManagement/RequirePrivateStoreOnly** to get the result. - - -

The following list shows the supported values: - -- 0 (default) – Allow both public and Private store. -- 1 – Only Private store is enabled. - -

This is a per user policy. - -

Most restricted value is 1. - - - - -**ApplicationManagement/RestrictAppDataToSystemVolume** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether application data is restricted to the system drive. - -

The following list shows the supported values: - -- 0 (default) – Not restricted. -- 1 – Restricted. - -

Most restricted value is 1. - - - - -**ApplicationManagement/RestrictAppToSystemVolume** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether the installation of applications is restricted to the system drive. - -

The following list shows the supported values: - -- 0 (default) – Not restricted. -- 1 – Restricted. - -

Most restricted value is 1. - - - - -**AttachmentManager/DoNotPreserveZoneInformation** - - -This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments. - -If you enable this policy setting, Windows does not mark file attachments with their zone information. - -If you disable this policy setting, Windows marks file attachments with their zone information. - -If you do not configure this policy setting, Windows marks file attachments with their zone information. - - - -ADMX Info: -- GP english name: *Do not preserve zone information in file attachments* -- GP name: *AM_MarkZoneOnSavedAtttachments* -- GP path: *Windows Components/Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* - - - - -**AttachmentManager/HideZoneInfoMechanism** - - -This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening. - -If you enable this policy setting, Windows hides the check box and Unblock button. - -If you disable this policy setting, Windows shows the check box and Unblock button. - -If you do not configure this policy setting, Windows hides the check box and Unblock button. - - - -ADMX Info: -- GP english name: *Hide mechanisms to remove zone information* -- GP name: *AM_RemoveZoneInfo* -- GP path: *Windows Components/Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* - - - - -**AttachmentManager/NotifyAntivirusPrograms** - - -This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant. - -If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened. - -If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. - -If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. - - - -ADMX Info: -- GP english name: *Notify antivirus programs when opening attachments* -- GP name: *AM_CallIOfficeAntiVirus* -- GP path: *Windows Components/Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* - - - - -**Authentication/AllowEAPCertSSO** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources. - -> [!IMPORTANT] -> This node must be accessed using the following paths: -> -> - **./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO** to set the policy. -> - **./User/Vendor/MSFT/Policy/Result/Authentication/AllowEAPCertSSO** to get the result. - - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Authentication/AllowFastReconnect** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcheck markcheck mark
- - - -

Allows EAP Fast Reconnect from being attempted for EAP Method TLS. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Authentication/AllowSecondaryAuthenticationDevice** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 – Allowed. - -

The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD). - - - - -**Autoplay/DisallowAutoplayForNonVolumeDevices** - - -This policy setting disallows AutoPlay for MTP devices like cameras or phones. - -If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. - -If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices. - - - -ADMX Info: -- GP english name: *Disallow Autoplay for non-volume devices* -- GP name: *NoAutoplayfornonVolume* -- GP path: *Windows Components/AutoPlay Policies* -- GP ADMX file name: *AutoPlay.admx* - - - - -**Autoplay/SetDefaultAutoRunBehavior** - - -This policy setting sets the default behavior for Autorun commands. - -Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. - -Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. - -This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. - -If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to: - -a) Completely disable autorun commands, or -b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command. - -If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run. - - - -ADMX Info: -- GP english name: *Set the default behavior for AutoRun* -- GP name: *NoAutorun* -- GP path: *Windows Components/AutoPlay Policies* -- GP ADMX file name: *AutoPlay.admx* - - - - -**Autoplay/TurnOffAutoPlay** - - -This policy setting allows you to turn off the Autoplay feature. - -Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately. - -Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives. - -Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices. - -If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives. - -This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default. - -If you disable or do not configure this policy setting, AutoPlay is enabled. - -Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. - - - -ADMX Info: -- GP english name: *Turn off Autoplay* -- GP name: *Autorun* -- GP path: *Windows Components/AutoPlay Policies* -- GP ADMX file name: *AutoPlay.admx* - - - - -**Bitlocker/EncryptionMethod** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies the BitLocker Drive Encryption method and cipher strength. - -> [!NOTE] -> XTS-AES 128-bit and XTS-AES 256-bit values are only supported on Windows 10 for desktop. - -

The following list shows the supported values: - -- 3 - AES-CBC 128-bit -- 4 - AES-CBC 256-bit -- 6 - XTS-AES 128-bit (Desktop only) -- 7 - XTS-AES 256-bit (Desktop only) - - - - -**Bluetooth/AllowAdvertising** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether the device can send out Bluetooth advertisements. - -

The following list shows the supported values: - -- 0 – Not allowed. When set to 0, the device will not send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is not received by the peripheral. -- 1 (default) – Allowed. When set to 1, the device will send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is received by the peripheral. - -

If this is not set or it is deleted, the default value of 1 (Allow) is used. - -

Most restricted value is 0. - - - - -**Bluetooth/AllowDiscoverableMode** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether other Bluetooth-enabled devices can discover the device. - -

The following list shows the supported values: - -- 0 – Not allowed. When set to 0, other devices will not be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that you cannot see the name of the device. -- 1 (default) – Allowed. When set to 1, other devices will be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel and verify that you can discover it. - -

If this is not set or it is deleted, the default value of 1 (Allow) is used. - -

Most restricted value is 0. - - - - -**Bluetooth/AllowPrepairing** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
- - - -

Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default)– Allowed. - - - - -**Bluetooth/LocalDeviceName** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Sets the local Bluetooth device name. - -

If this is set, the value that it is set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that the value that was specified. - -

If this policy is not set or it is deleted, the default local radio name is used. - - - - -**Bluetooth/ServicesAllowedList** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. - -

The default value is an empty string. - - - - -**Browser/AllowAddressBarDropdown** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality.  - -> [!NOTE] -> Disabling this setting turns off the address bar drop-down functionality. Because search suggestions are shown in the drop-down list, this setting takes precedence over the Browser/AllowSearchSuggestionsinAddressBar setting. - -

The following list shows the supported values: - -- 0 – Not allowed. Address bar drop-down is disabled, which also disables the user-defined setting, "Show search and site suggestions as I type."  -- 1 (default) – Allowed. Address bar drop-down is enabled. - -

Most restricted value is 0. - - - - -**Browser/AllowAutofill** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -

Specifies whether autofill on websites is allowed. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - -

To verify AllowAutofill is set to 0 (not allowed): - -1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the setting **Save form entries** is greyed out. - - - - -**Browser/AllowBrowser** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck markcheck mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. - - -

Specifies whether the browser is allowed on the device. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - -

When this policy is set to 0 (not allowed), the Microsoft Edge for Windows 10 Mobile tile will appear greyed out, and clicking on the tile will display a message indicating theat Internet browsing has been disabled by your administrator. - - - - -**Browser/AllowCookies** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether cookies are allowed. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - -

To verify AllowCookies is set to 0 (not allowed): - -1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the setting **Cookies** is greyed out. - - - - -**Browser/AllowDeveloperTools** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

Specifies whether employees can use F12 Developer Tools on Microsoft Edge. Turning this setting on, or not configuring it, lets employees use F12 Developer Tools. Turning this setting off stops employees from using F12 Developer Tools. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Browser/AllowDoNotTrack** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether Do Not Track headers are allowed. - -

The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - -

Most restricted value is 1. - -

To verify AllowDoNotTrack is set to 0 (not allowed): - -1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the setting **Send Do Not Track requests** is greyed out. - - - - -**Browser/AllowExtensions** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -

Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Browser/AllowFlash** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -

Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Browser/AllowFlashClickToRun** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. - -

The following list shows the supported values: - -- 0 – Adobe Flash content is automatically loaded and run by Microsoft Edge. -- 1 (default) – Users must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. - - - - -**Browser/AllowInPrivate** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether InPrivate browsing is allowed on corporate networks. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Browser/AllowMicrosoftCompatibilityList** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly. -By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat". - -

If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the compatibility list from Microsoft, applying the updates during browser navigation. Visiting any site on the compatibility list prompts the employee to use Internet Explorer 11 (or enables/disables certain browser features on mobile), where the site is automatically rendered as though it’s run in the version of Internet Explorer necessary for it to display properly. If you disable this setting, the compatibility list isn’t used during browser navigation. - -

The following list shows the supported values: - -- 0 – Not enabled. -- 1 (default) – Enabled. - -

Most restricted value is 0. - - - - -**Browser/AllowPasswordManager** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether saving and managing passwords locally on the device is allowed. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - -

To verify AllowPasswordManager is set to 0 (not allowed): - -1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out. - - - - -**Browser/AllowPopups** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -

Specifies whether pop-up blocker is allowed or enabled. - -

The following list shows the supported values: - -- 0 (default) – Pop-up blocker is not allowed. It means that pop-up browser windows are allowed. -- 1 – Pop-up blocker is allowed or enabled. It means that pop-up browser windows are blocked. - -

Most restricted value is 1. - -

To verify AllowPopups is set to 0 (not allowed): - -1. Open Microsoft Edge. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the setting **Block pop-ups** is greyed out. - - - - -**Browser/AllowSearchEngineCustomization** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine.  -   -

If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge settings. If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. This policy applies only on domain-joined machines or when the device is MDM-enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy).  - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Browser/AllowSearchSuggestionsinAddressBar** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether search suggestions are allowed in the address bar. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Browser/AllowSmartScreen** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether Windows Defender SmartScreen is allowed. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 1. - -

To verify AllowSmartScreen is set to 0 (not allowed): - -1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out. - - - - -**Browser/ClearBrowsingDataOnExit** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge. - -

The following list shows the supported values: - -- 0 – (default) Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings. -- 1 – Browsing data is cleared on exit. - -

Most restricted value is 1. - -

To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1): - -1. Open Microsoft Edge and browse to websites. -2. Close the Microsoft Edge window. -3. Open Microsoft Edge and start typing the same URL in address bar. Verify that it does not auto-complete from history. - - - - -**Browser/ConfigureAdditionalSearchEngines** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices.  -  -

If this policy is enabled, you can add up to 5 additional search engines for your employees. For each additional search engine you want to add, specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). -Employees cannot remove these search engines, but they can set any one as the default. This setting does not affect the default search engine.  - -

If this setting is not configured, the search engines used are the ones that are specified in the App settings. If this setting is disabled, the search engines you added will be deleted from your employee's machine. -  -> [!IMPORTANT] -> Due to Protected Settings (aka.ms/browserpolicy), this setting will apply only on domain-joined machines or when the device is MDM-enrolled.  - -

The following list shows the supported values: - -- 0 (default) – Additional search engines are not allowed. -- 1 – Additional search engines are allowed. - -

Most restricted value is 0. - - - - -**Browser/DisableLockdownOfStartPages** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect.  -   -> [!NOTE] -> This policy has no effect when the Browser/HomePages policy is not configured.  -  -> [!IMPORTANT] -> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy). - -

The following list shows the supported values: - -- 0 (default) – Enable lockdown of the Start pages according to the settings specified in the Browser/HomePages policy. Users cannot change the Start pages.  -- 1 – Disable lockdown of the Start pages and allow users to modify them.   - -

Most restricted value is 0. - - - - -**Browser/EnterpriseModeSiteList** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcheck markcheck mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -  -

Allows the user to specify an URL of an enterprise site list. - -

The following list shows the supported values: - -- Not configured. The device checks for updates from Microsoft Update. -- Set to a URL location of the enterprise site list. - - - - -**Browser/EnterpriseSiteListServiceUrl** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcheck markcheck mark
- - - -> [!IMPORTANT] -> This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist). - - - - -**Browser/FirstRunURL** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck markcheck mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - - -

Specifies the URL that Microsoft Edge for Windows 10 Mobile. will use when it is opened the first time. - -

The data type is a string. - -

The default value is an empty string. Otherwise, the string should contain the URL of the webpage users will see the first time Microsoft Edge is run. For example, “contoso.com”. - - - - -**Browser/HomePages** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile. - -

Specifies your Start pages for MDM-enrolled devices. Turning this setting on lets you configure one or more corporate Start pages. If this setting is turned on, you must also include URLs to the pages, separating multiple pages by using the XML-escaped characters **<** and **>**. For example, "<support.contoso.com><support.microsoft.com>" - -

Starting in Windows 10, version 1607, this policy will be enforced so that the Start pages specified by this policy cannot be changed by the users. - -

Starting in Windows 10, version 1703, if you don’t want to send traffic to Microsoft, you can use the "<about:blank>" value, which is honored for both domain- and non-domain-joined machines, when it’s the only configured URL.  - -> [!NOTE] -> Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings. - - - - -**Browser/PreventAccessToAboutFlagsInMicrosoftEdge** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -

Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features. - -

The following list shows the supported values: - -- 0 (default) – Users can access the about:flags page in Microsoft Edge. -- 1 – Users can't access the about:flags page in Microsoft Edge. - - - - -**Browser/PreventFirstRunPage** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening. - -

The following list shows the supported values: - -- 0 (default) – Employees see the First Run webpage. -- 1 – Employees don't see the First Run webpage. - -

Most restricted value is 1. - - - - -**Browser/PreventLiveTileDataCollection** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. - -

The following list shows the supported values: - -- 0 (default) – Microsoft servers will be contacted if a site is pinned to Start from Microsoft Edge. -- 1 – Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge. - -

Most restricted value is 1. - - - - -**Browser/PreventSmartScreenPromptOverride** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. - -

The following list shows the supported values: - -- 0 (default) – Off. -- 1 – On. - -

Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site. - - - - -**Browser/PreventSmartScreenPromptOverrideForFiles** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process. - -

The following list shows the supported values: - -- 0 (default) – Off. -- 1 – On. - - - - -**Browser/PreventUsingLocalHostIPAddressForWebRTC** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

Specifies whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. Turning this setting on hides an user’s localhost IP address while making phone calls using WebRTC. Turning this setting off, or not configuring it, shows an

user’s localhost IP address while making phone calls using WebRTC. - -

The following list shows the supported values: - -- 0 (default) – The localhost IP address is shown. -- 1 – The localhost IP address is hidden. - - - - -**Browser/SendIntranetTraffictoInternetExplorer** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

Specifies whether to send intranet traffic over to Internet Explorer. - -

The following list shows the supported values: - -- 0 (default) – Intranet traffic is sent to Internet Explorer. -- 1 – Intranet traffic is sent to Microsoft Edge. - -

Most restricted value is 0. - - - - -**Browser/SetDefaultSearchEngine** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy. - -

You must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). If you want your employees to use the Microsoft Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; otherwise, if you want your employees to use Bing as the default search engine, set the string EDGEBING.  -  -

If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market.    -  -> [!IMPORTANT] -> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy). - -

The following list shows the supported values: - -- 0 (default) - The default search engine is set to the one specified in App settings. -- 1 - Allows you to configure the default search engine for your employees. - -

Most restricted value is 0. - - - - -**Browser/ShowMessageWhenOpeningSitesInInternetExplorer** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

Added in Windows 10, version 1607. Specifies whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List. - -

The following list shows the supported values: - -- 0 (default) – Interstitial pages are not shown. -- 1 – Interstitial pages are shown. - -

Most restricted value is 0. - - - - -**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -> -> Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices. - -

The following list shows the supported values: - -- 0 (default) – Synchronization is off. -- 1 – Synchronization is on. - -

To verify that favorites are in synchronized between Internet Explorer and Microsoft Edge: - -

    -
  1. Open Internet Explorer and add some favorites. -
  2. Open Microsoft Edge, then select Hub > Favorites. -
  3. Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge. -
- - - - -**Camera/AllowCamera** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Disables or enables the camera. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Connectivity/AllowBluetooth** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Allows the user to enable Bluetooth or restrict access. - -

The following list shows the supported values: - -- 0 – Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be greyed out and the user will not be able to turn Bluetooth on. -- 1 – Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. - -> [!NOTE] ->  This value is not supported in Windows Phone 8.1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile. - -- 2 (default) – Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. - -

If this is not set or it is deleted, the default value of 2 (Allow) is used. - -

Most restricted value is 0. - - - - -**Connectivity/AllowCellularData** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck markcheck mark
- - - -

Allows the cellular data channel on the device. Device reboot is not required to enforce the policy. - -

The following list shows the supported values: - -- 0 – Do not allow the cellular data channel. The user can turn it on. This value is not supported in Windows 10, version 1511. -- 1 (default) – Allow the cellular data channel. The user can turn it off. -- 2 - Allow the cellular data channel. The user cannot turn it off. - - - - -**Connectivity/AllowCellularDataRoaming** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy. - -

The following list shows the supported values: - -- 0 – Do not allow cellular data roaming. The user can turn it on. This value is not supported in Windows 10, version 1511. -- 1 (default) – Allow cellular data roaming. -- 2 - Allow cellular data roaming on. The user cannot turn it off. - -

Most restricted value is 0. - -

To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy. - -

To validate on mobile devices, do the following: - -1. Go to Cellular & SIM. -2. Click on the SIM (next to the signal strength icon) and select **Properties**. -3. On the Properties page, select **Data roaming options**. - - - - -**Connectivity/AllowConnectedDevices** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark2check mark2check mark2check mark2check mark2check mark2check mark2
- - - -> [!NOTE] -> This policy requires reboot to take effect. - -

Added in Windows 10, version 1703. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. - -

The following list shows the supported values: - -- 1 (default) - Allow (CDP service available). -- 0 - Disable (CDP service not available). - - - - -**Connectivity/AllowNFC** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck markcheck mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - - -

Allows or disallows near field communication (NFC) on the device. - -

The following list shows the supported values: - -- 0 – Do not allow NFC capabilities. -- 1 (default) – Allow NFC capabilities. - -

Most restricted value is 0. - - - - -**Connectivity/AllowUSBConnection** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck markcheck mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - - -

Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. - -

Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Connectivity/AllowVPNOverCellular** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies what type of underlying connections VPN is allowed to use. - -

The following list shows the supported values: - -- 0 – VPN is not allowed over cellular. -- 1 (default) – VPN can use any connection, including cellular. - -

Most restricted value is 0. - - - - -**Connectivity/AllowVPNRoamingOverCellular** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Prevents the device from connecting to VPN when the device roams over cellular networks. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Connectivity/HardenedUNCPaths** - - -This policy setting configures secure access to UNC paths. - -If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. - - - -ADMX Info: -- GP english name: *Hardened UNC Paths* -- GP name: *Pol_HardenedPaths* -- GP path: *Network/Network Provider* -- GP ADMX file name: *networkprovider.admx* - - - - -**CredentialProviders/AllowPINLogon** - - -This policy setting allows you to control whether a domain user can sign in using a convenience PIN. - -If you enable this policy setting, a domain user can set up and sign in with a convenience PIN. - -If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN. - -Note: The user's domain password will be cached in the system vault when using this feature. - -To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business. - - - -ADMX Info: -- GP english name: *Turn on convenience PIN sign-in* -- GP name: *AllowDomainPINLogon* -- GP path: *System/Logon* -- GP ADMX file name: *credentialproviders.admx* - - - - -**CredentialProviders/BlockPicturePassword** - - -This policy setting allows you to control whether a domain user can sign in using a picture password. - -If you enable this policy setting, a domain user can't set up or sign in with a picture password. - -If you disable or don't configure this policy setting, a domain user can set up and use a picture password. - -Note that the user's domain password will be cached in the system vault when using this feature. - - - -ADMX Info: -- GP english name: *Turn off picture password sign-in* -- GP name: *BlockDomainPicturePassword* -- GP path: *System/Logon* -- GP ADMX file name: *credentialproviders.admx* - - - - -**CredentialProviders/EnableWindowsAutoPilotResetCredentials** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
- - - -Added in Windows 10, version 1709. Boolean policy to enable the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. When the policy is enabled, a WNF notification is generated that would schedule a task to update the visibility of the new provider. The admin user is required to authenticate to trigger the refresh on the target device. - -The auto pilot reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the auto pilot reset is triggered the devices are for ready for use by information workers or students. - -Default value is 0. - - - - -**CredentialsUI/DisablePasswordReveal** - - -This policy setting allows you to configure the display of the password reveal button in password entry user experiences. - -If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box. - -If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box. - -By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button. - -The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer. - - - -ADMX Info: -- GP english name: *Do not display the password reveal button* -- GP name: *DisablePasswordReveal* -- GP path: *Windows Components/Credential User Interface* -- GP ADMX file name: *credui.admx* - - - - -**CredentialsUI/EnumerateAdministrators** - - -This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. - -If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. - -If you disable this policy setting, users will always be required to type a user name and password to elevate. - - - -ADMX Info: -- GP english name: *Enumerate administrator accounts on elevation* -- GP name: *EnumerateAdministrators* -- GP path: *Windows Components/Credential User Interface* -- GP ADMX file name: *credui.admx* - - - - -**Cryptography/AllowFipsAlgorithmPolicy** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Allows or disallows the Federal Information Processing Standard (FIPS) policy. - -

The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1– Allowed. - - - - -**Cryptography/TLSCipherSuites** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. - - - - -**DataProtection/AllowDirectMemoryAccess** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**DataProtection/LegacySelectiveWipeID** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!IMPORTANT] -> This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. - -  -

Setting used by Windows 8.1 Selective Wipe. - -> [!NOTE] -> This policy is not recommended for use in Windows 10. - - - - -**DataUsage/SetCost3G** - - -This policy setting configures the cost of 3G connections on the local machine. - -If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine: - -- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. - -- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. - -- Variable: This connection is costed on a per byte basis. - -If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. - - - -ADMX Info: -- GP english name: *Set 3G Cost* -- GP name: *SetCost3G* -- GP path: *Network/WWAN Service/WWAN Media Cost* -- GP ADMX file name: *wwansvc.admx* - - - - -**DataUsage/SetCost4G** - - -This policy setting configures the cost of 4G connections on the local machine. - -If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine: - -- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. - -- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. - -- Variable: This connection is costed on a per byte basis. - -If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. - - - -ADMX Info: -- GP english name: *Set 4G Cost* -- GP name: *SetCost4G* -- GP path: *Network/WWAN Service/WWAN Media Cost* -- GP ADMX file name: *wwansvc.admx* - - - - -**Defender/AllowArchiveScanning** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

Allows or disallows scanning of archives. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AllowBehaviorMonitoring** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -  -

Allows or disallows Windows Defender Behavior Monitoring functionality. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AllowCloudProtection** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AllowEmailScanning** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

Allows or disallows scanning of email. - -

The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - - - - -**Defender/AllowFullScanOnMappedNetworkDrives** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

Allows or disallows a full scan of mapped network drives. - -

The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - - - - -**Defender/AllowFullScanRemovableDriveScanning** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

Allows or disallows a full scan of removable drives. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AllowIOAVProtection** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -  -

Allows or disallows Windows Defender IOAVP Protection functionality. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AllowIntrusionPreventionSystem** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

Allows or disallows Windows Defender Intrusion Prevention functionality. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AllowOnAccessProtection** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

Allows or disallows Windows Defender On Access Protection functionality. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AllowRealtimeMonitoring** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

Allows or disallows Windows Defender Realtime Monitoring functionality. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AllowScanningNetworkFiles** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -  -

Allows or disallows a scanning of network files. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AllowScriptScanning** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

Allows or disallows Windows Defender Script Scanning functionality. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AllowUserUIAccess** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - - -**Defender/AttackSurfaceReductionRules** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

Added in Windows 10, version 1709. This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule. - -Value type is string. - - - - - -**Defender/AttackSurfaceReductionOnlyExclusions** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

Added in Windows 10, version 1709. This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe".. - -Value type is string. - - - - - -**Defender/AvgCPULoadFactor** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -  -

Represents the average CPU load factor for the Windows Defender scan (in percent). - -

Valid values: 0–100 - -

The default value is 50. - - - - - -**Defender/CloudBlockLevel** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

Added in Windows 10, version 1709. This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. - -

If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. - -p

For more information about specific values that are supported, see the Windows Defender Antivirus documentation site. -      -> [!Note] -> This feature requires the "Join Microsoft MAPS" setting enabled in order to function. - -

Possible options are: - -- (0x0) Default windows defender blocking level -- (0x2) High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives)       -- (0x4) High+ blocking level – aggressively block unknowns and apply additional protection measures (may impact  client performance) -- (0x6) Zero tolerance blocking level – block all unknown executables - - - - - -**Defender/CloudExtendedTimeout** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -

Added in Windows 10, version 1709. This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. - -

The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. - -

For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds. - -> [!Note] -> This feature depends on three other MAPS settings the must all be enabled- "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required". - - - - -**Defender/DaysToRetainCleanedMalware** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -  -

Time period (in days) that quarantine items will be stored on the system. - -

Valid values: 0–90 - -

The default value is 0, which keeps items in quarantine, and does not automatically remove them. - - - - - -**Defender/EnableGuardMyFolders** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -

Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. - -- 0 (default) - Off -- 1 - Audit mode -- 2 - Enforcement mode - - - - - -**Defender/EnableNetworkProtection** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -

Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off in Windows Defender Exploit Guard. Network protection is a feature of Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. - -

If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit. -

If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center. -

If you enable this policy with the ""Audit"" option, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Windows Defender Security Center. -

If you disable this policy, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Windows Defender Security Center. -

If you do not configure this policy, network blocking will be disabled by default. - -

Valid values: - -- 0 (default) - Disabled -- 1 - Enabled (block mode) -- 2 - Enabled (audit mode) - - - - - -**Defender/ExcludedExtensions** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -  -

Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj". - - - - -**Defender/ExcludedPaths** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1". - - - - -**Defender/ExcludedProcesses** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

Allows an administrator to specify a list of files opened by processes to ignore during a scan. - -> [!IMPORTANT] -> The process itself is not excluded from the scan, but can be by using the **Defender/ExcludedPaths** policy to exclude its path. - -  -

Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe". - - - - - -**Defender/GuardedFoldersAllowedApplications** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -

Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the Unicode  as the substring separator. - - - - - -**Defender/GuardedFoldersList** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -

Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the Unicode  as the substring separator. - - - - - -**Defender/PUAProtection** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer. - -

The following list shows the supported values: - -- 0 (default) – PUA Protection off. Windows Defender will not protect against potentially unwanted applications. -- 1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats. -- 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer. - - - - -**Defender/RealTimeScanDirection** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

Controls which sets of files should be monitored. - -> [!NOTE] -> If **AllowOnAccessProtection** is not allowed, then this configuration can be used to monitor specific files. - - -

The following list shows the supported values: - -- 0 (default) – Monitor all files (bi-directional). -- 1 – Monitor incoming files. -- 2 – Monitor outgoing files. - - - - -**Defender/ScanParameter** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

Selects whether to perform a quick scan or full scan. - -

The following list shows the supported values: - -- 1 (default) – Quick scan -- 2 – Full scan - - - - -**Defender/ScheduleQuickScanTime** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -  -

Selects the time of day that the Windows Defender quick scan should run. - -> [!NOTE] -> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. - -  -

Valid values: 0–1380 - -

For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM. - -

The default value is 120 - - - - -**Defender/ScheduleScanDay** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

Selects the day that the Windows Defender scan should run. - -> [!NOTE] -> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. - - -

The following list shows the supported values: - -- 0 (default) – Every day -- 1 – Monday -- 2 – Tuesday -- 3 – Wednesday -- 4 – Thursday -- 5 – Friday -- 6 – Saturday -- 7 – Sunday -- 8 – No scheduled scan - - - - -**Defender/ScheduleScanTime** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

Selects the time of day that the Windows Defender scan should run. - -> [!NOTE] -> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. - - -

Valid values: 0–1380. - -

For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM. - -

The default value is 120. - - - - -**Defender/SignatureUpdateInterval** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -  -

Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. - -

Valid values: 0–24. - -

A value of 0 means no check for new signatures, a value of 1 means to check every hour, a value of 2 means to check every two hours, and so on, up to a value of 24, which means to check every day. - -

The default value is 8. - - - - -**Defender/SubmitSamplesConsent** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -  -

Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not, (and if the user has specified never to ask), the UI is launched to ask for user consent (when **Defender/AllowCloudProtection** is allowed) before sending data. - -

The following list shows the supported values: - -- 0 – Always prompt. -- 1 (default) – Send safe samples automatically. -- 2 – Never send. -- 3 – Send all samples automatically. - - - - -**Defender/ThreatSeverityDefaultAction** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. -  - -

Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. - -

This value is a list of threat severity level IDs and corresponding actions, separated by a**|** using the format "*threat level*=*action*|*threat level*=*action*". For example "1=6|2=2|4=10|5=3 - -

The following list shows the supported values for threat severity levels: - -- 1 – Low severity threats -- 2 – Moderate severity threats -- 4 – High severity threats -- 5 – Severe threats - -

The following list shows the supported values for possible actions: - -- 1 – Clean -- 2 – Quarantine -- 3 – Remove -- 6 – Allow -- 8 – User defined -- 10 – Block - - - - -**DeliveryOptimization/DOAbsoluteMaxCacheSize** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

Added in Windows 10, version 1607. Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space. - -

The default value is 10. - - - - -**DeliveryOptimization/DOAllowVPNPeerCaching** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. - -

The default value is 0 (FALSE). - - - - -**DeliveryOptimization/DODownloadMode** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. - -

The following list shows the supported values: - -- 0 –HTTP only, no peering. -- 1 (default) – HTTP blended with peering behind the same NAT. -- 2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. -- 3 – HTTP blended with Internet peering. -- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. -- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. - - - - -**DeliveryOptimization/DOGroupId** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

This Policy specifies an arbitrary group ID that the device belongs to. Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. Note that this is a best effort optimization and should not be relied on for an authentication of identity. - -> [!NOTE] -> You must use a GUID as the group ID. - - - - -**DeliveryOptimization/DOMaxCacheAge** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607. - -

The default value is 259200 seconds (3 days). - - - - -**DeliveryOptimization/DOMaxCacheSize** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - -  -

Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). - -

The default value is 20. - - - - -**DeliveryOptimization/DOMaxDownloadBandwidth** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -  - -

Added in Windows 10, version 1607. Specifies the maximum download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. - -

The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. - - - - -**DeliveryOptimization/DOMaxUploadBandwidth** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - -  -

Specifies the maximum upload bandwidth in KiloBytes/second that a device will use across all concurrent upload activity using Delivery Optimization. - -

The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth). - - - - -**DeliveryOptimization/DOMinBackgroundQos** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

Added in Windows 10, version 1607. Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. - -

The default value is 500. - - - - -**DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. - -

Added in Windows 10, version 1703. Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery. - -

The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used. - - - - -**DeliveryOptimization/DOMinDiskSizeAllowedToPeer** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. Recommended values: 64 GB to 256 GB. - -> [!NOTE] -> If the DOMofidyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy. - -

The default value is 32 GB. - - - - -**DeliveryOptimization/DOMinFileSizeToCache** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. The value 0 means "unlimited" which means the cloud service set default value will be used. Recommended values: 1 MB to 100,000 MB. - -

The default value is 100 MB. - - - - -**DeliveryOptimization/DOMinRAMAllowedToPeer** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. - -

The default value is 4 GB. - - - - -**DeliveryOptimization/DOModifyCacheDrive** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

Added in Windows 10, version 1607. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path. - -

By default, %SystemDrive% is used to store the cache. - - - - -**DeliveryOptimization/DOMonthlyUploadDataCap** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

Added in Windows 10, version 1607. Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. - -

The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set. - -

The default value is 20. - - - - -**DeliveryOptimization/DOPercentageMaxDownloadBandwidth** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - -  -

Added in Windows 10, version 1607. Specifies the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. - -

The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. - - - - -**Desktop/PreventUserRedirectionOfProfileFolders** - - -Prevents users from changing the path to their profile folders. - -By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box. - -If you enable this setting, users are unable to type a new location in the Target box. - - - -ADMX Info: -- GP english name: *Prohibit User from manually redirecting Profile Folders* -- GP name: *DisablePersonalDirChange* -- GP path: *Desktop* -- GP ADMX file name: *desktop.admx* - - - - - -**DeviceGuard/EnableVirtualizationBasedSecurity** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcheck mark3check mark3cross markcross mark
- - - -  -

Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. Supported values: -

- - - - - -**DeviceGuard/RequirePlatformSecurityFeatures** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcheck mark3check mark3cross markcross mark
- - -Added in Windows 10, version 1709. Specifies the platform security level at the next reboot. Value type is integer. Supported values: - -  -

- - - - - -**DeviceGuard/LsaCfgFlags** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcheck mark3check mark3cross markcross mark
- - - -  -

Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. Supported values: -

- - - - - -**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs** - - -This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. - -If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. - -If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. - - - -ADMX Info: -- GP english name: *Prevent installation of devices that match any of these device IDs* -- GP name: *DeviceInstall_IDs_Deny* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* - - - - -**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses** - - -This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. - -If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. - -If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. - - - -ADMX Info: -- GP english name: *Prevent installation of devices using drivers that match these device setup classes* -- GP name: *DeviceInstall_Classes_Deny* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* - - - - -**DeviceLock/AllowIdleReturnWithoutPassword** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck markcheck mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - -  -

Specifies whether the user must input a PIN or password when the device resumes from an idle state. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - -  -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck markcheck mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - -  -

Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -

The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - -> [!IMPORTANT] -> If this policy is set to 1 (Allowed), the value set by **DeviceLock/ScreenTimeOutWhileLocked** is ignored. To ensure enterprise control over the screen timeout, set this policy to 0 (Not allowed) and use **DeviceLock/ScreenTimeOutWhileLocked** to set the screen timeout period. - - - - -**DeviceLock/AllowSimpleDevicePassword** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - -**DeviceLock/AlphanumericDevicePasswordRequired** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcheck markcheck mark
- - - -

Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required). - -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education). - - -

The following list shows the supported values: - -- 0 – Alphanumeric PIN or password required. -- 1 – Numeric PIN or password required. -- 2 (default) – Users can choose: Numeric PIN or password, or Alphanumeric PIN or password. - -> [!NOTE] -> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1. -> -> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2. - -  - - - - -**DeviceLock/DevicePasswordEnabled** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether device lock is enabled. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. -  - -

The following list shows the supported values: - -- 0 (default) – Enabled -- 1 – Disabled - -> [!IMPORTANT] -> The **DevicePasswordEnabled** setting must be set to 0 (device password is enabled) for the following policy settings to take effect: -> -> - AllowSimpleDevicePassword -> - MinDevicePasswordLength -> - AlphanumericDevicePasswordRequired -> - MaxDevicePasswordFailedAttempts -> - MaxInactivityTimeDeviceLock -> - MinDevicePasswordComplexCharacters -  - -> [!IMPORTANT] -> If **DevicePasswordEnabled** is set to 0 (device password is enabled), then the following policies are set: -> -> - MinDevicePasswordLength is set to 4 -> - MinDevicePasswordComplexCharacters is set to 1 -> -> If **DevicePasswordEnabled** is set to 1 (device password is disabled), then the following DeviceLock policies are set to 0: -> -> - MinDevicePasswordLength -> - MinDevicePasswordComplexCharacters - -> [!Important] -> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below: -> - **DevicePasswordEnabled** is the parent policy of the following: -> - AllowSimpleDevicePassword -> - MinDevicePasswordLength -> - AlphanumericDevicePasswordRequired -> - MinDevicePasswordComplexCharacters  -> - DevicePasswordExpiration -> - DevicePasswordHistory -> - MaxDevicePasswordFailedAttempts -> - MaxInactivityTimeDeviceLock - - - - -**DeviceLock/DevicePasswordExpiration** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies when the password expires (in days). - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -

The following list shows the supported values: - -- An integer X where 0 <= X <= 730. -- 0 (default) - Passwords do not expire. - -

If all policy values = 0 then 0; otherwise, Min policy value is the most secure value. - -

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - -**DeviceLock/DevicePasswordHistory** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies how many passwords can be stored in the history that can’t be used. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -

The following list shows the supported values: - -- An integer X where 0 <= X <= 50. -- 0 (default) - -

The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords. - -

Max policy value is the most restricted. - -

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - -**DeviceLock/EnforceLockScreenAndLogonImage** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcheck mark1check mark1cross markcross mark
- - - -

Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. - -> [!NOTE] -> This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro. - - -

Value type is a string, which is the full image filepath and filename. - - - - -**DeviceLock/EnforceLockScreenProvider** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck mark1check mark1
- - - -

Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider. - -> [!NOTE] -> This policy is only enforced in Windows 10 for mobile devices. - - -

Value type is a string, which is the AppID. - - - - -**DeviceLock/MaxDevicePasswordFailedAttempts** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcheck markcheck mark
- - - -The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -

This policy has different behaviors on the mobile device and desktop. - -- On a mobile device, when the user reaches the value set by this policy, then the device is wiped. -- On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced. - - Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. - -

The following list shows the supported values: - -- An integer X where 4 <= X <= 16 for desktop and 0 <= X <= 999 for mobile devices. -- 0 (default) - The device is never wiped after an incorrect PIN or password is entered. - -

Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. - -

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - -**DeviceLock/MaxInactivityTimeDeviceLock** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -

The following list shows the supported values: - -- An integer X where 0 <= X <= 999. -- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined." - -

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - -**DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcross markcheck mark2check mark2
- - - -

Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -

The following list shows the supported values: - -- An integer X where 0 <= X <= 999. -- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined." - - - - -**DeviceLock/MinDevicePasswordComplexCharacters** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcheck markcheck mark
- - - -

The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. - -

PIN enforces the following behavior for desktop and mobile devices: - -- 1 - Digits only -- 2 - Digits and lowercase letters are required -- 3 - Digits, lowercase letters, and uppercase letters are required -- 4 - Digits, lowercase letters, uppercase letters, and special characters are required - -

The default value is 1. The following list shows the supported values and actual enforced values: - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account TypeSupported ValuesActual Enforced Values

Mobile

1,2,3,4

Same as the value set

Desktop Local Accounts

1,2,3

3

Desktop Microsoft Accounts

1,2

Desktop Domain Accounts

Not supported

Not supported

- - -

Enforced values for Local and Microsoft Accounts: - -- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3. -- Passwords for local accounts must meet the following minimum requirements: - - - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters - - Be at least six characters in length - - Contain characters from three of the following four categories: - - - English uppercase characters (A through Z) - - English lowercase characters (a through z) - - Base 10 digits (0 through 9) - - Special characters (!, $, \#, %, etc.) - -

The enforcement of policies for Microsoft accounts happen on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant. - -

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). - - - - -**DeviceLock/MinDevicePasswordLength** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies the minimum number or characters required in the PIN or password. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. - - -

The following list shows the supported values: - -- An integer X where 4 <= X <= 16 for mobile devices and desktop. However, local accounts will always enforce a minimum password length of 6. -- Not enforced. -- The default value is 4 for mobile devices and desktop devices. - -

Max policy value is the most restricted. - -

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). - - - - -**DeviceLock/PreventLockScreenSlideShow** - - -Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. - -By default, users can enable a slide show that will run after they lock the machine. - -If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start. - - - -ADMX Info: -- GP english name: *Prevent enabling lock screen slide show* -- GP name: *CPL_Personalization_NoLockScreenSlideshow* -- GP path: *Control Panel/Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* - - - - -**DeviceLock/ScreenTimeoutWhileLocked** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck markcheck mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. -  -

Allows an enterprise to set the duration in seconds for the screen timeout while on the lock screen of Windows 10 Mobile devices. - -

Minimum supported value is 10. - -

Maximum supported value is 1800. - -

The default value is 10. - -

Most restricted value is 0. - - - - -**Display/TurnOffGdiDPIScalingForApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
- - - -

GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. - -

This policy setting lets you specify legacy applications that have GDI DPI Scaling turned off. - -

If you enable this policy setting, GDI DPI Scaling is turned off for all applications in the list, even if they are enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest. - -

If you disable or do not configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications. - -

If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off. - -

To validate on Desktop, do the following: - -1. Configure the setting for an app which has GDI DPI scaling enabled via MDM or any other supported mechanisms. -2. Run the app and observe blurry text. - - - - -**Display/TurnOnGdiDPIScalingForApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
- - - -

GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. - -

This policy setting lets you specify legacy applications that have GDI DPI Scaling turned on. - -

If you enable this policy setting, GDI DPI Scaling is turned on for all legacy applications in the list. - -

If you disable or do not configure this policy setting, GDI DPI Scaling will not be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest. - -

If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off. - -

To validate on Desktop, do the following: - -1. Configure the setting for an app which uses GDI. -2. Run the app and observe crisp text. - - - - -**EnterpriseCloudPrint/CloudPrintOAuthAuthority** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. - -

The datatype is a string. - -

The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://azuretenant.contoso.com/adfs". - - - - -**EnterpriseCloudPrint/CloudPrintOAuthClientId** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. - -

The datatype is a string. - -

The default value is an empty string. Otherwise, the value should contain a GUID. For example, "E1CF1107-FF90-4228-93BF-26052DD2C714". - - - - -**EnterpriseCloudPrint/CloudPrintResourceId** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. - -

The datatype is a string. - -

The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MicrosoftEnterpriseCloudPrint/CloudPrint". - - - - -**EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. - -

The datatype is a string. - -

The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://cloudprinterdiscovery.contoso.com". - - - - -**EnterpriseCloudPrint/DiscoveryMaxPrinterLimit** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcross markcheck mark2check mark2
- - - -

Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. - -

The datatype is an integer. - -

For Windows Mobile, the default value is 20. - - - - -**EnterpriseCloudPrint/MopriaDiscoveryResourceId** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. - -

The datatype is a string. - -

The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MopriaDiscoveryService/CloudPrint". - - - - -**ErrorReporting/CustomizeConsentSettings** - - -This policy setting determines the consent behavior of Windows Error Reporting for specific event types. - -If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. - -- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. - -- 1 (Always ask before sending data): Windows prompts the user for consent to send reports. - -- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft. - -- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft. - -- 4 (Send all data): Any data requested by Microsoft is sent automatically. - -If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. - - - -ADMX Info: -- GP english name: *Customize consent settings* -- GP name: *WerConsentCustomize_2* -- GP path: *Windows Components/Windows Error Reporting/Consent* -- GP ADMX file name: *ErrorReporting.admx* - - - - -**ErrorReporting/DisableWindowsErrorReporting** - - -This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. - -If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. - -If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. - - - -ADMX Info: -- GP english name: *Disable Windows Error Reporting* -- GP name: *WerDisable_2* -- GP path: *Windows Components/Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* - - - - -**ErrorReporting/DisplayErrorNotification** - - -This policy setting controls whether users are shown an error dialog box that lets them report an error. - -If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error. - -If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users. - -If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server. - -See also the Configure Error Reporting policy setting. - - - -ADMX Info: -- GP english name: *Display Error Notification* -- GP name: *PCH_ShowUI* -- GP path: *Windows Components/Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* - - - - -**ErrorReporting/DoNotSendAdditionalData** - - -This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. - -If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. - -If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. - - - -ADMX Info: -- GP english name: *Do not send additional data* -- GP name: *WerNoSecondLevelData_2* -- GP path: *Windows Components/Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* - - - - -**ErrorReporting/PreventCriticalErrorDisplay** - - -This policy setting prevents the display of the user interface for critical errors. - -If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors. - -If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors. - - - -ADMX Info: -- GP english name: *Prevent display of the user interface for critical errors* -- GP name: *WerDoNotShowUI* -- GP path: *Windows Components/Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* - - - - -**EventLogService/ControlEventLogBehavior** - - -This policy setting controls Event Log behavior when the log file reaches its maximum size. - -If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. - -If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. - -Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. - - - -ADMX Info: -- GP english name: *Control Event Log behavior when the log file reaches its maximum size* -- GP name: *Channel_Log_Retention_1* -- GP path: *Windows Components/Event Log Service/Application* -- GP ADMX file name: *eventlog.admx* - - - - -**EventLogService/SpecifyMaximumFileSizeApplicationLog** - - -This policy setting specifies the maximum size of the log file in kilobytes. - -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. - -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. - - - -ADMX Info: -- GP english name: *Specify the maximum log file size (KB)* -- GP name: *Channel_LogMaxSize_1* -- GP path: *Windows Components/Event Log Service/Application* -- GP ADMX file name: *eventlog.admx* - - - - -**EventLogService/SpecifyMaximumFileSizeSecurityLog** - - -This policy setting specifies the maximum size of the log file in kilobytes. - -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. - -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. - - - -ADMX Info: -- GP english name: *Specify the maximum log file size (KB)* -- GP name: *Channel_LogMaxSize_2* -- GP path: *Windows Components/Event Log Service/Security* -- GP ADMX file name: *eventlog.admx* - - - - -**EventLogService/SpecifyMaximumFileSizeSystemLog** - - -This policy setting specifies the maximum size of the log file in kilobytes. - -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. - -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. - - - -ADMX Info: -- GP english name: *Specify the maximum log file size (KB)* -- GP name: *Channel_LogMaxSize_4* -- GP path: *Windows Components/Event Log Service/System* -- GP ADMX file name: *eventlog.admx* - - - - -**Experience/AllowCopyPaste** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck markcheck mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - -

Specifies whether copy and paste is allowed. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Experience/AllowCortana** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - -

Benefit to the customer: - -

Before this setting, enterprise customers could not set up Cortana during out-of-box experience (OOBE) at all, even though Cortana is the “voice” that walks you through OOBE. By sending AllowCortana in initial enrollment, enterprise customers can allow their employees to see the Cortana consent page. This enables them to choose to use Cortana and make their lives easier and more productive. - -

Sample scenario: - -

An enterprise employee customer is going through OOBE and enjoys Cortana’s help in this process. The customer is happy to learn during OOBE that Cortana can help them be more productive, and chooses to set up Cortana before OOBE finishes. When their setup is finished, they are immediately ready to engage with Cortana to help manage their schedule and more. - - - - -**Experience/AllowDeviceDiscovery** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Allows users to turn on/off device discovery UX. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

When set to 0 , the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on. - -

Most restricted value is 0. - - - - -**Experience/AllowManualMDMUnenrollment** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether to allow the user to delete the workplace account using the workplace control panel. - -> [!NOTE] -> The MDM server can always remotely delete the account. - - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Experience/AllowSIMErrorDialogPromptWhenNoSIM** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck markcheck mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - - -

Specifies whether to display dialog prompt when no SIM card is detected. - -

The following list shows the supported values: - -- 0 – SIM card dialog prompt is not displayed. -- 1 (default) – SIM card dialog prompt is displayed. - - - - -**Experience/AllowScreenCapture** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck markcheck mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - - -

Specifies whether screen capture is allowed. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Experience/AllowSyncMySettings** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). - -

The following list shows the supported values: - -- 0 – Sync settings is not allowed. -- 1 (default) – Sync settings allowed. - - - - -**Experience/AllowTailoredExperiencesWithDiagnosticData** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -

Added in Windows 10, version 1703. This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. - -

Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value. - -> **Note** This setting does not control Cortana cutomized experiences because there are separate policies to configure it. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Experience/AllowTaskSwitcher** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck markcheck mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - - -

Allows or disallows task switching on the device. - -

The following list shows the supported values: - -- 0 – Task switching not allowed. -- 1 (default) – Task switching allowed. - - - - -**Experience/AllowThirdPartySuggestionsInWindowsSpotlight** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -> [!NOTE] -> This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. - - -

Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services. - -

The following list shows the supported values: - -- 0 – Third-party suggestions not allowed. -- 1 (default) – Third-party suggestions allowed. - - - - -**Experience/AllowVoiceRecording** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck markcheck mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - - -

Specifies whether voice recording is allowed for apps. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Experience/AllowWindowsConsumerFeatures** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles. - -> [!IMPORTANT] -> This node must be accessed using the following paths: -> -> - **./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsConsumerFeatures** to set the policy. -> - **./User/Vendor/MSFT/Policy/Result/Experience/AllowWindowsConsumerFeatures** to get the result. - -  -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 – Allowed. - -

Most restricted value is 0. - - - - -**Experience/AllowWindowsSpotlight** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcheck mark1check mark1cross markcross mark
- - - -> [!NOTE] -> This policy is only available for Windows 10 Enterprise and Windows 10 Education. - - -

Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Experience/AllowWindowsSpotlightOnActionCenter** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcheck mark2check mark2check mark2cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -

Added in Windows 10, version 1703. This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Experience/AllowWindowsSpotlightWindowsWelcomeExperience** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcheck mark2check mark2check mark2cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -

Added in Windows 10, version 1703. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature. -The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Experience/AllowWindowsTips** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -Enables or disables Windows Tips / soft landing. - -

The following list shows the supported values: - -- 0 – Disabled. -- 1 (default) – Enabled. - - - - -**Experience/ConfigureWindowsSpotlightOnLockScreen** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcheck mark1check mark1cross markcross mark
- - - -> [!NOTE] -> This policy is only available for Windows 10 Enterprise and Windows 10 Education. - - -

Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1. - -

The following list shows the supported values: - -- 0 – None. -- 1 (default) – Windows spotlight enabled. -- 2 – placeholder only for future extension. Using this value has no effect. - - - - -**Experience/DoNotShowFeedbackNotifications** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Prevents devices from showing feedback questions from Microsoft. - -

If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or do not configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback. - -

If you disable or do not configure this policy setting, users can control how often they receive feedback questions. - -

The following list shows the supported values: - -- 0 (default) – Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally. -- 1 – Feedback notifications are disabled. - - - - -**Games/AllowAdvancedGamingServices** - - -

Placeholder only. Currently not supported. - - - - -**InternetExplorer/AddSearchProvider** - - -This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website. - -If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. - -If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration. - - - -ADMX Info: -- GP english name: *Add a specific list of search providers to the user's list of search providers* -- GP name: *AddSearchProvider* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowActiveXFiltering** - - -This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly. - -If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions. - -If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off. - - - -ADMX Info: -- GP english name: *Turn on ActiveX Filtering* -- GP name: *TurnOnActiveXFiltering* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowAddOnList** - - -This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages. - -This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied. - -If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information: - -Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, {000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced. - -Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field. - -If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied. - - - -ADMX Info: -- GP english name: *Add-on List* -- GP name: *AddonManagement_AddOnList* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowEnhancedProtectedMode** - - -Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. - -If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode. - -If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista. - -If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog. - - - -ADMX Info: -- GP english name: *Turn on Enhanced Protected Mode* -- GP name: *Advanced_EnableEnhancedProtectedMode* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowEnterpriseModeFromToolsMenu** - - -This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu. - -If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports. - -If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode. - - - -ADMX Info: -- GP english name: *Let users turn on and use Enterprise Mode from the Tools menu* -- GP name: *EnterpriseModeEnable* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowEnterpriseModeSiteList** - - -This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list. - -If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE. - -If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode. - - - -ADMX Info: -- GP english name: *Use the Enterprise Mode IE website list* -- GP name: *EnterpriseModeSiteList* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowInternetExplorer7PolicyList ** - - -This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View. - -If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify. - -If you disable or do not configure this policy setting, the user can add and remove sites from the list. - - - -ADMX Info: -- GP english name: *Use Policy List of Internet Explorer 7 sites* -- GP name: *CompatView_UsePolicyList* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowInternetExplorerStandardsMode** - - -This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone. - -If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box. - -If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box. - -If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer. - - - -ADMX Info: -- GP english name: *Turn on Internet Explorer Standards Mode for local intranet* -- GP name: *CompatView_IntranetSites* -- GP path: *Windows Components/Internet Explorer/Compatibility View* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowInternetZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - -ADMX Info: -- GP english name: *Internet Zone Template* -- GP name: *IZ_PolicyInternetZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowIntranetZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - -ADMX Info: -- GP english name: *Intranet Zone Template* -- GP name: *IZ_PolicyIntranetZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowLocalMachineZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - -ADMX Info: -- GP english name: *Local Machine Zone Template* -- GP name: *IZ_PolicyLocalMachineZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowLockedDownInternetZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - -ADMX Info: -- GP english name: *Locked-Down Internet Zone Template* -- GP name: *IZ_PolicyInternetZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowLockedDownIntranetZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - -ADMX Info: -- GP english name: *Locked-Down Intranet Zone Template* -- GP name: *IZ_PolicyIntranetZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowLockedDownLocalMachineZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - -ADMX Info: -- GP english name: *Locked-Down Local Machine Zone Template* -- GP name: *IZ_PolicyLocalMachineZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - -ADMX Info: -- GP english name: *Locked-Down Restricted Sites Zone Template* -- GP name: *IZ_PolicyRestrictedSitesZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowOneWordEntry** - - -This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar. - -If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available. - -If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar. - - - -ADMX Info: -- GP english name: *Go to an intranet site for a one-word entry in the Address bar* -- GP name: *UseIntranetSiteForOneWordEntry* -- GP path: *Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowSiteToZoneAssignmentList** - - -This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone. - -Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.) - -If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information: - -Valuename A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also includea specificprotocol. For example, if you enter http://www.contoso.comas the valuename, other protocols are not affected.If you enter just www.contoso.com,then all protocolsare affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. - -Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4. - -If you disable or do not configure this policy, users may choose their own site-to-zone assignments. - - - -ADMX Info: -- GP english name: *Site to Zone Assignment List* -- GP name: *IZ_Zonemaps* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowSuggestedSites** - - -This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit. - -If you enable this policy setting, the user is not prompted to enable Suggested Sites. The users browsing history is sent to Microsoft to produce suggestions. - -If you disable this policy setting, the entry points and functionality associated with this feature are turned off. - -If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature. - - - -ADMX Info: -- GP english name: *Turn on Suggested Sites* -- GP name: *EnableSuggestedSites* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowTrustedSitesZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - -ADMX Info: -- GP english name: *Trusted Sites Zone Template* -- GP name: *IZ_PolicyTrustedSitesZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - -ADMX Info: -- GP english name: *Locked-Down Trusted Sites Zone Template* -- GP name: *IZ_PolicyTrustedSitesZoneLockdownTemplate* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowsRestrictedSitesZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - -ADMX Info: -- GP english name: *Restricted Sites Zone Template* -- GP name: *IZ_PolicyRestrictedSitesZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableAdobeFlash** - - -This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects. - -If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings. - -If you disable, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box. - -Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library. - - - -ADMX Info: -- GP english name: *Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects* -- GP name: *DisableFlashInIE* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableBypassOfSmartScreenWarnings** - - -This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious. - -If you enable this policy setting, SmartScreen Filter warnings block the user. - -If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. - - - -ADMX Info: -- GP english name: *Prevent bypassing SmartScreen Filter warnings* -- GP name: *DisableSafetyFilterOverride* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles** - - -This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. - -If you enable this policy setting, SmartScreen Filter warnings block the user. - -If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. - - - -ADMX Info: -- GP english name: *Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet* -- GP name: *DisableSafetyFilterOverrideForAppRepUnknown* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation** - - -This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP). - -If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. - -If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. - -If you do not configure this policy setting, the user can choose to participate in the CEIP. - - - -ADMX Info: -- GP english name: *Prevent participation in the Customer Experience Improvement Program* -- GP name: *SQM_DisableCEIP* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableEnclosureDownloading** - - -This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. - -If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. - -If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. - - - -ADMX Info: -- GP english name: *Prevent downloading of enclosures* -- GP name: *Disable_Downloading_of_Enclosures* -- GP path: *Windows Components/RSS Feeds* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableEncryptionSupport** - - -This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match. - -If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list. - -If you disable or do not configure this policy setting, the user can select which encryption method the browser supports. - -Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. - - - -ADMX Info: -- GP english name: *Turn off encryption support* -- GP name: *Advanced_SetWinInetProtocols* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableFirstRunWizard** - - -This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. - -If you enable this policy setting, you must make one of the following choices: -Skip the First Run wizard, and go directly to the user's home page. -Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage. - -Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen. - -If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation. - - - -ADMX Info: -- GP english name: *Prevent running First Run wizard* -- GP name: *NoFirstRunCustomise* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableFlipAheadFeature** - - -This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. - -Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop. - -If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background. - -If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background. - -If you don't configure this setting, users can turn this behavior on or off, using the Settings charm. - - - -ADMX Info: -- GP english name: *Turn off the flip ahead with page prediction feature* -- GP name: *Advanced_DisableFlipAhead* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableHomePageChange** - - -The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run. - -If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies. - -If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. - - - -ADMX Info: -- GP english name: *Disable changing home page settings* -- GP name: *RestrictHomePage* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableProxyChange** - - -This policy setting specifies if a user can change proxy settings. - -If you enable this policy setting, the user will not be able to configure proxy settings. - -If you disable or do not configure this policy setting, the user can configure proxy settings. - - - -ADMX Info: -- GP english name: *Prevent changing proxy settings* -- GP name: *RestrictProxy* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableSearchProviderChange** - - -This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box. - -If you enable this policy setting, the user cannot change the default search provider. - -If you disable or do not configure this policy setting, the user can change the default search provider. - - - -ADMX Info: -- GP english name: *Prevent changing the default search provider* -- GP name: *NoSearchProvider* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableSecondaryHomePageChange** - - -Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages. - -If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages. - -If you disable or do not configure this policy setting, the user can add secondary home pages. - -Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages. - - - -ADMX Info: -- GP english name: *Disable changing secondary home page settings* -- GP name: *SecondaryHomePages* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableUpdateCheck** - - -Prevents Internet Explorer from checking whether a new version of the browser is available. - -If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if a new version is available. - -If you disable this policy or do not configure it, Internet Explorer checks every 30 days by default, and then notifies users if a new version is available. - -This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser. - - - -ADMX Info: -- GP english name: *Disable Periodic Check for Internet Explorer software updates* -- GP name: *NoUpdateCheck* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DoNotAllowUsersToAddSites** - - -Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. - -If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.) - -If you disable this policy or do not configure it, users can add Web sites to or remove sites from the Trusted Sites and Restricted Sites zones, and alter settings for the Local Intranet zone. - -This policy prevents users from changing site management settings for security zones established by the administrator. - -Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored. - -Also, see the "Security zones: Use only machine settings" policy. - - - -ADMX Info: -- GP english name: *Security Zones: Do not allow users to add/delete sites* -- GP name: *Security_zones_map_edit* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DoNotAllowUsersToChangePolicies** - - -Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level. - -If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled. - -If you disable this policy or do not configure it, users can change the settings for security zones. - -This policy prevents users from changing security zone settings established by the administrator. - -Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. - -Also, see the "Security zones: Use only machine settings" policy. - - - -ADMX Info: -- GP english name: *Security Zones: Do not allow users to change policies* -- GP name: *Security_options_edit* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DoNotBlockOutdatedActiveXControls** - - -This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. - -If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls. - -If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls. - -For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. - - - -ADMX Info: -- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer* -- GP name: *VerMgmtDisable* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains** - - -This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. - -If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following: - -1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" -2. "hostname". For example, if you want to include http://example, use "example" -3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm" - -If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone. - -For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. - - - -ADMX Info: -- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains* -- GP name: *VerMgmtDomainAllowlist* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IncludeAllLocalSites** - - -This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone. - -If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone. - -If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone). - -If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone. - - - -ADMX Info: -- GP english name: *Intranet Sites: Include all local (intranet) sites not listed in other zones* -- GP name: *IZ_IncludeUnspecifiedLocalSites* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IncludeAllNetworkPaths** - - -This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. - -If you enable this policy setting, all network paths are mapped into the Intranet Zone. - -If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there). - -If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone. - - - -ADMX Info: -- GP english name: *Intranet Sites: Include all network paths (UNCs)* -- GP name: *IZ_UNCAsIntranet* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - - -ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneAllowUserDataPersistence** - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - -ADMX Info: -- GP english name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneInitializeAndScriptActiveXControls** - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneNavigateWindowsAndFrames** - - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. - -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. - -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - - -ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneAllowUserDataPersistence** - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - -ADMX Info: -- GP english name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls** - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneNavigateWindowsAndFrames** - - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. - -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. - -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - - -ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneAllowUserDataPersistence** - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - -ADMX Info: -- GP english name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls** - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames** - - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. - -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. - -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - - -ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence** - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - -ADMX Info: -- GP english name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls** - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames** - - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. - -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. - -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - - -ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence** - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - -ADMX Info: -- GP english name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls** - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames** - - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. - -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. - -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - - -ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence** - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - -ADMX Info: -- GP english name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls** - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames** - - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. - -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. - -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - - -ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence** - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - -ADMX Info: -- GP english name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls** - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames** - - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. - -If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. - -If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. - - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - - -ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence** - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - -ADMX Info: -- GP english name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls** - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames** - - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. - -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. - -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - - -ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence** - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - -ADMX Info: -- GP english name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls** - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames** - - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. - -If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. - -If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. - - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/SearchProviderList** - - -This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website. - -If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. - -If you disable or do not configure this policy setting, the user can configure his or her list of search providers. - - - -ADMX Info: -- GP english name: *Restrict search providers to a specific list* -- GP name: *SpecificSearchProvider* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur. - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - - -ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowUserDataPersistence** - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - -ADMX Info: -- GP english name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls** - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames** - - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. - -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. - -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**Kerberos/AllowForestSearchOrder** - - -This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). - -If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain. - -If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. - - - -ADMX Info: -- GP english name: *None* -- GP name: *ForestSearch* -- GP ADMX file name: *Kerberos.admx* - - - - -**Kerberos/KerberosClientSupportsClaimsCompoundArmor** - - -This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. -If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. - -If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. - - - -ADMX Info: -- GP english name: *Kerberos client support for claims, compound authentication and Kerberos armoring* -- GP name: *EnableCbacAndArmor* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -**Kerberos/RequireKerberosArmoring** - - -This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. - -Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. - -If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. - -Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. - -If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. - - - -ADMX Info: -- GP english name: *Fail authentication requests when Kerberos armoring is not available* -- GP name: *ClientRequireFast* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -**Kerberos/RequireStrictKDCValidation** - - -This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon. - -If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. - -If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. - - - -ADMX Info: -- GP english name: *Require strict KDC validation* -- GP name: *ValidateKDC* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -**Kerberos/SetMaximumContextTokenSize** - - -This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. - -The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. - -If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. - -If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. - -Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. - - - -ADMX Info: -- GP english name: *Set maximum Kerberos SSPI context token buffer size* -- GP name: *MaxTokenSize* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -**Licensing/AllowWindowsEntitlementReactivation** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -

Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices. - -

The following list shows the supported values: - -- 0 – Disable Windows license reactivation on managed devices. -- 1 (default) – Enable Windows license reactivation on managed devices. - - - - -**Licensing/DisallowKMSClientOnlineAVSValidation** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -

Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. - -

The following list shows the supported values: - -- 0 (default) – Disabled. -- 1 – Enabled. - - - - -**Location/EnableLocation** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark2check mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page. - -> [!IMPORTANT] -> This policy is not intended to ever be set, pushed, or refreshed more than one time after the first boot of the device because it is meant as initial configuration. Refreshing this policy might result in the Location Service's Device Switch changing state to something the user did not select, which is not an intended use for this policy. - -

The following list shows the supported values: - -- 0 (default) – Disabled. -- 1 – Enabled. - -

To validate on Desktop, do the following: - -1. Verify that Settings -> Privacy -> Location -> Location for this device is On/Off as expected. -2. Use Windows Maps Application (or similar) to see if a location can or cannot be obtained. - - - - -**LockDown/AllowEdgeSwipe** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -

Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch. - -

The following list shows the supported values: - -- 0 - disallow edge swipe. -- 1 (default, not configured) - allow edge swipe. - -

The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled. - - - - -**Maps/AllowOfflineMapsDownloadOverMeteredConnection** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Allows the download and update of map data over metered connections. - -

The following list shows the supported values: - -- 65535 (default) – Not configured. User's choice. -- 0 – Disabled. Force disable auto-update over metered connection. -- 1 – Enabled. Force enable auto-update over metered connection. - -

After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. - - - - -**Maps/EnableOfflineMapsAutoUpdate** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Disables the automatic download and update of map data. - -

The following list shows the supported values: - -- 65535 (default) – Not configured. User's choice. -- 0 – Disabled. Force off auto-update. -- 1 – Enabled. Force on auto-update. - -

After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. - - - - -**Messaging/AllowMMS** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcross markcheck mark2check mark2
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - -

Added in Windows 10, version 1703. Enables or disables the MMS send/receive functionality on the device. For enterprises, this policy can be used to disable MMS on devices as part of the auditing or management requirement. - -

The following list shows the supported values: - -- 0 - Disabled. -- 1 (default) - Enabled. - - - - -**Messaging/AllowMessageSync** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck mark1check mark1
- - - -

Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control. - -

The following list shows the supported values: - -- 0 - message sync is not allowed and cannot be changed by the user. -- 1 - message sync is allowed. The user can change this setting. - - - - -**Messaging/AllowRCS** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcross markcheck mark2check mark2
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - -

Added in Windows 10, version 1703. Enables or disables the RCS send/receive functionality on the device. For enterprises, this policy can be used to disable RCS on devices as part of the auditing or management requirement. - -

The following list shows the supported values: - -- 0 - Disabled. -- 1 (default) - Enabled. - - - - -**NetworkIsolation/EnterpriseCloudResources** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**. - - - - -**NetworkIsolation/EnterpriseIPRange** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. For example: - -``` syntax -10.0.0.0-10.255.255.255,157.54.0.0-157.54.255.255, -192.168.0.0-192.168.255.255,2001:4898::-2001:4898:7fff:ffff:ffff:ffff:ffff:ffff, -2001:4898:dc05::-2001:4898:dc05:ffff:ffff:ffff:ffff:ffff, -2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff, -fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff - -``` - - - - -**NetworkIsolation/EnterpriseIPRangesAreAuthoritative** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets. - - - - -**NetworkIsolation/EnterpriseInternalProxyServers** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies. - - - - -**NetworkIsolation/EnterpriseNetworkDomainNames** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com". - -> [!NOTE] -> The client requires domain name to be canonical, otherwise the setting will be rejected by the client. -  - -

Here are the steps to create canonical domain names: - -1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com. -2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. -3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0). - - - - -**NetworkIsolation/EnterpriseProxyServers** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". - - - - -**NetworkIsolation/EnterpriseProxyServersAreAuthoritative** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies. - - - - -**NetworkIsolation/NeutralResources** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

List of domain names that can used for work or personal resource. - - - - -**Notifications/DisallowNotificationMirroring** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Boolean value that turns off notification mirroring. - -> [!IMPORTANT] -> This node must be accessed using the following paths: -> -> - **./User/Vendor/MSFT/Policy/Config/Notifications/DisallowNotificationMirroring** to set the policy. -> - **./User/Vendor/MSFT/Policy/Result/Notifications/DisallowNotificationMirroring** to get the result. - - -

For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page. - -

No reboot or service restart is required for this policy to take effect. - -

The following list shows the supported values: - -- 0 (default)– enable notification mirroring. -- 1 – disable notification mirroring. - - - - -**Power/AllowStandbyWhenSleepingPluggedIn** - - -This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. - -If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state. - -If you disable this policy setting, standby states (S1-S3) are not allowed. - - - -ADMX Info: -- GP english name: *Allow standby states (S1-S3) when sleeping (plugged in)* -- GP name: *AllowStandbyStatesAC_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - - - -**Power/DisplayOffTimeoutOnBattery** - - -

Added in Windows 10, version 1709. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display. - -

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. - -

If you disable or do not configure this policy setting, users control this setting. - -

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. - - - -ADMX Info: -- GP english name: *Turn off the display (on battery)* -- GP name: *VideoPowerDownTimeOutDC_2* -- GP path: *System/Power Management/Video and Display Settings* -- GP ADMX file name: *power.admx* - - - - - -**Power/DisplayOffTimeoutPluggedIn** - - - -

Added in Windows 10, version 1709. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display. - -

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. - -

If you disable or do not configure this policy setting, users control this setting. - -

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. - - - -ADMX Info: -- GP english name: *Turn off the display (plugged in)* -- GP name: *VideoPowerDownTimeOutAC_2* -- GP path: *System/Power Management/Video and Display Settings* -- GP ADMX file name: *power.admx* - - - - - -**Power/HibernateTimeoutOnBattery** - - -

Added in Windows 10, version 1709. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. - -

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. - -

If you disable or do not configure this policy setting, users control this setting. - - -

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. - - -ADMX Info: -- GP english name: *Specify the system hibernate timeout (on battery)* -- GP name: *DCHibernateTimeOut_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - - - -**Power/HibernateTimeoutPluggedIn** - - -

Added in Windows 10, version 1709. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. - -

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. - -

If you disable or do not configure this policy setting, users control this setting. - -

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. - - - -ADMX Info: -- GP english name: *Specify the system hibernate timeout (plugged in)* -- GP name: *ACHibernateTimeOut_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - - - -**Power/RequirePasswordWhenComputerWakesOnBattery** - - -This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. - -If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. - -If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. - - - -ADMX Info: -- GP english name: *Require a password when a computer wakes (on battery)* -- GP name: *DCPromptForPasswordOnResume_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - - -**Power/RequirePasswordWhenComputerWakesPluggedIn** - - -This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. - -If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. - -If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. - - - -ADMX Info: -- GP english name: *Require a password when a computer wakes (plugged in)* -- GP name: *ACPromptForPasswordOnResume_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - - - -**Power/StandbyTimeoutOnBattery** - - -

Added in Windows 10, version 1709. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. - -

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. - -

If you disable or do not configure this policy setting, users control this setting. - -

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. - - - -ADMX Info: -- GP english name: *Specify the system sleep timeout (on battery)* -- GP name: *DCStandbyTimeOut_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - - - -**Power/StandbyTimeoutPluggedIn** - - -

Added in Windows 10, version 1709. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. - -

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. - -

If you disable or do not configure this policy setting, users control this setting. - -

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. - - - -ADMX Info: -- GP english name: *Specify the system sleep timeout (plugged in)* -- GP name: *ACStandbyTimeOut_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - - - -**Printers/PointAndPrintRestrictions** - - -This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. - -If you enable this policy setting: --Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. --You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. - -If you do not configure this policy setting: --Windows Vista client computers can point and print to any server. --Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. --Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. --Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. - -If you disable this policy setting: --Windows Vista client computers can create a printer connection to any server using Point and Print. --Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. --Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. --Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. --The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). - - - -ADMX Info: -- GP english name: *Point and Print Restrictions* -- GP name: *PointAndPrint_Restrictions_Win7* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - - -**Printers/PointAndPrintRestrictions_User** - - -This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. - -If you enable this policy setting: --Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. --You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. - -If you do not configure this policy setting: --Windows Vista client computers can point and print to any server. --Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. --Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. --Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. - -If you disable this policy setting: --Windows Vista client computers can create a printer connection to any server using Point and Print. --Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. --Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. --Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. --The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). - - - -ADMX Info: -- GP english name: *Point and Print Restrictions* -- GP name: *PointAndPrint_Restrictions* -- GP ADMX file name: *Printing.admx* - - - - -**Printers/PublishPrinters** - - -Determines whether the computer's shared printers can be published in Active Directory. - -If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory. - -If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available. - -Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory". - - - -ADMX Info: -- GP english name: *Allow printers to be published* -- GP name: *PublishPrinters* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* - - - - -**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check markcheck mark
- - - -

Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. - -

The following list shows the supported values: - -- 0 (default)– Not allowed. -- 1 – Allowed. - -

Most restricted value is 0. - - - - -**Privacy/AllowInputPersonalization** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Updated in Windows 10, version 1709. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. -  - - - - -**Privacy/DisableAdvertisingId** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Enables or disables the Advertising ID. - -

The following list shows the supported values: - -- 0 – Disabled. -- 1 – Enabled. -- 65535 (default)- Not configured. - -

Most restricted value is 0. - - - - -**Privacy/LetAppsAccessAccountInfo** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Specifies whether Windows apps can access account information. - -

The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

Most restricted value is 2. - - - - -**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - -**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - -**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - -**Privacy/LetAppsAccessCalendar** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar. - -

The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

Most restricted value is 2. - - - - -**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - -**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - -**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - -**Privacy/LetAppsAccessCallHistory** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Specifies whether Windows apps can access call history. - -

The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

Most restricted value is 2. - - - - -**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - -**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - -**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - -**Privacy/LetAppsAccessCamera** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera. - -

The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

Most restricted value is 2. - - - - -**Privacy/LetAppsAccessCamera_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessCamera_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessContacts** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts. - -

The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

Most restricted value is 2. - - - - -**Privacy/LetAppsAccessContacts_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessContacts_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessEmail** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Specifies whether Windows apps can access email. - -

The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

Most restricted value is 2. - - - - -**Privacy/LetAppsAccessEmail_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessEmail_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessLocation** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Specifies whether Windows apps can access location. - -

The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

Most restricted value is 2. - - - - -**Privacy/LetAppsAccessLocation_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessLocation_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessMessaging** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS). - -

The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

Most restricted value is 2. - - - - -**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessMicrophone** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone. - -

The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

Most restricted value is 2. - - - - -**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessMotion** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data. - -

The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

Most restricted value is 2. - - - - -**Privacy/LetAppsAccessMotion_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessMotion_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessNotifications** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications. - -

The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

Most restricted value is 2. - - - - -**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessPhone** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls. - -

The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

Most restricted value is 2. - - - - -**Privacy/LetAppsAccessPhone_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessPhone_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessRadios** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios. - -

The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

Most restricted value is 2. - - - - -**Privacy/LetAppsAccessRadios_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessRadios_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessTasks** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. - - - - -**Privacy/LetAppsAccessTasks_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessTasks_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessTrustedDevices** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices. - -

The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

Most restricted value is 2. - - - - -**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - -**Privacy/LetAppsGetDiagnosticInfo** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. - -

The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

Most restricted value is 2. - - - - -**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - - -**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - - -**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - - -**Privacy/LetAppsRunInBackground** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. - -

The following list shows the supported values: - -- 0 – User in control (default). -- 1 – Force allow. -- 2 - Force deny. - -

Most restricted value is 2. -> [!WARNING] -> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly. - - - - -**Privacy/LetAppsRunInBackground_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - - -**Privacy/LetAppsRunInBackground_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - - -**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - - -**Privacy/LetAppsSyncWithDevices** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. - -

The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

Most restricted value is 2. - - - - -**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - -**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - -**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - -**RemoteAssistance/CustomizeWarningMessages** - - -This policy setting lets you customize warning messages. - -The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer. - -The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a user allows a connection to his or her computer. - -If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice. - -If you disable this policy setting, the user sees the default warning message. - -If you do not configure this policy setting, the user sees the default warning message. - - - -ADMX Info: -- GP english name: *Customize warning messages* -- GP name: *RA_Options* -- GP path: *System/Remote Assistance* -- GP ADMX file name: *remoteassistance.admx* - - - - -**RemoteAssistance/SessionLogging** - - -This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance. - -If you enable this policy setting, log files are generated. - -If you disable this policy setting, log files are not generated. - -If you do not configure this setting, application-based settings are used. - - - -ADMX Info: -- GP english name: *Turn on session logging* -- GP name: *RA_Logging* -- GP path: *System/Remote Assistance* -- GP ADMX file name: *remoteassistance.admx* - - - - -**RemoteAssistance/SolicitedRemoteAssistance** - - -This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. - -If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings. - -If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer. - -If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings. - -If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." - -The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open. - -The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported. - -If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications. - - - -ADMX Info: -- GP english name: *Configure Solicited Remote Assistance* -- GP name: *RA_Solicit* -- GP path: *System/Remote Assistance* -- GP ADMX file name: *remoteassistance.admx* - - - - -**RemoteAssistance/UnsolicitedRemoteAssistance** - - -This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. - -If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. - -If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. - -If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. - -If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance. - -To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format: - -\ or - -\ - -If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running. - -Windows Vista and later - -Enable the Remote Assistance exception for the domain profile. The exception must contain: -Port 135:TCP -%WINDIR%\System32\msra.exe -%WINDIR%\System32\raserver.exe - -Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1) - -Port 135:TCP -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -%WINDIR%\System32\Sessmgr.exe - -For computers running Windows Server 2003 with Service Pack 1 (SP1) - -Port 135:TCP -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -Allow Remote Desktop Exception - - - -ADMX Info: -- GP english name: *Configure Offer Remote Assistance* -- GP name: *RA_Unsolicit* -- GP ADMX file name: *remoteassistance.admx* - - - - -**RemoteDesktopServices/AllowUsersToConnectRemotely** - - -This policy setting allows you to configure remote access to computers by using Remote Desktop Services. - -If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services. - -If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections. - -If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed. - -Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication. - -You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. - - - -ADMX Info: -- GP english name: *Allow users to connect remotely by using Remote Desktop Services* -- GP name: *TS_DISABLE_CONNECTIONS* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections* -- GP ADMX file name: *terminalserver.admx* - - - - -**RemoteDesktopServices/ClientConnectionEncryptionLevel** - - -Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. - -If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available: - -* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers. - -* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption. - -* Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption. - -If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy. - -Important - -FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. - - - -ADMX Info: -- GP english name: *Set client connection encryption level* -- GP name: *TS_ENCRYPTION_POLICY* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* -- GP ADMX file name: *terminalserver.admx* - - - - -**RemoteDesktopServices/DoNotAllowDriveRedirection** - - -This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). - -By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format on . You can use this policy setting to override this behavior. - -If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP. - -If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. - -If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. - - - -ADMX Info: -- GP english name: *Do not allow drive redirection* -- GP name: *TS_CLIENT_DRIVE_M* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection* -- GP ADMX file name: *terminalserver.admx* - - - - -**RemoteDesktopServices/DoNotAllowPasswordSaving** - - -Controls whether passwords can be saved on this computer from Remote Desktop Connection. - -If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. - -If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection. - - - -ADMX Info: -- GP english name: *Do not allow passwords to be saved* -- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client* -- GP ADMX file name: *terminalserver.admx* - - - - -**RemoteDesktopServices/PromptForPasswordUponConnection** - - -This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. - -You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. - -By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client. - -If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on. - -If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client. - -If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. - - - -ADMX Info: -- GP english name: *Always prompt for password upon connection* -- GP name: *TS_PASSWORD* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* -- GP ADMX file name: *terminalserver.admx* - - - - -**RemoteDesktopServices/RequireSecureRPCCommunication** - - -Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. - -You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. - -If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients. - -If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request. - -If the status is set to Not Configured, unsecured communication is allowed. - -Note: The RPC interface is used for administering and configuring Remote Desktop Services. - - - -ADMX Info: -- GP english name: *Require secure RPC communication* -- GP name: *TS_RPC_ENCRYPTION* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* -- GP ADMX file name: *terminalserver.admx* - - - - -**RemoteProcedureCall/RPCEndpointMapperClientAuthentication** - - -This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. - -If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server. - -If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service. - -If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service. - -Note: This policy will not be applied until the system is rebooted. - - - -ADMX Info: -- GP english name: *Enable RPC Endpoint Mapper Client Authentication* -- GP name: *RpcEnableAuthEpResolution* -- GP path: *System/Remote Procedure Call* -- GP ADMX file name: *rpc.admx* - - - - -**RemoteProcedureCall/RestrictUnauthenticatedRPCClients** - - -This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. - -This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller. - -If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting. - -If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting. - -If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. - --- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. - --- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. - --- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. - -Note: This policy setting will not be applied until the system is rebooted. - - - -ADMX Info: -- GP english name: *Restrict Unauthenticated RPC clients* -- GP name: *RpcRestrictRemoteClients* -- GP path: *System/Remote Procedure Call* -- GP ADMX file name: *rpc.admx* - - - - -**Search/AllowIndexingEncryptedStoresOrItems** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files. - -

When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes things like file path and date modified. - -

When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps if there are a lot of WIP protected media files on the device. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Search/AllowSearchToUseLocation** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether search can leverage location information. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Search/AllowUsingDiacritics** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Allows the use of diacritics. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Search/AlwaysUseAutoLangDetection** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether to always use automatic language detection when indexing content and properties. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Search/DisableBackoff** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled. - -

The following list shows the supported values: - -- 0 (default) – Disable. -- 1 – Enable. - - - - -**Search/DisableRemovableDriveIndexing** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

This policy setting configures whether or not locations on removable drives can be added to libraries. - -

If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed. - -

If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed. - -

The following list shows the supported values: - -- 0 (default) – Disable. -- 1 – Enable. - - - - -**Search/PreventIndexingLowDiskSpaceMB** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1. - -

Enable this policy if computers in your environment have extremely limited hard drive space. - -

When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size. - -

The following list shows the supported values: - -- 0 – Disable. -- 1 (default) – Enable. - - - - -**Search/PreventRemoteQueries** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index.. - -

The following list shows the supported values: - -- 0 – Disable. -- 1 (default) – Enable. - - - - -**Search/SafeSearchPermissions** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck markcheck mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - - -

Specifies what level of safe search (filtering adult content) is required. - -

The following list shows the supported values: - -- 0 – Strict, highest filtering against adult content. -- 1 (default) – Moderate filtering against adult content (valid search results will not be filtered). - -

Most restricted value is 0. - - - - -**Security/AllowAddProvisioningPackage** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether to allow the runtime configuration agent to install provisioning packages. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy has been deprecated in Windows 10, version 1607 - -
- -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Security/AllowManualRootCertificateInstallation** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck markcheck mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - - -

Specifies whether the user is allowed to manually install root and intermediate CA certificates. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Security/AllowRemoveProvisioningPackage** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether to allow the runtime configuration agent to remove provisioning packages. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Security/AntiTheftMode** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck markcheck mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - -  -

Allows or disallow Anti Theft Mode on the device. - -

The following list shows the supported values: - -- 0 – Don't allow Anti Theft Mode. -- 1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent). - - - - -**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**. - -

Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined. - -

The following list shows the supported values: - -- 0 (default) – Encryption enabled. -- 1 – Encryption disabled. - - - - -**Security/RequireDeviceEncryption** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck markcheck mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the [DeviceStatus CSP](devicestatus-csp.md) node **DeviceStatus/Compliance/EncryptionCompliance**. - -

Allows enterprise to turn on internal storage encryption. - -

The following list shows the supported values: - -- 0 (default) – Encryption is not required. -- 1 – Encryption is required. - -

Most restricted value is 1. - -> [!IMPORTANT] -> If encryption has been enabled, it cannot be turned off by using this policy. - - - - -**Security/RequireProvisioningPackageSignature** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether provisioning packages must have a certificate signed by a device trusted authority. - -

The following list shows the supported values: - -- 0 (default) – Not required. -- 1 – Required. - - - - -**Security/RequireRetrieveHealthCertificateOnBoot** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots. - -

The following list shows the supported values: - -- 0 (default) – Not required. -- 1 – Required. - -

Setting this policy to 1 (Required): - -- Determines whether a device is capable of Remote Device Health Attestation, by verifying if the device has TPM 2.0. -- Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification. - -> [!NOTE] -> We recommend that this policy is set to Required after MDM enrollment. -  - -

Most restricted value is 1. - - - - -**Settings/AllowAutoPlay** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

Allows the user to change Auto Play settings. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -> [!NOTE] -> Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected. - - - - -**Settings/AllowDataSense** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Allows the user to change Data Sense settings. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Settings/AllowDateTime** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Allows the user to change date and time settings. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Settings/AllowEditDeviceName** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcheck mark1check mark1
- - - -

Allows editing of the device name. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Settings/AllowLanguage** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

Allows the user to change the language settings. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Settings/AllowPowerSleep** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

Allows the user to change power and sleep settings. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Settings/AllowRegion** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

Allows the user to change the region settings. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Settings/AllowSignInOptions** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

Allows the user to change sign-in options. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Settings/AllowVPN** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Allows the user to change VPN settings. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Settings/AllowWorkplace** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

Allows user to change workplace settings. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Settings/AllowYourAccount** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Allows user to change account settings. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Settings/ConfigureTaskbarCalendar** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale. - -

The following list shows the supported values: - -- 0 (default) – User will be allowed to configure the setting. -- 1 – Don't show additional calendars. -- 2 - Simplified Chinese (Lunar). -- 3 - Traditional Chinese (Lunar). - - - - -**Settings/PageVisibilityList** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. - -

The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively: - -

showonly:about;bluetooth - -

If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i.e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list. - -

The format of the PageVisibilityList value is as follows: - -- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity. -- There are two variants: one that shows only the given pages and one which hides the given pages. -- The first variant starts with the string "showonly:" and the second with the string "hide:". -- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace. -- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:wi-fi" would be just "wi-fi". - -

The default value for this setting is an empty string, which is interpreted as show everything. - -

Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:wi-fi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden: - -

showonly:wi-fi;bluetooth - -

Example 2, specifies that the wifi page should not be shown: - -

hide:wifi - -

To validate on Desktop, do the following: - -1. Open System Settings and verfiy that the About page is visible and accessible. -2. Configure the policy with the following string: "hide:about". -3. Open System Settings again and verify that the About page is no longer accessible. - - - - -**SmartScreen/EnableAppInstallControl** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store. - -

The following list shows the supported values: - -- 0 – Turns off Application Installation Control, allowing users to download and install files from anywhere on the web. -- 1 – Turns on Application Installation Control, allowing users to only install apps from the Store. - - - - -**SmartScreen/EnableSmartScreenInShell** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows. - -

The following list shows the supported values: - -- 0 – Turns off SmartScreen in Windows. -- 1 – Turns on SmartScreen in Windows. - - - - -**SmartScreen/PreventOverrideForFilesInShell** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files. - -

The following list shows the supported values: - -- 0 – Employees can ignore SmartScreen warnings and run malicious files. -- 1 – Employees cannot ignore SmartScreen warnings and run malicious files. - - - - -**Speech/AllowSpeechModelUpdate** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
check mark1check mark1check mark1check mark1check mark1check mark1
- - - -

Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS). - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Start/AllowPinnedFolderDocuments** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. This policy controls the visibility of the Documents shortcut on the Start menu. - -

The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. - - - - -**Start/AllowPinnedFolderDownloads** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. This policy controls the visibility of the Downloads shortcut on the Start menu. - -

The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. - - - - -**Start/AllowPinnedFolderFileExplorer** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. This policy controls the visibility of the File Explorer shortcut on the Start menu. - -

The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. - - - - -**Start/AllowPinnedFolderHomeGroup** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. This policy controls the visibility of the HomeGroup shortcut on the Start menu. - -

The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. - - - - -**Start/AllowPinnedFolderMusic** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. This policy controls the visibility of the Music shortcut on the Start menu. - -

The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. - - - - -**Start/AllowPinnedFolderNetwork** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. This policy controls the visibility of the Network shortcut on the Start menu. - -

The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. - - - - -**Start/AllowPinnedFolderPersonalFolder** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. This policy controls the visibility of the PersonalFolder shortcut on the Start menu. - -

The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. - - - - -**Start/AllowPinnedFolderPictures** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. This policy controls the visibility of the Pictures shortcut on the Start menu. - -

The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. - - - - -**Start/AllowPinnedFolderSettings** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. This policy controls the visibility of the Settings shortcut on the Start menu. - -

The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. - - - - -**Start/AllowPinnedFolderVideos** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. This policy controls the visibility of the Videos shortcut on the Start menu. - -

The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. - - - - -**Start/ForceStartSize** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

Forces the start screen size. - -

The following list shows the supported values: - -- 0 (default) – Do not force size of Start. -- 1 – Force non-fullscreen size of Start. -- 2 - Force a fullscreen size of Start. - -

If there is policy configuration conflict, the latest configuration request is applied to the device. - - - - -**Start/HideAppList** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -> [!NOTE] -> This policy requires reboot to take effect. - -

Added in Windows 10, version 1703. Allows IT Admins to configure Start by collapsing or removing the all apps list. - -

The following list shows the supported values: - -- 0 (default) – None. -- 1 – Hide all apps list. -- 2 - Hide all apps list, and Disable "Show app list in Start menu" in Settings app. -- 3 - Hide all apps list, remove all apps button, and Disable "Show app list in Start menu" in Settings app. - -

To validate on Desktop, do the following: - -- 1 - Enable policy and restart explorer.exe -- 2a - If set to '1': Verify that the all apps list is collapsed, and that the Settings toggle is not grayed out. -- 2b - If set to '2': Verify that the all apps list is collapsed, and that the Settings toggle is grayed out. -- 2c - If set to '3': Verify that there is no way of opening the all apps list from Start, and that the Settings toggle is grayed out. - - - - -**Start/HideChangeAccountSettings** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile. - -

The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

To validate on Desktop, do the following: - -1. Enable policy. -2. Open Start, click on the user tile, and verify that "Change account settings" is not available. - - - - -**Start/HideFrequentlyUsedApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -> [!NOTE] -> This policy requires reboot to take effect. - -

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding most used apps. - -

The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

To validate on Desktop, do the following: - -1. Enable "Show most used apps" in the Settings app. -2. Use some apps to get them into the most used group in Start. -3. Enable policy. -4. Restart explorer.exe -5. Check that "Show most used apps" Settings toggle is grayed out. -6. Check that most used apps do not appear in Start. - - - - -**Start/HideHibernate** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button. - -

The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

To validate on Laptop, do the following: - -1. Enable policy. -2. Open Start, click on the Power button, and verify "Hibernate" is not available. - -> [!NOTE] -> This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's. - - - - -**Start/HideLock** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile. - -

The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

To validate on Desktop, do the following: - -1. Enable policy. -2. Open Start, click on the user tile, and verify "Lock" is not available. - - - - -**Start/HidePowerButton** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -> [!NOTE] -> This policy requires reboot to take effect. - -

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the Power button from appearing. - -

The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

To validate on Desktop, do the following: - -1. Enable policy. -2. Open Start, and verify the power button is not available. - - - - -**Start/HideRecentJumplists** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -> [!NOTE] -> This policy requires reboot to take effect. - -

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently opened items in the jumplists from appearing. - -

The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

To validate on Desktop, do the following: - -1. Enable "Show recently opened items in Jump Lists on Start of the taskbar" in Settings. -2. Pin Photos to the taskbar, and open some images in the photos app. -3. Right click the pinned photos app and verify that a jumplist of recently opened items pops up. -4. Toggle "Show recently opened items in Jump Lists on Start of the taskbar" in Settings to clear jump lists. -5. Enable policy. -6. Restart explorer.exe -7. Check that Settings toggle is grayed out. -8. Repeat Step 2. -9. Right Click pinned photos app and verify that there is no jumplist of recent items. - - - - -**Start/HideRecentlyAddedApps** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -> [!NOTE] -> This policy requires reboot to take effect. - -

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently added apps. - -

The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

To validate on Desktop, do the following: - -1. Enable "Show recently added apps" in the Settings app. -2. Check if there are recently added apps in Start (if not, install some). -3. Enable policy. -4. Restart explorer.exe -5. Check that "Show recently added apps" Settings toggle is grayed out. -6. Check that recently added apps do not appear in Start. - - - - -**Start/HideRestart** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button. - -

The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

To validate on Desktop, do the following: - -1. Enable policy. -2. Open Start, click on the Power button, and verify "Restart" and "Update and restart" are not available. - - - - -**Start/HideShutDown** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button. - -

The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

To validate on Desktop, do the following: - -1. Enable policy. -2. Open Start, click on the Power button, and verify "Shut down" and "Update and shut down" are not available. - - - - -**Start/HideSignOut** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile. - -

The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

To validate on Desktop, do the following: - -1. Enable policy. -2. Open Start, click on the user tile, and verify "Sign out" is not available. - - - - -**Start/HideSleep** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button. - -

The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

To validate on Desktop, do the following: - -1. Enable policy. -2. Open Start, click on the Power button, and verify that "Sleep" is not available. - - - - -**Start/HideSwitchAccount** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile. - -

The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

To validate on Desktop, do the following: - -1. Enable policy. -2. Open Start, click on the user tile, and verify that "Switch account" is not available. - - - - -**Start/HideUserTile** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -> [!NOTE] -> This policy requires reboot to take effect. - -

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the user tile. - -

The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

To validate on Desktop, do the following: - -1. Enable policy. -2. Log off. -3. Log in, and verify that the user tile is gone from Start. - - - - -**Start/ImportEdgeAssets** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
- - - -> [!NOTE] -> This policy requires reboot to take effect. - -

Added in Windows 10, version 1703. This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files. - -> [!IMPORTANT] -> Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy. - -

The value set for this policy is an XML string containing Edge assets. An example XML string is provided in the [Microsoft Edge assets example](#microsoft-edge-assets-example) later in this topic. - -

To validate on Desktop, do the following: - -1. Set policy with an XML for Edge assets. -2. Set StartLayout policy to anything so that it would trigger the Edge assets import. -3. Sign out/in. -4. Verify that all Edge assets defined in XML show up in %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState path. - - - - -**Start/NoPinningToTaskbar** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar. - -

The following list shows the supported values: - -- 0 (default) – False (pinning enabled). -- 1 - True (pinning disabled). - -

To validate on Desktop, do the following: - -1. Enable policy. -2. Right click on a program pinned to taskbar. -3. Verify that "Unpin from taskbar" menu does not show. -4. Open Start and right click on one of the app list icons. -5. Verify that More->Pin to taskbar menu does not show. - - - - -**Start/StartLayout** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcheck markcheck markcross markcross mark
- - - -> [!IMPORTANT] -> This node is set on a per-user basis and must be accessed using the following paths: -> - **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy. -> - **./User/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy. -> -> -> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis using the following paths: -> - **./Device/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy. -> - **./Device/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy. - - -

Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy - -

This policy is described in [Start/StartLayout Examples](#startlayout-examples) later in this topic. - - - - -**Storage/EnhancedStorageDevices** - - -This policy setting configures whether or not Windows will activate an Enhanced Storage device. - -If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices. - -If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices. - - - -ADMX Info: -- GP english name: *Do not allow Windows to activate Enhanced Storage devices* -- GP name: *TCGSecurityActivationDisabled* -- GP path: *System/Enhanced Storage Access* -- GP ADMX file name: *enhancedstorage.admx* - - - - -**System/AllowBuildPreview** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -> [!NOTE] -> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. - - -

This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. - -

If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable. - -

The following list shows the supported values: - -- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software. -- 1 – Allowed. Users can make their devices available for downloading and installing preview software. -- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software. - - - - -**System/AllowEmbeddedMode** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether set general purpose device to be in embedded mode. - -

The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - -

Most restricted value is 0. - - - - -**System/AllowExperimentation** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -> [!NOTE] -> This policy is not supported in Windows 10, version 1607. - -

This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. - -

The following list shows the supported values: - -- 0 – Disabled. -- 1 (default) – Permits Microsoft to configure device settings only. -- 2 – Allows Microsoft to conduct full experimentations. - -

Most restricted value is 0. - - - - -**System/AllowFontProviders** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. - -

Supported values: - -- false - No traffic to fs.microsoft.com and only locally-installed fonts are available. -- true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them. - -

This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled). - -

This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content. - -> [!Note] -> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service. - -

To verify if System/AllowFontProviders is set to true: - -- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com. - - - - -**System/AllowLocation** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether to allow app access to the Location service. - -

The following list shows the supported values: - -- 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search. -- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off. -- 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed. - -

Most restricted value is 0. - -

While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy. - -

When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting. - -

For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off. - - - - -**System/AllowStorageCard** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. - -

The following list shows the supported values: - -- 0 – SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card. -- 1 (default) – Allow a storage card. - -

Most restricted value is 0. - - - - -**System/AllowTelemetry** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Allow the device to send diagnostic and usage telemetry data, such as Watson. - -

The following tables describe the supported values: - - --- - - - - - - - - - - - - - - - - -
Windows 8.1 Values

0 – Not allowed.

-

1 – Allowed, except for Secondary Data Requests.

2 (default) – Allowed.

- - - --- - - - - - - - - - - - - - - - - - - - -
Windows 10 Values

0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.

-
-Note  This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. -
-

1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level.

2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels.

3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.

- - -> [!IMPORTANT] -> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1. - - -

Most restricted value is 0. - - - - -**System/AllowUserToResetPhone** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed to reset to factory default settings. - -

Most restricted value is 0. - - - - -**System/BootStartDriverInitialization** - - -N/A - - - -ADMX Info: -- GP english name: *Boot-Start Driver Initialization Policy* -- GP name: *POL_DriverLoadPolicy_Name* -- GP path: *System/Early Launch Antimalware* -- GP ADMX file name: *earlylauncham.admx* - - - - -**System/DisableOneDriveFileSync** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: - -* Users cannot access OneDrive from the OneDrive app or file picker. -* Windows Store apps cannot access OneDrive using the WinRT API. -* OneDrive does not appear in the navigation pane in File Explorer. -* OneDrive files are not kept in sync with the cloud. -* Users cannot automatically upload photos and videos from the camera roll folder. - -

If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. - -

The following list shows the supported values: - -- 0 (default) – False (sync enabled). -- 1 – True (sync disabled). - -

To validate on Desktop, do the following: - -1. Enable policy. -2. Restart machine. -3. Verify that OneDrive.exe is not running in Task Manager. - - - - -**System/DisableSystemRestore** - - -Allows you to disable System Restore. - -This policy setting allows you to turn off System Restore. - -System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. - -If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. - -If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection. - -Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. - - - -ADMX Info: -- GP english name: *Turn off System Restore* -- GP name: *SR_DisableSR* -- GP path: *System/System Restore* -- GP ADMX file name: *systemrestore.admx* - - - - -**System/TelemetryProxy** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. - -

If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. - - - - -**TextInput/AllowIMELogging** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

Allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**TextInput/AllowIMENetworkAccess** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**TextInput/AllowInputPanel** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

Allows the IT admin to disable the touch/handwriting keyboard on Windows. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**TextInput/AllowJapaneseIMESurrogatePairCharacters** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

Allows the Japanese IME surrogate pair characters. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**TextInput/AllowJapaneseIVSCharacters** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

Allows Japanese Ideographic Variation Sequence (IVS) characters. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**TextInput/AllowJapaneseNonPublishingStandardGlyph** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

Allows the Japanese non-publishing standard glyph. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**TextInput/AllowJapaneseUserDictionary** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

Allows the Japanese user dictionary. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**TextInput/AllowKeyboardTextSuggestions** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - -

Added in Windows 10, version 1703. Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled. - -

The following list shows the supported values: - -- 0 – Disabled. -- 1 (default) – Enabled. - -

Most restricted value is 0. - -

To validate that text prediction is disabled on Windows 10 for desktop, do the following: - -1. Search for and launch the on-screen keyboard. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Use Text Prediction” setting is enabled from the options button. -2. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app. -3. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool. - - - - -**TextInput/AllowKoreanExtendedHanja** - - -

This policy has been deprecated. - - - - -**TextInput/AllowLanguageFeaturesUninstall** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

Allows the uninstall of language features, such as spell checkers, on a device. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**TextInput/ExcludeJapaneseIMEExceptJIS0208** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

Allows the users to restrict character code range of conversion by setting the character filter. - -

The following list shows the supported values: - -- 0 (default) – No characters are filtered. -- 1 – All characters except JIS0208 are filtered. - - - - -**TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

Allows the users to restrict character code range of conversion by setting the character filter. - -

The following list shows the supported values: - -- 0 (default) – No characters are filtered. -- 1 – All characters except JIS0208 and EUDC are filtered. - - - - -**TextInput/ExcludeJapaneseIMEExceptShiftJIS** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

Allows the users to restrict character code range of conversion by setting the character filter. - -

The following list shows the supported values: - -- 0 (default) – No characters are filtered. -- 1 – All characters except ShiftJIS are filtered. - - - - -**TimeLanguageSettings/AllowSet24HourClock** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcross markcross markcross markcross markcheck mark2check mark2
- - - -

Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting. - -

The following list shows the supported values: - -- 0 – Locale default setting. -- 1 (default) – Set 24 hour clock. - - - - -**Update/ActiveHoursEnd** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcheck mark1
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. - -> [!NOTE] -> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. - -

Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. - -

The default is 17 (5 PM). - - - - -**Update/ActiveHoursMaxRange** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. - -

Supported values are 8-18. - -

The default value is 18 (hours). - - - - -**Update/ActiveHoursStart** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcheck mark1
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. - -> [!NOTE] -> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. - -

Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. - -

The default value is 8 (8 AM). - - - - -**Update/AutoRestartDeadlinePeriodInDays** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcheck mark2
- - - -

Added in Windows 10, version 1703. This policy defines the deadline in days after which a reboot for updates will become mandatory. - -

Supported values are 2-30 days. - -

The default value is 7 days. - - - - -**Update/AllowAutoUpdate** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcheck mark
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

Enables the IT admin to manage automatic update behavior to scan, download, and install updates. - -

Supported operations are Get and Replace. - -

The following list shows the supported values: - -- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. -- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. -- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. -- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. -- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. -- 5 – Turn off automatic updates. - -> [!IMPORTANT] -> This option should be used only for systems under regulatory compliance, as you will not get security updates as well. -  - -

If the policy is not configured, end-users get the default behavior (Auto install and restart). - - - - -**Update/AllowMUUpdateService** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -

Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. - -

The following list shows the supported values: - -- 0 – Not allowed or not configured. -- 1 – Allowed. Accepts updates received through Microsoft Update. - - - - -**Update/AllowNonMicrosoftSignedUpdate** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcheck mark
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. - -

Supported operations are Get and Replace. - -

The following list shows the supported values: - -- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. -- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. - -

This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. - - - - -**Update/AllowUpdateService** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcheck mark
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store. - -

Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store - -

Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working. - -

The following list shows the supported values: - -- 0 – Update service is not allowed. -- 1 (default) – Update service is allowed. - -> [!NOTE] -> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. - - - - -**Update/AutoRestartNotificationSchedule** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. - -

Supported values are 15, 30, 60, 120, and 240 (minutes). - -

The default value is 15 (minutes). - - - - -**Update/AutoRestartRequiredNotificationDismissal** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. - -

The following list shows the supported values: - -- 1 (default) – Auto Dismissal. -- 2 – User Dismissal. - - - - -**Update/BranchReadinessLevel** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcheck mark1
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. - -

The following list shows the supported values: - -- 16 (default) – User gets all applicable upgrades from Current Branch (CB). -- 32 – User gets upgrades from Current Branch for Business (CBB). - - - - -**Update/DeferFeatureUpdatesPeriodInDays** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. -

Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. - -

Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. - -

Supported values are 0-365 days. - -> [!IMPORTANT] -> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. - - - - -**Update/DeferQualityUpdatesPeriodInDays** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcheck mark1
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. - -

Supported values are 0-30. - - - - -**Update/DeferUpdatePeriod** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcheck mark
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise -> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. - - -

Allows IT Admins to specify update delays for up to 4 weeks. - -

Supported values are 0-4, which refers to the number of weeks to defer updates. - -

In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following: - -- Update/RequireDeferUpgrade must be set to 1 -- System/AllowTelemetry must be set to 1 or higher - -

If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -

If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Update categoryMaximum deferralDeferral incrementUpdate type/notes

OS upgrade

8 months

1 month

Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5

Update

1 month

1 week

-Note -If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. -
-
    -
  • Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
    • -
  • Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4
    • -
  • Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F
    • -
  • Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828
    • -
  • Tools - B4832BD8-E735-4761-8DAF-37F882276DAB
    • -
  • Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F
    • -
  • Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
    • -
  • Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
    • -

Other/cannot defer

No deferral

No deferral

Any update category not specifically enumerated above falls into this category.

-

Definition Update - E0789628-CE08-4437-BE74-2495B842F43B

- - - - -**Update/DeferUpgradePeriod** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcross mark
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. -> -> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. -> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. - - -

Allows IT Admins to specify additional upgrade delays for up to 8 months. - -

Supported values are 0-8, which refers to the number of months to defer upgrades. - -

If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -

If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - - - -**Update/DetectionFrequency** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
- - - -

Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. - - - - -**Update/EngagedRestartDeadline** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling). - -

Supported values are 2-30 days. - -

The default value is 0 days (not specified). - - - - -**Update/EngagedRestartSnoozeSchedule** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications. - -

Supported values are 1-3 days. - -

The default value is 3 days. - - - - -**Update/EngagedRestartTransitionSchedule** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. - -

Supported values are 2-30 days. - -

The default value is 7 days. - - - - -**Update/ExcludeWUDriversInQualityUpdate** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. -> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. - -

Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. - -

The following list shows the supported values: - -- 0 (default) – Allow Windows Update drivers. -- 1 – Exclude Windows Update drivers. - - - - -**Update/FillEmptyContentUrls** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2cross markcheck mark2check mark2cross markcross mark
- - - -

Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). - -> [!NOTE] -> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. - -

The following list shows the supported values: - -- 0 (default) – Disabled. -- 1 – Enabled. - - - - -**Update/IgnoreMOAppDownloadLimit** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
- - - -

Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. - -> [!WARNING] -> Setting this policy might cause devices to incur costs from MO operators. - -

The following list shows the supported values: - -- 0 (default) – Do not ignore MO download limit for apps and their updates. -- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. - -

To validate this policy: - -1. Enable the policy ensure the device is on a cellular network. -2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: - - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f` - - - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""` - -3. Verify that any downloads that are above the download size limit will complete without being paused. - - - - -**Update/IgnoreMOUpdateDownloadLimit** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
- - - -

Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. - -> [!WARNING] -> Setting this policy might cause devices to incur costs from MO operators. - -

The following list shows the supported values: - -- 0 (default) – Do not ignore MO download limit for OS updates. -- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. - -

To validate this policy: - -1. Enable the policy and ensure the device is on a cellular network. -2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: - - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""` - -3. Verify that any downloads that are above the download size limit will complete without being paused. - - - - -**Update/PauseDeferrals** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcheck mark
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise -> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. - - -

Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. - -

The following list shows the supported values: - -- 0 (default) – Deferrals are not paused. -- 1 – Deferrals are paused. - -

If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -

If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - - - -**Update/PauseFeatureUpdates** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. -

Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. - - -

Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. - -

The following list shows the supported values: - -- 0 (default) – Feature Updates are not paused. -- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. - - - - -**Update/PauseFeatureUpdatesStartTime** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcheck mark2
- - - -

Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates. - -

Value type is string. Supported operations are Add, Get, Delete, and Replace. - - - - -**Update/PauseQualityUpdates** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcheck mark1
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. - -

The following list shows the supported values: - -- 0 (default) – Quality Updates are not paused. -- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. - - - - -**Update/PauseQualityUpdatesStartTime** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcheck mark2
- - - -

Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates. - -

Value type is string. Supported operations are Add, Get, Delete, and Replace. - - - - -**Update/RequireDeferUpgrade** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcheck mark
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise -> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. - - -

Allows the IT admin to set a device to CBB train. - -

The following list shows the supported values: - -- 0 (default) – User gets upgrades from Current Branch. -- 1 – User gets upgrades from Current Branch for Business. - - - - -**Update/RequireUpdateApproval** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcheck mark
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -
- -> [!NOTE] -> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. - - -

Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. - -

Supported operations are Get and Replace. - -

The following list shows the supported values: - -- 0 – Not configured. The device installs all applicable updates. -- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. - - - - -**Update/ScheduleImminentRestartWarning** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. - -

Supported values are 15, 30, or 60 (minutes). - -

The default value is 15 (minutes). - - - - -**Update/ScheduleRestartWarning** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications. - -

Supported values are 2, 4, 8, 12, or 24 (hours). - -

The default value is 4 (hours). - - - - -**Update/ScheduledInstallDay** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcheck mark
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

Enables the IT admin to schedule the day of the update installation. - -

The data type is a integer. - -

Supported operations are Add, Delete, Get, and Replace. - -

The following list shows the supported values: - -- 0 (default) – Every day -- 1 – Sunday -- 2 – Monday -- 3 – Tuesday -- 4 – Wednesday -- 5 – Thursday -- 6 – Friday -- 7 – Saturday - - - - -**Update/ScheduledInstallEveryWeek** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
- - - -

Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values: -

- - - - -**Update/ScheduledInstallFirstWeek** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
- - - -

Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values: -

- - - - -**Update/ScheduledInstallFourthWeek** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
- - - -

Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values: -

- - - - -**Update/ScheduledInstallSecondWeek** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
- - - -

Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values: -

- - - - -**Update/ScheduledInstallThirdWeek** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
- - - -

Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values: -

- - - - -**Update/ScheduledInstallTime** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcheck mark
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

Enables the IT admin to schedule the time of the update installation. - -

The data type is a integer. - -

Supported operations are Add, Delete, Get, and Replace. - -

Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. - -

The default value is 3. - - - - -**Update/SetAutoRestartNotificationDisable** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcheck mark2
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations. - -

The following list shows the supported values: - -- 0 (default) – Enabled -- 1 – Disabled - - - - -**Update/SetEDURestart** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
- - - -

Added in Windows 10, version 1703. For devices in a cart, this policy skips the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. - -

The following list shows the supported values: - -- 0 - not configured -- 1 - configured - - - - -**Update/UpdateServiceUrl** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcross markcheck mark
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -> [!Important] -> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile. - -

Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet. - -

Supported operations are Get and Replace. - -

The following list shows the supported values: - -- Not configured. The device checks for updates from Microsoft Update. -- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL. - -Example - -``` syntax - - $CmdID$ - - - chr - text/plain - - - ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl - - http://abcd-srv:8530 - - -``` - - - - -**Update/UpdateServiceUrlAlternate** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -> **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. - -

Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. - -

This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. - -

To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. - -

Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. - -> [!Note] -> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. -> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates. -> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. - - - - -**WiFi/AllowWiFiHotSpotReporting** - - -

This policy has been deprecated. - - - - -**Wifi/AllowAutoConnectToWiFiSenseHotspots** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Allow or disallow the device to automatically connect to Wi-Fi hotspots. - -

The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

Most restricted value is 0. - - - - -**Wifi/AllowInternetSharing** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Allow or disallow internet sharing. - -

The following list shows the supported values: - -- 0 – Do not allow the use of Internet Sharing. -- 1 (default) – Allow the use of Internet Sharing. - -

Most restricted value is 0. - - - - -**Wifi/AllowManualWiFiConfiguration** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1check markcheck mark
- - - -

Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. - -

The following list shows the supported values: - -- 0 – No Wi-Fi connection outside of MDM provisioned network is allowed. -- 1 (default) – Adding new network SSIDs beyond the already MDM provisioned ones is allowed. - -

Most restricted value is 0. - -> [!NOTE] -> Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted. - - - - -**Wifi/AllowWiFi** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1check markcheck mark
- - - -

Allow or disallow WiFi connection. - -

The following list shows the supported values: - -- 0 – WiFi connection is not allowed. -- 1 (default) – WiFi connection is allowed. - -

Most restricted value is 0. - - - - -**Wifi/AllowWiFiDirect** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. Allow WiFi Direct connection.. - -- 0 - WiFi Direct connection is not allowed. -- 1 - WiFi Direct connection is allowed. - - - - -**Wifi/WLANScanMode** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck markcheck markcheck markcheck markcheck mark
- - - -

Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. - -

Supported values are 0-500, where 100 = normal scan frequency and 500 = low scan frequency. - -

The default value is 0. - -

Supported operations are Add, Delete, Get, and Replace. - - - - -**WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -

Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace. - -

Value type is bool. The following list shows the supported values: - -- 0 - app suggestions are not allowed. -- 1 (default) -allow app suggestions. - - - - -**WindowsInkWorkspace/AllowWindowsInkWorkspace** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -

Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace. - -

Value type is int. The following list shows the supported values: - -- 0 - access to ink workspace is disabled. The feature is turned off. -- 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen. -- 2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen. - - - - -**WindowsLogon/DisableLockScreenAppNotifications** - - -This policy setting allows you to prevent app notifications from appearing on the lock screen. - -If you enable this policy setting, no app notifications are displayed on the lock screen. - -If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen. - - - -ADMX Info: -- GP english name: *Turn off app notifications on the lock screen* -- GP name: *DisableLockScreenAppNotifications* -- GP path: *System/Logon* -- GP ADMX file name: *logon.admx* - - - - -**WindowsLogon/DontDisplayNetworkSelectionUI** - - -This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. - -If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows. - -If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. - - - -ADMX Info: -- GP english name: *Do not display network selection UI* -- GP name: *DontDisplayNetworkSelectionUI* -- GP path: *System/Logon* -- GP ADMX file name: *logon.admx* - - - - -**WindowsLogon/HideFastUserSwitching** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2cross markcross mark
- - - -

Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. - -

Value type is bool. The following list shows the supported values: - -- 0 (default) - Diabled (visible). -- 1 - Enabled (hidden). - -

To validate on Desktop, do the following: - -1. Enable policy. -2. Verify that the Switch account button in Start is hidden. - - - - -**WirelessDisplay/AllowProjectionFromPC** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC. - -- 0 - your PC cannot discover or project to other devices. -- 1 - your PC can discover and project to other devices - - - - -**WirelessDisplay/AllowProjectionFromPCOverInfrastructure** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure. - -- 0 - your PC cannot discover or project to other infrastructure devices, although it is possible to discover and project over WiFi Direct. -- 1 - your PC can discover and project to other devices over infrastructure. - - - - -**WirelessDisplay/AllowProjectionToPC** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -

Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC. - -

If you set it to 0 (zero), your PC is not discoverable and you cannot project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. - -

Value type is integer. Valid value: - -- 0 - projection to PC is not allowed. Always off and the user cannot enable it. -- 1 (default) - projection to PC is allowed. Enabled only above the lock screen. - - - - -**WirelessDisplay/AllowProjectionToPCOverInfrastructure** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -

Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure. - -- 0 - your PC is not discoverable and other devices cannot project to it over infrastructure, although it is possible to project to it over WiFi Direct. -- 1 - your PC is discoverable and other devices can project to it over infrastructure. - - - - -**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver** - - -

Added in Windows 10, version 1703. - - - - -**WirelessDisplay/RequirePinForPairing** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark1check mark1check mark1cross markcross mark
- - - -

Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing. - -

If you turn this on, the pairing ceremony for new devices will always require a PIN. If you turn this off or do not configure it, a PIN is not required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. - -

Value type is integer. Valid value: - -- 0 (default) - PIN is not required. -- 1 - PIN is required. - - - -

- -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. - - +## Policies + +### AboveLock policies + +
+
+ AboveLock/AllowActionCenterNotifications +
+
+ AboveLock/AllowCortanaAboveLock +
+
+ AboveLock/AllowToasts +
+
+ +### Accounts policies + +
+
+ Accounts/AllowAddingNonMicrosoftAccountsManually +
+
+ Accounts/AllowMicrosoftAccountConnection +
+
+ Accounts/AllowMicrosoftAccountSignInAssistant +
+
+ Accounts/DomainNamesForEmailSync +
+
+ +### ActiveXControls policies + +
+
+ ActiveXControls/ApprovedInstallationSites +
+
+ +### ApplicationDefaults policies + +
+
+ ApplicationDefaults/DefaultAssociationsConfiguration +
+
+ +### ApplicationManagement policies + +
+
+ ApplicationManagement/AllowAllTrustedApps +
+
+ ApplicationManagement/AllowAppStoreAutoUpdate +
+
+ ApplicationManagement/AllowDeveloperUnlock +
+
+ ApplicationManagement/AllowGameDVR +
+
+ ApplicationManagement/AllowSharedUserAppData +
+
+ ApplicationManagement/AllowStore +
+
+ ApplicationManagement/ApplicationRestrictions +
+
+ ApplicationManagement/DisableStoreOriginatedApps +
+
+ ApplicationManagement/RequirePrivateStoreOnly +
+
+ ApplicationManagement/RestrictAppDataToSystemVolume +
+
+ ApplicationManagement/RestrictAppToSystemVolume +
+
+ +### AppVirtualization policies + +
+
+ AppVirtualization/AllowAppVClient +
+
+ AppVirtualization/AllowDynamicVirtualization +
+
+ AppVirtualization/AllowPackageCleanup +
+
+ AppVirtualization/AllowPackageScripts +
+
+ AppVirtualization/AllowPublishingRefreshUX +
+
+ AppVirtualization/AllowReportingServer +
+
+ AppVirtualization/AllowRoamingFileExclusions +
+
+ AppVirtualization/AllowRoamingRegistryExclusions +
+
+ AppVirtualization/AllowStreamingAutoload +
+
+ AppVirtualization/ClientCoexistenceAllowMigrationmode +
+
+ AppVirtualization/IntegrationAllowRootGlobal +
+
+ AppVirtualization/IntegrationAllowRootUser +
+
+ AppVirtualization/PublishingAllowServer1 +
+
+ AppVirtualization/PublishingAllowServer2 +
+
+ AppVirtualization/PublishingAllowServer3 +
+
+ AppVirtualization/PublishingAllowServer4 +
+
+ AppVirtualization/PublishingAllowServer5 +
+
+ AppVirtualization/StreamingAllowCertificateFilterForClient_SSL +
+
+ AppVirtualization/StreamingAllowHighCostLaunch +
+
+ AppVirtualization/StreamingAllowLocationProvider +
+
+ AppVirtualization/StreamingAllowPackageInstallationRoot +
+
+ AppVirtualization/StreamingAllowPackageSourceRoot +
+
+ AppVirtualization/StreamingAllowReestablishmentInterval +
+
+ AppVirtualization/StreamingAllowReestablishmentRetries +
+
+ AppVirtualization/StreamingSharedContentStoreMode +
+
+ AppVirtualization/StreamingSupportBranchCache +
+
+ AppVirtualization/StreamingVerifyCertificateRevocationList +
+
+ AppVirtualization/VirtualComponentsAllowList +
+
+ +### AttachmentManager policies + +
+
+ AttachmentManager/DoNotPreserveZoneInformation +
+
+ AttachmentManager/HideZoneInfoMechanism +
+
+ AttachmentManager/NotifyAntivirusPrograms +
+
+ +### Authentication policies + +
+
+ Authentication/AllowEAPCertSSO +
+
+ Authentication/AllowFastReconnect +
+
+ Authentication/AllowSecondaryAuthenticationDevice +
+
+ +### Autoplay policies + +
+
+ Autoplay/DisallowAutoplayForNonVolumeDevices +
+
+ Autoplay/SetDefaultAutoRunBehavior +
+
+ Autoplay/TurnOffAutoPlay +
+
+ +### Bitlocker policies + +
+
+ Bitlocker/EncryptionMethod +
+
+ +### Bluetooth policies + +
+
+ Bluetooth/AllowAdvertising +
+
+ Bluetooth/AllowDiscoverableMode +
+
+ Bluetooth/AllowPrepairing +
+
+ Bluetooth/LocalDeviceName +
+
+ Bluetooth/ServicesAllowedList +
+
+ +### Browser policies + +
+
+ Browser/AllowAddressBarDropdown +
+
+ Browser/AllowAutofill +
+
+ Browser/AllowBrowser +
+
+ Browser/AllowCookies +
+
+ Browser/AllowDeveloperTools +
+
+ Browser/AllowDoNotTrack +
+
+ Browser/AllowExtensions +
+
+ Browser/AllowFlash +
+
+ Browser/AllowFlashClickToRun +
+
+ Browser/AllowInPrivate +
+
+ Browser/AllowMicrosoftCompatibilityList +
+
+ Browser/AllowPasswordManager +
+
+ Browser/AllowPopups +
+
+ Browser/AllowSearchEngineCustomization +
+
+ Browser/AllowSearchSuggestionsinAddressBar +
+
+ Browser/AllowSmartScreen +
+
+ Browser/ClearBrowsingDataOnExit +
+
+ Browser/ConfigureAdditionalSearchEngines +
+
+ Browser/DisableLockdownOfStartPages +
+
+ Browser/EnterpriseModeSiteList +
+
+ Browser/EnterpriseSiteListServiceUrl +
+
+ Browser/FirstRunURL +
+
+ Browser/HomePages +
+
+ Browser/PreventAccessToAboutFlagsInMicrosoftEdge +
+
+ Browser/PreventFirstRunPage +
+
+ Browser/PreventLiveTileDataCollection +
+
+ Browser/PreventSmartScreenPromptOverride +
+
+ Browser/PreventSmartScreenPromptOverrideForFiles +
+
+ Browser/PreventUsingLocalHostIPAddressForWebRTC +
+
+ Browser/SendIntranetTraffictoInternetExplorer +
+
+ Browser/SetDefaultSearchEngine +
+
+ Browser/ShowMessageWhenOpeningSitesInInternetExplorer +
+
+ Browser/SyncFavoritesBetweenIEAndMicrosoftEdge +
+
+ +### Camera policies + +
+
+ Camera/AllowCamera +
+
+ +### Cellular policies + +
+
+ Cellular/ShowAppCellularAccessUI +
+
+ +### Connectivity policies + +
+
+ Connectivity/AllowBluetooth +
+
+ Connectivity/AllowCellularData +
+
+ Connectivity/AllowCellularDataRoaming +
+
+ Connectivity/AllowConnectedDevices +
+
+ Connectivity/AllowNFC +
+
+ Connectivity/AllowUSBConnection +
+
+ Connectivity/AllowVPNOverCellular +
+
+ Connectivity/AllowVPNRoamingOverCellular +
+
+ Connectivity/DiablePrintingOverHTTP +
+
+ Connectivity/DisableDownloadingOfPrintDriversOverHTTP +
+
+ Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards +
+
+ Connectivity/HardenedUNCPaths +
+
+ Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge +
+
+ +### CredentialProviders policies + +
+
+ CredentialProviders/AllowPINLogon +
+
+ CredentialProviders/BlockPicturePassword +
+
+ CredentialProviders/EnableWindowsAutoPilotResetCredentials +
+
+ +### CredentialsUI policies + +
+
+ CredentialsUI/DisablePasswordReveal +
+
+ CredentialsUI/EnumerateAdministrators +
+
+ +### Cryptography policies + +
+
+ Cryptography/AllowFipsAlgorithmPolicy +
+
+ Cryptography/TLSCipherSuites +
+
+ +### DataProtection policies + +
+
+ DataProtection/AllowDirectMemoryAccess +
+
+ DataProtection/LegacySelectiveWipeID +
+
+ +### DataUsage policies + +
+
+ DataUsage/SetCost3G +
+
+ DataUsage/SetCost4G +
+
+ +### Defender policies + +
+
+ Defender/AllowArchiveScanning +
+
+ Defender/AllowBehaviorMonitoring +
+
+ Defender/AllowCloudProtection +
+
+ Defender/AllowEmailScanning +
+
+ Defender/AllowFullScanOnMappedNetworkDrives +
+
+ Defender/AllowFullScanRemovableDriveScanning +
+
+ Defender/AllowIOAVProtection +
+
+ Defender/AllowIntrusionPreventionSystem +
+
+ Defender/AllowOnAccessProtection +
+
+ Defender/AllowRealtimeMonitoring +
+
+ Defender/AllowScanningNetworkFiles +
+
+ Defender/AllowScriptScanning +
+
+ Defender/AllowUserUIAccess +
+
+ Defender/AttackSurfaceReductionOnlyExclusions +
+
+ Defender/AttackSurfaceReductionRules +
+
+ Defender/AvgCPULoadFactor +
+
+ Defender/CloudBlockLevel +
+
+ Defender/CloudExtendedTimeout +
+
+ Defender/DaysToRetainCleanedMalware +
+
+ Defender/EnableGuardMyFolders +
+
+ Defender/EnableNetworkProtection +
+
+ Defender/ExcludedExtensions +
+
+ Defender/ExcludedPaths +
+
+ Defender/ExcludedProcesses +
+
+ Defender/GuardedFoldersAllowedApplications +
+
+ Defender/GuardedFoldersList +
+
+ Defender/PUAProtection +
+
+ Defender/RealTimeScanDirection +
+
+ Defender/ScanParameter +
+
+ Defender/ScheduleQuickScanTime +
+
+ Defender/ScheduleScanDay +
+
+ Defender/ScheduleScanTime +
+
+ Defender/SignatureUpdateInterval +
+
+ Defender/SubmitSamplesConsent +
+
+ Defender/ThreatSeverityDefaultAction +
+
+ +### DeliveryOptimization policies + +
+
+ DeliveryOptimization/DOAbsoluteMaxCacheSize +
+
+ DeliveryOptimization/DOAllowVPNPeerCaching +
+
+ DeliveryOptimization/DODownloadMode +
+
+ DeliveryOptimization/DOGroupId +
+
+ DeliveryOptimization/DOMaxCacheAge +
+
+ DeliveryOptimization/DOMaxCacheSize +
+
+ DeliveryOptimization/DOMaxDownloadBandwidth +
+
+ DeliveryOptimization/DOMaxUploadBandwidth +
+
+ DeliveryOptimization/DOMinBackgroundQos +
+
+ DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload +
+
+ DeliveryOptimization/DOMinDiskSizeAllowedToPeer +
+
+ DeliveryOptimization/DOMinFileSizeToCache +
+
+ DeliveryOptimization/DOMinRAMAllowedToPeer +
+
+ DeliveryOptimization/DOModifyCacheDrive +
+
+ DeliveryOptimization/DOMonthlyUploadDataCap +
+
+ DeliveryOptimization/DOPercentageMaxDownloadBandwidth +
+
+ +### Desktop policies + +
+
+ Desktop/PreventUserRedirectionOfProfileFolders +
+
+ +### DeviceGuard policies + +
+
+ DeviceGuard/EnableVirtualizationBasedSecurity +
+
+ DeviceGuard/LsaCfgFlags +
+
+ DeviceGuard/RequirePlatformSecurityFeatures +
+
+ +### DeviceInstallation policies + +
+
+ DeviceInstallation/PreventInstallationOfMatchingDeviceIDs +
+
+ DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses +
+
+ +### DeviceLock policies + +
+
+ DeviceLock/AllowIdleReturnWithoutPassword +
+
+ DeviceLock/AllowScreenTimeoutWhileLockedUserConfig +
+
+ DeviceLock/AllowSimpleDevicePassword +
+
+ DeviceLock/AlphanumericDevicePasswordRequired +
+
+ DeviceLock/DevicePasswordEnabled +
+
+ DeviceLock/DevicePasswordExpiration +
+
+ DeviceLock/DevicePasswordHistory +
+
+ DeviceLock/EnforceLockScreenAndLogonImage +
+
+ DeviceLock/EnforceLockScreenProvider +
+
+ DeviceLock/MaxDevicePasswordFailedAttempts +
+
+ DeviceLock/MaxInactivityTimeDeviceLock +
+
+ DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay +
+
+ DeviceLock/MinDevicePasswordComplexCharacters +
+
+ DeviceLock/MinDevicePasswordLength +
+
+ DeviceLock/PreventLockScreenSlideShow +
+
+ DeviceLock/ScreenTimeoutWhileLocked +
+
+ +### Display policies + +
+
+ Display/TurnOffGdiDPIScalingForApps +
+
+ Display/TurnOnGdiDPIScalingForApps +
+
+ +### EnterpriseCloudPrint policies + +
+
+ EnterpriseCloudPrint/CloudPrintOAuthAuthority +
+
+ EnterpriseCloudPrint/CloudPrintOAuthClientId +
+
+ EnterpriseCloudPrint/CloudPrintResourceId +
+
+ EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint +
+
+ EnterpriseCloudPrint/DiscoveryMaxPrinterLimit +
+
+ EnterpriseCloudPrint/MopriaDiscoveryResourceId +
+
+ +### ErrorReporting policies + +
+
+ ErrorReporting/CustomizeConsentSettings +
+
+ ErrorReporting/DisableWindowsErrorReporting +
+
+ ErrorReporting/DisplayErrorNotification +
+
+ ErrorReporting/DoNotSendAdditionalData +
+
+ ErrorReporting/PreventCriticalErrorDisplay +
+
+ +### EventLogService policies + +
+
+ EventLogService/ControlEventLogBehavior +
+
+ EventLogService/SpecifyMaximumFileSizeApplicationLog +
+
+ EventLogService/SpecifyMaximumFileSizeSecurityLog +
+
+ EventLogService/SpecifyMaximumFileSizeSystemLog +
+
+ +### Experience policies + +
+
+ Experience/AllowCopyPaste +
+
+ Experience/AllowCortana +
+
+ Experience/AllowDeviceDiscovery +
+
+ Experience/AllowManualMDMUnenrollment +
+
+ Experience/AllowSIMErrorDialogPromptWhenNoSIM +
+
+ Experience/AllowScreenCapture +
+
+ Experience/AllowSyncMySettings +
+
+ Experience/AllowTailoredExperiencesWithDiagnosticData +
+
+ Experience/AllowTaskSwitcher +
+
+ Experience/AllowThirdPartySuggestionsInWindowsSpotlight +
+
+ Experience/AllowVoiceRecording +
+
+ Experience/AllowWindowsConsumerFeatures +
+
+ Experience/AllowWindowsSpotlight +
+
+ Experience/AllowWindowsSpotlightOnActionCenter +
+
+ Experience/AllowWindowsSpotlightWindowsWelcomeExperience +
+
+ Experience/AllowWindowsTips +
+
+ Experience/ConfigureWindowsSpotlightOnLockScreen +
+
+ Experience/DoNotShowFeedbackNotifications +
+
+ +### Games policies + +
+
+ Games/AllowAdvancedGamingServices +
+
+ +### InternetExplorer policies + +
+
+ InternetExplorer/AddSearchProvider +
+
+ InternetExplorer/AllowActiveXFiltering +
+
+ InternetExplorer/AllowAddOnList +
+
+ InternetExplorer/AllowAutoComplete +
+
+ InternetExplorer/AllowCertificateAddressMismatchWarning +
+
+ InternetExplorer/AllowDeletingBrowsingHistoryOnExit +
+
+ InternetExplorer/AllowEnhancedProtectedMode +
+
+ InternetExplorer/AllowEnterpriseModeFromToolsMenu +
+
+ InternetExplorer/AllowEnterpriseModeSiteList +
+
+ InternetExplorer/AllowFallbackToSSL3 +
+
+ InternetExplorer/AllowInternetExplorer7PolicyList +
+
+ InternetExplorer/AllowInternetExplorerStandardsMode +
+
+ InternetExplorer/AllowInternetZoneTemplate +
+
+ InternetExplorer/AllowIntranetZoneTemplate +
+
+ InternetExplorer/AllowLocalMachineZoneTemplate +
+
+ InternetExplorer/AllowLockedDownInternetZoneTemplate +
+
+ InternetExplorer/AllowLockedDownIntranetZoneTemplate +
+
+ InternetExplorer/AllowLockedDownLocalMachineZoneTemplate +
+
+ InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate +
+
+ InternetExplorer/AllowOneWordEntry +
+
+ InternetExplorer/AllowSiteToZoneAssignmentList +
+
+ InternetExplorer/AllowSoftwareWhenSignatureIsInvalid +
+
+ InternetExplorer/AllowSuggestedSites +
+
+ InternetExplorer/AllowTrustedSitesZoneTemplate +
+
+ InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate +
+
+ InternetExplorer/AllowsRestrictedSitesZoneTemplate +
+
+ InternetExplorer/CheckServerCertificateRevocation +
+
+ InternetExplorer/CheckSignaturesOnDownloadedPrograms +
+
+ InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses +
+
+ InternetExplorer/DisableAdobeFlash +
+
+ InternetExplorer/DisableBlockingOfOutdatedActiveXControls +
+
+ InternetExplorer/DisableBypassOfSmartScreenWarnings +
+
+ InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles +
+
+ InternetExplorer/DisableConfiguringHistory +
+
+ InternetExplorer/DisableCrashDetection +
+
+ InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation +
+
+ InternetExplorer/DisableDeletingUserVisitedWebsites +
+
+ InternetExplorer/DisableEnclosureDownloading +
+
+ InternetExplorer/DisableEncryptionSupport +
+
+ InternetExplorer/DisableFirstRunWizard +
+
+ InternetExplorer/DisableFlipAheadFeature +
+
+ InternetExplorer/DisableHomePageChange +
+
+ InternetExplorer/DisableIgnoringCertificateErrors +
+
+ InternetExplorer/DisableInPrivateBrowsing +
+
+ InternetExplorer/DisableProcessesInEnhancedProtectedMode +
+
+ InternetExplorer/DisableProxyChange +
+
+ InternetExplorer/DisableSearchProviderChange +
+
+ InternetExplorer/DisableSecondaryHomePageChange +
+
+ InternetExplorer/DisableSecuritySettingsCheck +
+
+ InternetExplorer/DisableUpdateCheck +
+
+ InternetExplorer/DoNotAllowActiveXControlsInProtectedMode +
+
+ InternetExplorer/DoNotAllowUsersToAddSites +
+
+ InternetExplorer/DoNotAllowUsersToChangePolicies +
+
+ InternetExplorer/DoNotBlockOutdatedActiveXControls +
+
+ InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains +
+
+ InternetExplorer/IncludeAllLocalSites +
+
+ InternetExplorer/IncludeAllNetworkPaths +
+
+ InternetExplorer/InternetZoneAllowAccessToDataSources +
+
+ InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls +
+
+ InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads +
+
+ InternetExplorer/InternetZoneAllowCopyPasteViaScript +
+
+ InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles +
+
+ InternetExplorer/InternetZoneAllowFontDownloads +
+
+ InternetExplorer/InternetZoneAllowLessPrivilegedSites +
+
+ InternetExplorer/InternetZoneAllowLoadingOfXAMLFilesWRONG +
+
+ InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents +
+
+ InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls +
+
+ InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl +
+
+ InternetExplorer/InternetZoneAllowScriptInitiatedWindows +
+
+ InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls +
+
+ InternetExplorer/InternetZoneAllowScriptlets +
+
+ InternetExplorer/InternetZoneAllowSmartScreenIE +
+
+ InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript +
+
+ InternetExplorer/InternetZoneAllowUserDataPersistence +
+
+ InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1 +
+
+ InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2 +
+
+ InternetExplorer/InternetZoneDownloadSignedActiveXControls +
+
+ InternetExplorer/InternetZoneDownloadUnsignedActiveXControls +
+
+ InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter +
+
+ InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows +
+
+ InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows +
+
+ InternetExplorer/InternetZoneEnableMIMESniffing +
+
+ InternetExplorer/InternetZoneEnableProtectedMode +
+
+ InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer +
+
+ InternetExplorer/InternetZoneInitializeAndScriptActiveXControls +
+
+ InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe +
+
+ InternetExplorer/InternetZoneJavaPermissionsWRONG1 +
+
+ InternetExplorer/InternetZoneJavaPermissionsWRONG2 +
+
+ InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME +
+
+ InternetExplorer/InternetZoneLogonOptions +
+
+ InternetExplorer/InternetZoneNavigateWindowsAndFrames +
+
+ InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode +
+
+ InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode +
+
+ InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles +
+
+ InternetExplorer/InternetZoneUsePopupBlocker +
+
+ InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone +
+
+ InternetExplorer/IntranetZoneAllowAccessToDataSources +
+
+ InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls +
+
+ InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads +
+
+ InternetExplorer/IntranetZoneAllowFontDownloads +
+
+ InternetExplorer/IntranetZoneAllowLessPrivilegedSites +
+
+ InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents +
+
+ InternetExplorer/IntranetZoneAllowScriptlets +
+
+ InternetExplorer/IntranetZoneAllowSmartScreenIE +
+
+ InternetExplorer/IntranetZoneAllowUserDataPersistence +
+
+ InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls +
+
+ InternetExplorer/IntranetZoneNavigateWindowsAndFrames +
+
+ InternetExplorer/LocalMachineZoneAllowAccessToDataSources +
+
+ InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls +
+
+ InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads +
+
+ InternetExplorer/LocalMachineZoneAllowFontDownloads +
+
+ InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites +
+
+ InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents +
+
+ InternetExplorer/LocalMachineZoneAllowScriptlets +
+
+ InternetExplorer/LocalMachineZoneAllowSmartScreenIE +
+
+ InternetExplorer/LocalMachineZoneAllowUserDataPersistence +
+
+ InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls +
+
+ InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls +
+
+ InternetExplorer/LocalMachineZoneJavaPermissions +
+
+ InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames +
+
+ InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources +
+
+ InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls +
+
+ InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads +
+
+ InternetExplorer/LockedDownInternetZoneAllowFontDownloads +
+
+ InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites +
+
+ InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents +
+
+ InternetExplorer/LockedDownInternetZoneAllowScriptlets +
+
+ InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE +
+
+ InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence +
+
+ InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls +
+
+ InternetExplorer/LockedDownInternetZoneJavaPermissions +
+
+ InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames +
+
+ InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources +
+
+ InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls +
+
+ InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads +
+
+ InternetExplorer/LockedDownIntranetZoneAllowFontDownloads +
+
+ InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites +
+
+ InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents +
+
+ InternetExplorer/LockedDownIntranetZoneAllowScriptlets +
+
+ InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE +
+
+ InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence +
+
+ InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls +
+
+ InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames +
+
+ InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources +
+
+ InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls +
+
+ InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads +
+
+ InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads +
+
+ InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites +
+
+ InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents +
+
+ InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets +
+
+ InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE +
+
+ InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence +
+
+ InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls +
+
+ InternetExplorer/LockedDownLocalMachineZoneJavaPermissions +
+
+ InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames +
+
+ InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources +
+
+ InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls +
+
+ InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads +
+
+ InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads +
+
+ InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites +
+
+ InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents +
+
+ InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets +
+
+ InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE +
+
+ InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence +
+
+ InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls +
+
+ InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions +
+
+ InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames +
+
+ InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources +
+
+ InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls +
+
+ InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads +
+
+ InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads +
+
+ InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites +
+
+ InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents +
+
+ InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets +
+
+ InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE +
+
+ InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence +
+
+ InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls +
+
+ InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions +
+
+ InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames +
+
+ InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses +
+
+ InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses +
+
+ InternetExplorer/NotificationBarInternetExplorerProcesses +
+
+ InternetExplorer/PreventManagingSmartScreenFilter +
+
+ InternetExplorer/PreventPerUserInstallationOfActiveXControls +
+
+ InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses +
+
+ InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls +
+
+ InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses +
+
+ InternetExplorer/RestrictFileDownloadInternetExplorerProcesses +
+
+ InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources +
+
+ InternetExplorer/RestrictedSitesZoneAllowActiveScripting +
+
+ InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls +
+
+ InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads +
+
+ InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors +
+
+ InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript +
+
+ InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles +
+
+ InternetExplorer/RestrictedSitesZoneAllowFileDownloads +
+
+ InternetExplorer/RestrictedSitesZoneAllowFontDownloads +
+
+ InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG1 +
+
+ InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG2 +
+
+ InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites +
+
+ InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles +
+
+ InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH +
+
+ InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents +
+
+ InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls +
+
+ InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl +
+
+ InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows +
+
+ InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls +
+
+ InternetExplorer/RestrictedSitesZoneAllowScriptlets +
+
+ InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE +
+
+ InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript +
+
+ InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence +
+
+ InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls +
+
+ InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls +
+
+ InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls +
+
+ InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows +
+
+ InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows +
+
+ InternetExplorer/RestrictedSitesZoneEnableMIMESniffing +
+
+ InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer +
+
+ InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls +
+
+ InternetExplorer/RestrictedSitesZoneJavaPermissions +
+
+ InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME +
+
+ InternetExplorer/RestrictedSitesZoneLogonOptions +
+
+ InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames +
+
+ InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains +
+
+ InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins +
+
+ InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode +
+
+ InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting +
+
+ InternetExplorer/RestrictedSitesZoneWRONG +
+
+ InternetExplorer/RestrictedSitesZoneWRONG2 +
+
+ InternetExplorer/RestrictedSitesZoneWRONG3 +
+
+ InternetExplorer/RestrictedSitesZoneWRONG4 +
+
+ InternetExplorer/RestrictedSitesZoneWRONG5 +
+
+ InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses +
+
+ InternetExplorer/SearchProviderList +
+
+ InternetExplorer/SecurityZonesUseOnlyMachineSettings +
+
+ InternetExplorer/SpecifyUseOfActiveXInstallerService +
+
+ InternetExplorer/TrustedSitesZoneAllowAccessToDataSources +
+
+ InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls +
+
+ InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads +
+
+ InternetExplorer/TrustedSitesZoneAllowFontDownloads +
+
+ InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites +
+
+ InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents +
+
+ InternetExplorer/TrustedSitesZoneAllowScriptlets +
+
+ InternetExplorer/TrustedSitesZoneAllowSmartScreenIE +
+
+ InternetExplorer/TrustedSitesZoneAllowUserDataPersistence +
+
+ InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls +
+
+ InternetExplorer/TrustedSitesZoneJavaPermissions +
+
+ InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames +
+
+ InternetExplorer/TrustedSitesZoneWRONG1 +
+
+ InternetExplorer/TrustedSitesZoneWRONG2 +
+
+ +### Kerberos policies + +
+
+ Kerberos/AllowForestSearchOrder +
+
+ Kerberos/KerberosClientSupportsClaimsCompoundArmor +
+
+ Kerberos/RequireKerberosArmoring +
+
+ Kerberos/RequireStrictKDCValidation +
+
+ Kerberos/SetMaximumContextTokenSize +
+
+ +### Licensing policies + +
+
+ Licensing/AllowWindowsEntitlementReactivation +
+
+ Licensing/DisallowKMSClientOnlineAVSValidation +
+
+ +### Location policies + +
+
+ Location/EnableLocation +
+
+ +### LockDown policies + +
+
+ LockDown/AllowEdgeSwipe +
+
+ +### Maps policies + +
+
+ Maps/AllowOfflineMapsDownloadOverMeteredConnection +
+
+ Maps/EnableOfflineMapsAutoUpdate +
+
+ +### Messaging policies + +
+
+ Messaging/AllowMMS +
+
+ Messaging/AllowMessageSync +
+
+ Messaging/AllowRCS +
+
+ +### NetworkIsolation policies + +
+
+ NetworkIsolation/EnterpriseCloudResources +
+
+ NetworkIsolation/EnterpriseIPRange +
+
+ NetworkIsolation/EnterpriseIPRangesAreAuthoritative +
+
+ NetworkIsolation/EnterpriseInternalProxyServers +
+
+ NetworkIsolation/EnterpriseNetworkDomainNames +
+
+ NetworkIsolation/EnterpriseProxyServers +
+
+ NetworkIsolation/EnterpriseProxyServersAreAuthoritative +
+
+ NetworkIsolation/NeutralResources +
+
+ +### Notifications policies + +
+
+ Notifications/DisallowNotificationMirroring +
+
+ +### Power policies + +
+
+ Power/AllowStandbyWhenSleepingPluggedIn +
+
+ Power/DisplayOffTimeoutOnBattery +
+
+ Power/DisplayOffTimeoutPluggedIn +
+
+ Power/HibernateTimeoutOnBattery +
+
+ Power/HibernateTimeoutPluggedIn +
+
+ Power/RequirePasswordWhenComputerWakesOnBattery +
+
+ Power/RequirePasswordWhenComputerWakesPluggedIn +
+
+ Power/StandbyTimeoutOnBattery +
+
+ Power/StandbyTimeoutPluggedIn +
+
+ +### Printers policies + +
+
+ Printers/PointAndPrintRestrictions +
+
+ Printers/PointAndPrintRestrictions_User +
+
+ Printers/PublishPrinters +
+
+ +### Privacy policies + +
+
+ Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts +
+
+ Privacy/AllowInputPersonalization +
+
+ Privacy/DisableAdvertisingId +
+
+ Privacy/LetAppsAccessAccountInfo +
+
+ Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps +
+
+ Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps +
+
+ Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps +
+
+ Privacy/LetAppsAccessCalendar +
+
+ Privacy/LetAppsAccessCalendar_ForceAllowTheseApps +
+
+ Privacy/LetAppsAccessCalendar_ForceDenyTheseApps +
+
+ Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps +
+
+ Privacy/LetAppsAccessCallHistory +
+
+ Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps +
+
+ Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps +
+
+ Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps +
+
+ Privacy/LetAppsAccessCamera +
+
+ Privacy/LetAppsAccessCamera_ForceAllowTheseApps +
+
+ Privacy/LetAppsAccessCamera_ForceDenyTheseApps +
+
+ Privacy/LetAppsAccessCamera_UserInControlOfTheseApps +
+
+ Privacy/LetAppsAccessContacts +
+
+ Privacy/LetAppsAccessContacts_ForceAllowTheseApps +
+
+ Privacy/LetAppsAccessContacts_ForceDenyTheseApps +
+
+ Privacy/LetAppsAccessContacts_UserInControlOfTheseApps +
+
+ Privacy/LetAppsAccessEmail +
+
+ Privacy/LetAppsAccessEmail_ForceAllowTheseApps +
+
+ Privacy/LetAppsAccessEmail_ForceDenyTheseApps +
+
+ Privacy/LetAppsAccessEmail_UserInControlOfTheseApps +
+
+ Privacy/LetAppsAccessLocation +
+
+ Privacy/LetAppsAccessLocation_ForceAllowTheseApps +
+
+ Privacy/LetAppsAccessLocation_ForceDenyTheseApps +
+
+ Privacy/LetAppsAccessLocation_UserInControlOfTheseApps +
+
+ Privacy/LetAppsAccessMessaging +
+
+ Privacy/LetAppsAccessMessaging_ForceAllowTheseApps +
+
+ Privacy/LetAppsAccessMessaging_ForceDenyTheseApps +
+
+ Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps +
+
+ Privacy/LetAppsAccessMicrophone +
+
+ Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps +
+
+ Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps +
+
+ Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps +
+
+ Privacy/LetAppsAccessMotion +
+
+ Privacy/LetAppsAccessMotion_ForceAllowTheseApps +
+
+ Privacy/LetAppsAccessMotion_ForceDenyTheseApps +
+
+ Privacy/LetAppsAccessMotion_UserInControlOfTheseApps +
+
+ Privacy/LetAppsAccessNotifications +
+
+ Privacy/LetAppsAccessNotifications_ForceAllowTheseApps +
+
+ Privacy/LetAppsAccessNotifications_ForceDenyTheseApps +
+
+ Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps +
+
+ Privacy/LetAppsAccessPhone +
+
+ Privacy/LetAppsAccessPhone_ForceAllowTheseApps +
+
+ Privacy/LetAppsAccessPhone_ForceDenyTheseApps +
+
+ Privacy/LetAppsAccessPhone_UserInControlOfTheseApps +
+
+ Privacy/LetAppsAccessRadios +
+
+ Privacy/LetAppsAccessRadios_ForceAllowTheseApps +
+
+ Privacy/LetAppsAccessRadios_ForceDenyTheseApps +
+
+ Privacy/LetAppsAccessRadios_UserInControlOfTheseApps +
+
+ Privacy/LetAppsAccessTasks +
+
+ Privacy/LetAppsAccessTasks_ForceAllowTheseApps +
+
+ Privacy/LetAppsAccessTasks_ForceDenyTheseApps +
+
+ Privacy/LetAppsAccessTasks_UserInControlOfTheseApps +
+
+ Privacy/LetAppsAccessTrustedDevices +
+
+ Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps +
+
+ Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps +
+
+ Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps +
+
+ Privacy/LetAppsGetDiagnosticInfo +
+
+ Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps +
+
+ Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps +
+
+ Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps +
+
+ Privacy/LetAppsRunInBackground +
+
+ Privacy/LetAppsRunInBackground_ForceAllowTheseApps +
+
+ Privacy/LetAppsRunInBackground_ForceDenyTheseApps +
+
+ Privacy/LetAppsRunInBackground_UserInControlOfTheseApps +
+
+ Privacy/LetAppsSyncWithDevices +
+
+ Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps +
+
+ Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps +
+
+ Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps +
+
+ +### RemoteAssistance policies + +
+
+ RemoteAssistance/CustomizeWarningMessages +
+
+ RemoteAssistance/SessionLogging +
+
+ RemoteAssistance/SolicitedRemoteAssistance +
+
+ RemoteAssistance/UnsolicitedRemoteAssistance +
+
+ +### RemoteDesktopServices policies + +
+
+ RemoteDesktopServices/AllowUsersToConnectRemotely +
+
+ RemoteDesktopServices/ClientConnectionEncryptionLevel +
+
+ RemoteDesktopServices/DoNotAllowDriveRedirection +
+
+ RemoteDesktopServices/DoNotAllowPasswordSaving +
+
+ RemoteDesktopServices/PromptForPasswordUponConnection +
+
+ RemoteDesktopServices/RequireSecureRPCCommunication +
+
+ +### RemoteManagement policies + +
+
+ RemoteManagement/AllowBasicAuthentication_Client +
+
+ RemoteManagement/AllowBasicAuthentication_Service +
+
+ RemoteManagement/AllowCredSSPAuthenticationClient +
+
+ RemoteManagement/AllowCredSSPAuthenticationService +
+
+ RemoteManagement/AllowRemoteServerManagement +
+
+ RemoteManagement/AllowUnencryptedTraffic_Client +
+
+ RemoteManagement/AllowUnencryptedTraffic_Service +
+
+ RemoteManagement/DisallowDigestAuthentication +
+
+ RemoteManagement/DisallowNegotiateAuthenticationClient +
+
+ RemoteManagement/DisallowNegotiateAuthenticationService +
+
+ RemoteManagement/DisallowStoringOfRunAsCredentials +
+
+ RemoteManagement/SpecifyChannelBindingTokenHardeningLevel +
+
+ RemoteManagement/TrustedHosts +
+
+ RemoteManagement/TurnOnCompatibilityHTTPListener +
+
+ RemoteManagement/TurnOnCompatibilityHTTPSListener +
+
+ +### RemoteProcedureCall policies + +
+
+ RemoteProcedureCall/RPCEndpointMapperClientAuthentication +
+
+ RemoteProcedureCall/RestrictUnauthenticatedRPCClients +
+
+ +### RemoteShell policies + +
+
+ RemoteShell/AllowRemoteShellAccess +
+
+ RemoteShell/MaxConcurrentUsers +
+
+ RemoteShell/SpecifyIdleTimeout +
+
+ RemoteShell/SpecifyMaxMemory +
+
+ RemoteShell/SpecifyMaxProcesses +
+
+ RemoteShell/SpecifyMaxRemoteShells +
+
+ RemoteShell/SpecifyShellTimeout +
+
+ +### Search policies + +
+
+ Search/AllowIndexingEncryptedStoresOrItems +
+
+ Search/AllowSearchToUseLocation +
+
+ Search/AllowUsingDiacritics +
+
+ Search/AlwaysUseAutoLangDetection +
+
+ Search/DisableBackoff +
+
+ Search/DisableRemovableDriveIndexing +
+
+ Search/PreventIndexingLowDiskSpaceMB +
+
+ Search/PreventRemoteQueries +
+
+ Search/SafeSearchPermissions +
+
+ +### Security policies + +
+
+ Security/AllowAddProvisioningPackage +
+
+ Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices +
+
+ Security/AllowManualRootCertificateInstallation +
+
+ Security/AllowRemoveProvisioningPackage +
+
+ Security/AntiTheftMode +
+
+ Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices +
+
+ Security/RequireDeviceEncryption +
+
+ Security/RequireProvisioningPackageSignature +
+
+ Security/RequireRetrieveHealthCertificateOnBoot +
+
+ +### Settings policies + +
+
+ Settings/AllowAutoPlay +
+
+ Settings/AllowDataSense +
+
+ Settings/AllowDateTime +
+
+ Settings/AllowEditDeviceName +
+
+ Settings/AllowLanguage +
+
+ Settings/AllowPowerSleep +
+
+ Settings/AllowRegion +
+
+ Settings/AllowSignInOptions +
+
+ Settings/AllowVPN +
+
+ Settings/AllowWorkplace +
+
+ Settings/AllowYourAccount +
+
+ Settings/ConfigureTaskbarCalendar +
+
+ Settings/PageVisibilityList +
+
+ +### SmartScreen policies + +
+
+ SmartScreen/EnableAppInstallControl +
+
+ SmartScreen/EnableSmartScreenInShell +
+
+ SmartScreen/PreventOverrideForFilesInShell +
+
+ +### Speech policies + +
+
+ Speech/AllowSpeechModelUpdate +
+
+ +### Start policies + +
+
+ Start/AllowPinnedFolderDocuments +
+
+ Start/AllowPinnedFolderDownloads +
+
+ Start/AllowPinnedFolderFileExplorer +
+
+ Start/AllowPinnedFolderHomeGroup +
+
+ Start/AllowPinnedFolderMusic +
+
+ Start/AllowPinnedFolderNetwork +
+
+ Start/AllowPinnedFolderPersonalFolder +
+
+ Start/AllowPinnedFolderPictures +
+
+ Start/AllowPinnedFolderSettings +
+
+ Start/AllowPinnedFolderVideos +
+
+ Start/ForceStartSize +
+
+ Start/HideAppList +
+
+ Start/HideChangeAccountSettings +
+
+ Start/HideFrequentlyUsedApps +
+
+ Start/HideHibernate +
+
+ Start/HideLock +
+
+ Start/HidePowerButton +
+
+ Start/HideRecentJumplists +
+
+ Start/HideRecentlyAddedApps +
+
+ Start/HideRestart +
+
+ Start/HideShutDown +
+
+ Start/HideSignOut +
+
+ Start/HideSleep +
+
+ Start/HideSwitchAccount +
+
+ Start/HideUserTile +
+
+ Start/ImportEdgeAssets +
+
+ Start/NoPinningToTaskbar +
+
+ Start/StartLayout +
+
+ +### Storage policies + +
+
+ Storage/EnhancedStorageDevices +
+
+ +### System policies + +
+
+ System/AllowBuildPreview +
+
+ System/AllowEmbeddedMode +
+
+ System/AllowExperimentation +
+
+ System/AllowFontProviders +
+
+ System/AllowLocation +
+
+ System/AllowStorageCard +
+
+ System/AllowTelemetry +
+
+ System/AllowUserToResetPhone +
+
+ System/BootStartDriverInitialization +
+
+ System/DisableOneDriveFileSync +
+
+ System/DisableSystemRestore +
+
+ System/TelemetryProxy +
+
+ +### TextInput policies + +
+
+ TextInput/AllowIMELogging +
+
+ TextInput/AllowIMENetworkAccess +
+
+ TextInput/AllowInputPanel +
+
+ TextInput/AllowJapaneseIMESurrogatePairCharacters +
+
+ TextInput/AllowJapaneseIVSCharacters +
+
+ TextInput/AllowJapaneseNonPublishingStandardGlyph +
+
+ TextInput/AllowJapaneseUserDictionary +
+
+ TextInput/AllowKeyboardTextSuggestions +
+
+ TextInput/AllowKoreanExtendedHanja +
+
+ TextInput/AllowLanguageFeaturesUninstall +
+
+ TextInput/ExcludeJapaneseIMEExceptJIS0208 +
+
+ TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC +
+
+ TextInput/ExcludeJapaneseIMEExceptShiftJIS +
+
+ +### TimeLanguageSettings policies + +
+
+ TimeLanguageSettings/AllowSet24HourClock +
+
+ +### Update policies + +
+
+ Update/ActiveHoursEnd +
+
+ Update/ActiveHoursMaxRange +
+
+ Update/ActiveHoursStart +
+
+ Update/AllowAutoUpdate +
+
+ Update/AllowMUUpdateService +
+
+ Update/AllowNonMicrosoftSignedUpdate +
+
+ Update/AllowUpdateService +
+
+ Update/AutoRestartDeadlinePeriodInDays +
+
+ Update/AutoRestartNotificationSchedule +
+
+ Update/AutoRestartRequiredNotificationDismissal +
+
+ Update/BranchReadinessLevel +
+
+ Update/DeferFeatureUpdatesPeriodInDays +
+
+ Update/DeferQualityUpdatesPeriodInDays +
+
+ Update/DeferUpdatePeriod +
+
+ Update/DeferUpgradePeriod +
+
+ Update/DetectionFrequency +
+
+ Update/EngagedRestartDeadline +
+
+ Update/EngagedRestartSnoozeSchedule +
+
+ Update/EngagedRestartTransitionSchedule +
+
+ Update/ExcludeWUDriversInQualityUpdate +
+
+ Update/FillEmptyContentUrls +
+
+ Update/IgnoreMOAppDownloadLimit +
+
+ Update/IgnoreMOUpdateDownloadLimit +
+
+ Update/PauseDeferrals +
+
+ Update/PauseFeatureUpdates +
+
+ Update/PauseFeatureUpdatesStartTime +
+
+ Update/PauseQualityUpdates +
+
+ Update/PauseQualityUpdatesStartTime +
+
+ Update/RequireDeferUpgrade +
+
+ Update/RequireUpdateApproval +
+
+ Update/ScheduleImminentRestartWarning +
+
+ Update/ScheduleRestartWarning +
+
+ Update/ScheduledInstallDay +
+
+ Update/ScheduledInstallEveryWeek +
+
+ Update/ScheduledInstallFirstWeek +
+
+ Update/ScheduledInstallFourthWeek +
+
+ Update/ScheduledInstallSecondWeek +
+
+ Update/ScheduledInstallThirdWeek +
+
+ Update/ScheduledInstallTime +
+
+ Update/SetAutoRestartNotificationDisable +
+
+ Update/SetEDURestart +
+
+ Update/UpdateServiceUrl +
+
+ Update/UpdateServiceUrlAlternate +
+
+ +### Wifi policies + +
+
+ WiFi/AllowWiFiHotSpotReporting +
+
+ Wifi/AllowAutoConnectToWiFiSenseHotspots +
+
+ Wifi/AllowInternetSharing +
+
+ Wifi/AllowManualWiFiConfiguration +
+
+ Wifi/AllowWiFi +
+
+ Wifi/AllowWiFiDirect +
+
+ Wifi/WLANScanMode +
+
+ +### WindowsInkWorkspace policies + +
+
+ WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace +
+
+ WindowsInkWorkspace/AllowWindowsInkWorkspace +
+
+ +### WindowsLogon policies + +
+
+ WindowsLogon/DisableLockScreenAppNotifications +
+
+ WindowsLogon/DontDisplayNetworkSelectionUI +
+
+ WindowsLogon/HideFastUserSwitching +
+
+ +### WirelessDisplay policies + +
+
+ WirelessDisplay/AllowProjectionFromPC +
+
+ WirelessDisplay/AllowProjectionFromPCOverInfrastructure +
+
+ WirelessDisplay/AllowProjectionToPC +
+
+ WirelessDisplay/AllowProjectionToPCOverInfrastructure +
+
+ WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver +
+
+ WirelessDisplay/RequirePinForPairing +
+
+ + +## ADMX backed policies + +- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites) +- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient) +- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization) +- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup) +- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts) +- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux) +- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver) +- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions) +- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions) +- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload) +- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode) +- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal) +- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser) +- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1) +- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2) +- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3) +- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4) +- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5) +- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient_ssl) +- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch) +- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider) +- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot) +- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot) +- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval) +- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries) +- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode) +- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache) +- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist) +- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist) +- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation) +- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism) +- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms) +- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices) +- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior) +- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay) +- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#None) +- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#None) +- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#None) +- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#None) +- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths) +- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#None) +- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon) +- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword) +- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal) +- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators) +- [DataUsage/SetCost3G](./policy-csp-datausage.md#datausage-setcost3g) +- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g) +- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders) +- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids) +- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses) +- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow) +- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings) +- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting) +- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification) +- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata) +- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay) +- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior) +- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog) +- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog) +- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog) +- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider) +- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering) +- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist) +- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode) +- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu) +- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist) +- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist) +- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode) +- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate) +- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate) +- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate) +- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate) +- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate) +- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate) +- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate) +- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry) +- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist) +- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites) +- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate) +- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate) +- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate) +- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash) +- [InternetExplorer/DisableBlockingOfOutdatedActiveXControls](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings) +- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles) +- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation) +- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading) +- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport) +- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard) +- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature) +- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange) +- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange) +- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange) +- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange) +- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck) +- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites) +- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies) +- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols) +- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains) +- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites) +- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths) +- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources) +- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads) +- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites) +- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFilesWRONG](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets) +- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie) +- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence) +- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneJavaPermissionsWRONG1](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneJavaPermissionsWRONG2](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes) +- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources) +- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads) +- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites) +- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets) +- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie) +- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence) +- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes) +- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources) +- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads) +- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites) +- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents) +- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets) +- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie) +- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence) +- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes) +- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources) +- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads) +- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets) +- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie) +- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence) +- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes) +- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources) +- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads) +- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets) +- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie) +- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence) +- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes) +- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources) +- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads) +- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets) +- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie) +- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence) +- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence) +- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence) +- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes) +- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources) +- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG1](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG2](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets) +- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie) +- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence) +- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes) +- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneWRONG](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneWRONG2](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneWRONG3](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneWRONG4](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/RestrictedSitesZoneWRONG5](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist) +- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources) +- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads) +- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets) +- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie) +- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence) +- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes) +- [InternetExplorer/TrustedSitesZoneWRONG1](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/TrustedSitesZoneWRONG2](./policy-csp-internetexplorer.md#None) +- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder) +- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor) +- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring) +- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation) +- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize) +- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin) +- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) +- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) +- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery) +- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin) +- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery) +- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin) +- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) +- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) +- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions) +- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions_user) +- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters) +- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages) +- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging) +- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance) +- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance) +- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely) +- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel) +- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection) +- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving) +- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection) +- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication) +- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#None) +- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#None) +- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#None) +- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#None) +- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#None) +- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#None) +- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#None) +- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#None) +- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#None) +- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#None) +- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#None) +- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#None) +- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#None) +- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#None) +- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#None) +- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication) +- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients) +- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#None) +- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#None) +- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#None) +- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#None) +- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#None) +- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#None) +- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#None) +- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices) +- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) +- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) +- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) +- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) -## Policies Supported by IoT Core +## Policies supported by IoT Core - [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) - [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) @@ -21567,6 +3160,9 @@ Footnote: - [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) - [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular) - [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular) +- [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths) +- [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon) +- [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword) - [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess) - [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) - [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) @@ -21599,27 +3195,27 @@ Footnote: -## Policies supported by Windows Holographic for Business +## Policies supported by Windows Holographic for Business -- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection) -- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps) -- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate) -- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) -- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](#browser-allowsmartscreen) -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword) -- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) -- [Experience/AllowCortana](#experience-allowcortana) -- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment) +- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection) +- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps) +- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate) +- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) +- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) +- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) +- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) +- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) +- [Browser/AllowCookies](#browser-allowcookies) +- [Browser/AllowDoNotTrack](#browser-allowdonottrack) +- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) +- [Browser/AllowPopups](#browser-allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](#browser-allowsmartscreen) +- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword) +- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) +- [Experience/AllowCortana](#experience-allowcortana) +- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment) - [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) - [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) - [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) @@ -21629,94 +3225,95 @@ Footnote: - [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) - [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) - [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) +- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) +- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) +- [Settings/AllowDateTime](#settings-allowdatetime) +- [Settings/AllowVPN](#settings-allowvpn) - [System/AllowFontProviders](#system-allowfontproviders) -- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) -- [Settings/AllowDateTime](#settings-allowdatetime) -- [Settings/AllowVPN](#settings-allowvpn) -- [System/AllowLocation](#system-allowlocation) -- [System/AllowTelemetry](#system-allowtelemetry) -- [Update/AllowAutoUpdate](#update-allowautoupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](#update-requireupdateapproval) -- [Update/UpdateServiceUrl](#update-updateserviceurl) +- [System/AllowLocation](#system-allowlocation) +- [System/AllowTelemetry](#system-allowtelemetry) +- [Update/AllowAutoUpdate](#update-allowautoupdate) +- [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) +- [Update/RequireUpdateApproval](#update-requireupdateapproval) +- [Update/UpdateServiceUrl](#update-updateserviceurl) -## Policies supported by Microsoft Surface Hub +## Policies supported by Microsoft Surface Hub - [ApplicationDefaults/DefaultAssociationsConfiguration](#applicationdefaults-defaultassociationsconfiguration) -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) +- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) +- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) +- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing) +- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) +- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) - [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDeveloperTools](#browser-allowdevelopertools) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) +- [Browser/AllowCookies](#browser-allowcookies) +- [Browser/AllowDeveloperTools](#browser-allowdevelopertools) +- [Browser/AllowDoNotTrack](#browser-allowdonottrack) - [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](#browser-allowsmartscreen) +- [Browser/AllowPopups](#browser-allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](#browser-allowsmartscreen) - [Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit) - [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines) - [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages) -- [Browser/HomePages](#browser-homepages) +- [Browser/HomePages](#browser-homepages) - [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection) -- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride) -- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles) +- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride) +- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles) - [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine) -- [Camera/AllowCamera](#camera-allowcamera) -- [ConfigOperations/ADMXInstall](#configoperations-admxinstall) -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +- [Camera/AllowCamera](#camera-allowcamera) +- [ConfigOperations/ADMXInstall](#None) +- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) - [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices) -- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy) -- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites) -- [Defender/AllowArchiveScanning](#defender-allowarchivescanning) -- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring) -- [Defender/AllowCloudProtection](#defender-allowcloudprotection) -- [Defender/AllowEmailScanning](#defender-allowemailscanning) -- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives) -- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning) -- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem) -- [Defender/AllowIOAVProtection](#defender-allowioavprotection) -- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection) -- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring) -- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles) -- [Defender/AllowScriptScanning](#defender-allowscriptscanning) -- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess) -- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor) -- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware) -- [Defender/ExcludedExtensions](#defender-excludedextensions) -- [Defender/ExcludedPaths](#defender-excludedpaths) -- [Defender/ExcludedProcesses](#defender-excludedprocesses) -- [Defender/PUAProtection](#defender-puaprotection) -- [Defender/RealTimeScanDirection](#defender-realtimescandirection) -- [Defender/ScanParameter](#defender-scanparameter) -- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime) -- [Defender/ScheduleScanDay](#defender-schedulescanday) -- [Defender/ScheduleScanTime](#defender-schedulescantime) -- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval) -- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent) -- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction) -- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize) -- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching) -- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode) -- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid) -- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage) -- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize) -- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth) -- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth) -- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos) -- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer) -- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache) -- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer) -- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive) -- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap) -- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth) -- [DeviceGuard/AllowKernelControlFlowGuard](#deviceguard-allowkernelcontrolflowguard) +- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy) +- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites) +- [Defender/AllowArchiveScanning](#defender-allowarchivescanning) +- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring) +- [Defender/AllowCloudProtection](#defender-allowcloudprotection) +- [Defender/AllowEmailScanning](#defender-allowemailscanning) +- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives) +- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning) +- [Defender/AllowIOAVProtection](#defender-allowioavprotection) +- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem) +- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection) +- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring) +- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles) +- [Defender/AllowScriptScanning](#defender-allowscriptscanning) +- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess) +- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor) +- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware) +- [Defender/ExcludedExtensions](#defender-excludedextensions) +- [Defender/ExcludedPaths](#defender-excludedpaths) +- [Defender/ExcludedProcesses](#defender-excludedprocesses) +- [Defender/PUAProtection](#defender-puaprotection) +- [Defender/RealTimeScanDirection](#defender-realtimescandirection) +- [Defender/ScanParameter](#defender-scanparameter) +- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime) +- [Defender/ScheduleScanDay](#defender-schedulescanday) +- [Defender/ScheduleScanTime](#defender-schedulescantime) +- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval) +- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent) +- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction) +- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize) +- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching) +- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode) +- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid) +- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage) +- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize) +- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth) +- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth) +- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos) +- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer) +- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache) +- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer) +- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive) +- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap) +- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth) +- [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders) +- [DeviceGuard/AllowKernelControlFlowGuard](#None) - [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) - [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) - [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) @@ -21725,40 +3322,41 @@ Footnote: - [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) - [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) - [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) -- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) -- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot) -- [System/AllowFontProviders](#system-allowfontproviders) -- [System/AllowLocation](#system-allowlocation) -- [System/AllowTelemetry](#system-allowtelemetry) -- [TextInput/AllowIMELogging](#textinput-allowimelogging) -- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess) -- [TextInput/AllowInputPanel](#textinput-allowinputpanel) -- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters) -- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters) -- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph) -- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary) -- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall) -- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208) -- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc) -- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis) -- [TimeLanguageSettings/Set24HourClock](#timelanguagesettings-set24hourclock) -- [TimeLanguageSettings/SetCountry](#timelanguagesettings-setcountry) -- [TimeLanguageSettings/SetLanguage](#timelanguagesettings-setlanguage) -- [Update/AllowAutoUpdate](#update-allowautoupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) +- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) +- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot) +- [System/AllowFontProviders](#system-allowfontproviders) +- [System/AllowLocation](#system-allowlocation) +- [System/AllowTelemetry](#system-allowtelemetry) +- [TextInput/AllowIMELogging](#textinput-allowimelogging) +- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess) +- [TextInput/AllowInputPanel](#textinput-allowinputpanel) +- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters) +- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters) +- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph) +- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary) +- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall) +- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208) +- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc) +- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis) +- [TimeLanguageSettings/Set24HourClock](#None) +- [TimeLanguageSettings/SetCountry](#None) +- [TimeLanguageSettings/SetLanguage](#None) +- [Update/AllowAutoUpdate](#update-allowautoupdate) +- [Update/AllowUpdateService](#update-allowupdateservice) - [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule) - [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal) -- [Update/BranchReadinessLevel](#update-branchreadinesslevel) -- [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays) -- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays) +- [Update/BranchReadinessLevel](#update-branchreadinesslevel) +- [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays) +- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays) - [Update/DetectionFrequency](#update-detectionfrequency) -- [Update/PauseFeatureUpdates](#update-pausefeatureupdates) -- [Update/PauseQualityUpdates](#update-pausequalityupdates) +- [Update/PauseFeatureUpdates](#update-pausefeatureupdates) +- [Update/PauseQualityUpdates](#update-pausequalityupdates) - [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning) - [Update/ScheduleRestartWarning](#update-schedulerestartwarning) - [Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable) -- [Update/UpdateServiceUrl](#update-updateserviceurl) +- [Update/UpdateServiceUrl](#update-updateserviceurl) - [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate) +- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting) @@ -21778,6 +3376,7 @@ Footnote: - [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) - [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) - [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) +- [DeviceLock/PreventLockScreenSlideShow](#devicelock-preventlockscreenslideshow) - [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) - [Security/RequireDeviceEncryption](#security-requiredeviceencryption) - [System/AllowStorageCard](#system-allowstoragecard) @@ -21786,6 +3385,7 @@ Footnote: - [Wifi/AllowWiFi](#wifi-allowwifi) + ## Examples Set the minimum password length to 4 characters. diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md new file mode 100644 index 0000000000..125546ca2b --- /dev/null +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -0,0 +1,145 @@ +--- +title: Policy CSP - AboveLock +description: Policy CSP - AboveLock +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - AboveLock + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## AboveLock policies + + +**AboveLock/AllowActionCenterNotifications** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + +

Specifies whether to allow Action Center notifications above the device lock screen. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**AboveLock/AllowCortanaAboveLock** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**AboveLock/AllowToasts** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether to allow toast notifications above the device lock screen. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md new file mode 100644 index 0000000000..8e3cbf0a9f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -0,0 +1,186 @@ +--- +title: Policy CSP - Accounts +description: Policy CSP - Accounts +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Accounts + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Accounts policies + + +**Accounts/AllowAddingNonMicrosoftAccountsManually** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether user is allowed to add non-MSA email accounts. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + +> [!NOTE] +> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the [EMAIL2 CSP](email2-csp.md). + + + + +**Accounts/AllowMicrosoftAccountConnection** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Accounts/AllowMicrosoftAccountSignInAssistant** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service. + +

The following list shows the supported values: + +- 0 – Disabled. +- 1 (default) – Manual start. + + + + +**Accounts/DomainNamesForEmailSync** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies a list of the domains that are allowed to sync email on the device. + +

The data type is a string. + +

The default value is an empty string, which allows all email accounts on the device to sync email. Otherwise, the string should contain a pipe-separated list of domains that are allowed to sync email on the device. For example, "contoso.com|fabrikam.net|woodgrove.gov". + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## Accounts policies supported by Windows Holographic for Business + +- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection) + + diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md new file mode 100644 index 0000000000..e2cb16c774 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -0,0 +1,74 @@ +--- +title: Policy CSP - ActiveXControls +description: Policy CSP - ActiveXControls +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - ActiveXControls + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## ActiveXControls policies + + +**ActiveXControls/ApprovedInstallationSites** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL. + +If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL. + +If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation. + +Note: Wild card characters cannot be used when specifying the host URLs. + + + +ADMX Info: +- GP english name: *Approved Installation Sites for ActiveX Controls* +- GP name: *ApprovedActiveXInstallSites* +- GP ADMX file name: *ActiveXInstallService.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md new file mode 100644 index 0000000000..bf34e7343f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -0,0 +1,121 @@ +--- +title: Policy CSP - ApplicationDefaults +description: Policy CSP - ApplicationDefaults +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - ApplicationDefaults + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## ApplicationDefaults policies + + +**ApplicationDefaults/DefaultAssociationsConfiguration** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML. + +

If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied. + +

To create create the SyncML, follow these steps: +

    +
  1. Install a few apps and change your defaults.
    2. +
  2. From an elevated prompt, run "dism /online /export-defaultappassociations:appassoc.xml"
    3. +
  3. Take the XML output and put it through your favorite base64 encoder app.
    4. +
  4. Paste the base64 encoded XML into the SyncML
    5. +
+ +

Here is an example output from the dism default association export command: + +``` syntax + + + + + + + +Here is the base64 encoded result: + +``` syntax +PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo= +``` + +

Here is the SyncMl example: + +``` syntax + + + + + 101 + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration + + PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo= + + + + + + +``` + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## ApplicationDefaults policies supported by Microsoft Surface Hub + +- [ApplicationDefaults/DefaultAssociationsConfiguration](#applicationdefaults-defaultassociationsconfiguration) + + diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md new file mode 100644 index 0000000000..805e786817 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -0,0 +1,489 @@ +--- +title: Policy CSP - ApplicationManagement +description: Policy CSP - ApplicationManagement +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - ApplicationManagement + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## ApplicationManagement policies + + +**ApplicationManagement/AllowAllTrustedApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether non Windows Store apps are allowed. + +

The following list shows the supported values: + +- 0 – Explicit deny. +- 1 – Explicit allow unlock. +- 65535 (default) – Not configured. + +

Most restricted value is 0. + + + + +**ApplicationManagement/AllowAppStoreAutoUpdate** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether automatic update of apps from Windows Store are allowed. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**ApplicationManagement/AllowDeveloperUnlock** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether developer unlock is allowed. + +

The following list shows the supported values: + +- 0 – Explicit deny. +- 1 – Explicit allow unlock. +- 65535 (default) – Not configured. + +

Most restricted value is 0. + + + + +**ApplicationManagement/AllowGameDVR** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + +

Specifies whether DVR and broadcasting is allowed. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**ApplicationManagement/AllowSharedUserAppData** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether multiple users of the same app can share data. + +

The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + +

Most restricted value is 0. + + + + +**ApplicationManagement/AllowStore** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + +

Specifies whether app store is allowed at the device. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**ApplicationManagement/ApplicationRestrictions** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. + +  +

An XML blob that specifies the application restrictions company want to put to the device. It could be an app allow list, app disallow list, allowed publisher IDs, and so on. For a list of Windows apps and product IDs, see [inbox apps](applocker-csp.md#inboxappsandcomponents). For more information about the XML, see the [ApplicationRestrictions XSD](applicationrestrictions-xsd.md). + +> [!NOTE] +> When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps. +> +> Here's additional guidance for the upgrade process: +> +> - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents). +> - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it. +> - In the SyncML, you must use lowercase product ID. +> - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error. +> - You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents). + + +

An application that is running may not be immediately terminated. + +

Value type is chr. + +

Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies. + + + + +**ApplicationManagement/DisableStoreOriginatedApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcheck mark1check mark1cross markcross mark
+ + + +

Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Windows Store that came pre-installed or were downloaded. + +

The following list shows the supported values: + +- 0 (default) – Enable launch of apps. +- 1 – Disable launch of apps. + + + + +**ApplicationManagement/RequirePrivateStoreOnly** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcheck markcheck markcheck markcheck mark
+ + + +

Allows disabling of the retail catalog and only enables the Private store. + +> [!IMPORTANT] +> This node must be accessed using the following paths: +> +> - **./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly** to set the policy. +> - **./User/Vendor/MSFT/Policy/Result/ApplicationManagement/RequirePrivateStoreOnly** to get the result. + + +

The following list shows the supported values: + +- 0 (default) – Allow both public and Private store. +- 1 – Only Private store is enabled. + +

This is a per user policy. + +

Most restricted value is 1. + + + + +**ApplicationManagement/RestrictAppDataToSystemVolume** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether application data is restricted to the system drive. + +

The following list shows the supported values: + +- 0 (default) – Not restricted. +- 1 – Restricted. + +

Most restricted value is 1. + + + + +**ApplicationManagement/RestrictAppToSystemVolume** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether the installation of applications is restricted to the system drive. + +

The following list shows the supported values: + +- 0 (default) – Not restricted. +- 1 – Restricted. + +

Most restricted value is 1. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## ApplicationManagement policies supported by Windows Holographic for Business + +- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps) +- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate) +- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) + + + +## ApplicationManagement policies supported by IoT Core + +- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) + + diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md new file mode 100644 index 0000000000..3aaaa8966e --- /dev/null +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md @@ -0,0 +1,1194 @@ +--- +title: Policy CSP - AppVirtualization +description: Policy CSP - AppVirtualization +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - AppVirtualization + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## AppVirtualization policies + + +**AppVirtualization/AllowAppVClient** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect. + + + +ADMX Info: +- GP english name: *Enable App-V Client* +- GP name: *EnableAppV* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowDynamicVirtualization** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls. + + + +ADMX Info: +- GP english name: *Enable Dynamic Virtualization* +- GP name: *Virtualization_JITVEnable* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowPackageCleanup** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Enables automatic cleanup of appv packages that were added after Windows10 anniversary release. + + + +ADMX Info: +- GP english name: *Enable automatic cleanup of unused appv packages* +- GP name: *PackageManagement_AutoCleanupEnable* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowPackageScripts** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Enables scripts defined in the package manifest of configuration files that should run. + + + +ADMX Info: +- GP english name: *Enable Package Scripts* +- GP name: *Scripting_Enable_Package_Scripts* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowPublishingRefreshUX** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Enables a UX to display to the user when a publishing refresh is performed on the client. + + + +ADMX Info: +- GP english name: *Enable Publishing Refresh UX* +- GP name: *Enable_Publishing_Refresh_UX* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowReportingServer** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Reporting Server URL: Displays the URL of reporting server. + +Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM. + +Delay reporting for the random minutes: The maximum minutes of random delay on top of the reporting time. For a busy system, the random delay will help reduce the server load. + +Repeat reporting for every (days): The periodical interval in days for sending the reporting data. + +Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this occurs, and will not be logged again until after the cache has been successfully cleared on transmission and the log has filled up again. + +Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections. + + + +ADMX Info: +- GP english name: *Reporting Server* +- GP name: *Reporting_Server_Policy* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowRoamingFileExclusions** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'. + + + +ADMX Info: +- GP english name: *Roaming File Exclusions* +- GP name: *Integration_Roaming_File_Exclusions* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowRoamingRegistryExclusions** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients. + + + +ADMX Info: +- GP english name: *Roaming Registry Exclusions* +- GP name: *Integration_Roaming_Registry_Exclusions* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowStreamingAutoload** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Specifies how new packages should be loaded automatically by App-V on a specific computer. + + + +ADMX Info: +- GP english name: *Specify what to load in background (aka AutoLoad)* +- GP name: *Steaming_Autoload* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/ClientCoexistenceAllowMigrationmode** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V. + + + +ADMX Info: +- GP english name: *Enable Migration Mode* +- GP name: *Client_Coexistence_Enable_Migration_mode* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/IntegrationAllowRootGlobal** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration. + + + +ADMX Info: +- GP english name: *Integration Root User* +- GP name: *Integration_Root_User* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/IntegrationAllowRootUser** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration. + + + +ADMX Info: +- GP english name: *Integration Root Global* +- GP name: *Integration_Root_Global* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/PublishingAllowServer1** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Publishing Server Display Name: Displays the name of publishing server. + +Publishing Server URL: Displays the URL of publishing server. + +Global Publishing Refresh: Enables global publishing refresh (Boolean). + +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). + +Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. + +Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + +User Publishing Refresh: Enables user publishing refresh (Boolean). + +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). + +User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. + +User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + + + +ADMX Info: +- GP english name: *Publishing Server 1 Settings* +- GP name: *Publishing_Server1_Policy* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/PublishingAllowServer2** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Publishing Server Display Name: Displays the name of publishing server. + +Publishing Server URL: Displays the URL of publishing server. + +Global Publishing Refresh: Enables global publishing refresh (Boolean). + +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). + +Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. + +Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + +User Publishing Refresh: Enables user publishing refresh (Boolean). + +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). + +User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. + +User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + + + +ADMX Info: +- GP english name: *Publishing Server 2 Settings* +- GP name: *Publishing_Server2_Policy* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/PublishingAllowServer3** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Publishing Server Display Name: Displays the name of publishing server. + +Publishing Server URL: Displays the URL of publishing server. + +Global Publishing Refresh: Enables global publishing refresh (Boolean). + +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). + +Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. + +Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + +User Publishing Refresh: Enables user publishing refresh (Boolean). + +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). + +User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. + +User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + + + +ADMX Info: +- GP english name: *Publishing Server 3 Settings* +- GP name: *Publishing_Server3_Policy* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/PublishingAllowServer4** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Publishing Server Display Name: Displays the name of publishing server. + +Publishing Server URL: Displays the URL of publishing server. + +Global Publishing Refresh: Enables global publishing refresh (Boolean). + +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). + +Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. + +Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + +User Publishing Refresh: Enables user publishing refresh (Boolean). + +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). + +User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. + +User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + + + +ADMX Info: +- GP english name: *Publishing Server 4 Settings* +- GP name: *Publishing_Server4_Policy* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/PublishingAllowServer5** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Publishing Server Display Name: Displays the name of publishing server. + +Publishing Server URL: Displays the URL of publishing server. + +Global Publishing Refresh: Enables global publishing refresh (Boolean). + +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). + +Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. + +Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + +User Publishing Refresh: Enables user publishing refresh (Boolean). + +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). + +User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. + +User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + + + +ADMX Info: +- GP english name: *Publishing Server 5 Settings* +- GP name: *Publishing_Server5_Policy* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Specifies the path to a valid certificate in the certificate store. + + + +ADMX Info: +- GP english name: *Certificate Filter For Client SSL* +- GP name: *Streaming_Certificate_Filter_For_Client_SSL* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowHighCostLaunch** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G). + + + +ADMX Info: +- GP english name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection* +- GP name: *Streaming_Allow_High_Cost_Launch* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowLocationProvider** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. + + + +ADMX Info: +- GP english name: *Location Provider* +- GP name: *Streaming_Location_Provider* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowPackageInstallationRoot** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Specifies directory where all new applications and updates will be installed. + + + +ADMX Info: +- GP english name: *Package Installation Root* +- GP name: *Streaming_Package_Installation_Root* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowPackageSourceRoot** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Overrides source location for downloading package content. + + + +ADMX Info: +- GP english name: *Package Source Root* +- GP name: *Streaming_Package_Source_Root* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowReestablishmentInterval** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Specifies the number of seconds between attempts to reestablish a dropped session. + + + +ADMX Info: +- GP english name: *Reestablishment Interval* +- GP name: *Streaming_Reestablishment_Interval* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowReestablishmentRetries** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Specifies the number of times to retry a dropped session. + + + +ADMX Info: +- GP english name: *Reestablishment Retries* +- GP name: *Streaming_Reestablishment_Retries* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingSharedContentStoreMode** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Specifies that streamed package contents will be not be saved to the local hard disk. + + + +ADMX Info: +- GP english name: *Shared Content Store (SCS) mode* +- GP name: *Streaming_Shared_Content_Store_Mode* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingSupportBranchCache** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache + + + +ADMX Info: +- GP english name: *Enable Support for BranchCache* +- GP name: *Streaming_Support_Branch_Cache* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingVerifyCertificateRevocationList** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Verifies Server certificate revocation status before streaming using HTTPS. + + + +ADMX Info: +- GP english name: *Verify certificate revocation list* +- GP name: *Streaming_Verify_Certificate_Revocation_List* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/VirtualComponentsAllowList** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components. + + + +ADMX Info: +- GP english name: *Virtual Component Process Allow List* +- GP name: *Virtualization_JITVAllowList* +- GP ADMX file name: *appv.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md new file mode 100644 index 0000000000..16d1409a9a --- /dev/null +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md @@ -0,0 +1,162 @@ +--- +title: Policy CSP - AttachmentManager +description: Policy CSP - AttachmentManager +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - AttachmentManager + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## AttachmentManager policies + + +**AttachmentManager/DoNotPreserveZoneInformation** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments. + +If you enable this policy setting, Windows does not mark file attachments with their zone information. + +If you disable this policy setting, Windows marks file attachments with their zone information. + +If you do not configure this policy setting, Windows marks file attachments with their zone information. + + + +ADMX Info: +- GP english name: *Do not preserve zone information in file attachments* +- GP name: *AM_MarkZoneOnSavedAtttachments* +- GP ADMX file name: *AttachmentManager.admx* + + + + +**AttachmentManager/HideZoneInfoMechanism** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening. + +If you enable this policy setting, Windows hides the check box and Unblock button. + +If you disable this policy setting, Windows shows the check box and Unblock button. + +If you do not configure this policy setting, Windows hides the check box and Unblock button. + + + +ADMX Info: +- GP english name: *Hide mechanisms to remove zone information* +- GP name: *AM_RemoveZoneInfo* +- GP ADMX file name: *AttachmentManager.admx* + + + + +**AttachmentManager/NotifyAntivirusPrograms** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant. + +If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened. + +If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. + +If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. + + + +ADMX Info: +- GP english name: *Notify antivirus programs when opening attachments* +- GP name: *AM_CallIOfficeAntiVirus* +- GP ADMX file name: *AttachmentManager.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md new file mode 100644 index 0000000000..a3abf1e90d --- /dev/null +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -0,0 +1,165 @@ +--- +title: Policy CSP - Authentication +description: Policy CSP - Authentication +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Authentication + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Authentication policies + + +**Authentication/AllowEAPCertSSO** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources. + +> [!IMPORTANT] +> This node must be accessed using the following paths: +> +> - **./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO** to set the policy. +> - **./User/Vendor/MSFT/Policy/Result/Authentication/AllowEAPCertSSO** to get the result. + + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Authentication/AllowFastReconnect** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Allows EAP Fast Reconnect from being attempted for EAP Method TLS. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Authentication/AllowSecondaryAuthenticationDevice** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 – Allowed. + +

The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD). + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## Authentication policies supported by Windows Holographic for Business + +- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) + + + +## Authentication policies supported by IoT Core + +- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) + + diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md new file mode 100644 index 0000000000..94426589fc --- /dev/null +++ b/windows/client-management/mdm/policy-csp-autoplay.md @@ -0,0 +1,175 @@ +--- +title: Policy CSP - Autoplay +description: Policy CSP - Autoplay +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Autoplay + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Autoplay policies + + +**Autoplay/DisallowAutoplayForNonVolumeDevices** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting disallows AutoPlay for MTP devices like cameras or phones. + +If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. + +If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices. + + + +ADMX Info: +- GP english name: *Disallow Autoplay for non-volume devices* +- GP name: *NoAutoplayfornonVolume* +- GP ADMX file name: *AutoPlay.admx* + + + + +**Autoplay/SetDefaultAutoRunBehavior** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting sets the default behavior for Autorun commands. + +Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. + +Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. + +This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. + +If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to: + +a) Completely disable autorun commands, or +b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command. + +If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run. + + + +ADMX Info: +- GP english name: *Set the default behavior for AutoRun* +- GP name: *NoAutorun* +- GP ADMX file name: *AutoPlay.admx* + + + + +**Autoplay/TurnOffAutoPlay** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to turn off the Autoplay feature. + +Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately. + +Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives. + +Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices. + +If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives. + +This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default. + +If you disable or do not configure this policy setting, AutoPlay is enabled. + +Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. + + + +ADMX Info: +- GP english name: *Turn off Autoplay* +- GP name: *Autorun* +- GP ADMX file name: *AutoPlay.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md new file mode 100644 index 0000000000..c4a361dbf8 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -0,0 +1,71 @@ +--- +title: Policy CSP - Bitlocker +description: Policy CSP - Bitlocker +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Bitlocker + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Bitlocker policies + + +**Bitlocker/EncryptionMethod** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies the BitLocker Drive Encryption method and cipher strength. + +> [!NOTE] +> XTS-AES 128-bit and XTS-AES 256-bit values are only supported on Windows 10 for desktop. + +

The following list shows the supported values: + +- 3 - AES-CBC 128-bit +- 4 - AES-CBC 256-bit +- 6 - XTS-AES 128-bit (Desktop only) +- 7 - XTS-AES 256-bit (Desktop only) + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md new file mode 100644 index 0000000000..c4f2efa69b --- /dev/null +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -0,0 +1,241 @@ +--- +title: Policy CSP - Bluetooth +description: Policy CSP - Bluetooth +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Bluetooth + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Bluetooth policies + + +**Bluetooth/AllowAdvertising** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether the device can send out Bluetooth advertisements. + +

The following list shows the supported values: + +- 0 – Not allowed. When set to 0, the device will not send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is not received by the peripheral. +- 1 (default) – Allowed. When set to 1, the device will send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is received by the peripheral. + +

If this is not set or it is deleted, the default value of 1 (Allow) is used. + +

Most restricted value is 0. + + + + +**Bluetooth/AllowDiscoverableMode** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether other Bluetooth-enabled devices can discover the device. + +

The following list shows the supported values: + +- 0 – Not allowed. When set to 0, other devices will not be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that you cannot see the name of the device. +- 1 (default) – Allowed. When set to 1, other devices will be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel and verify that you can discover it. + +

If this is not set or it is deleted, the default value of 1 (Allow) is used. + +

Most restricted value is 0. + + + + +**Bluetooth/AllowPrepairing** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
+ + + +

Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default)– Allowed. + + + + +**Bluetooth/LocalDeviceName** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Sets the local Bluetooth device name. + +

If this is set, the value that it is set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that the value that was specified. + +

If this policy is not set or it is deleted, the default local radio name is used. + + + + +**Bluetooth/ServicesAllowedList** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. + +

The default value is an empty string. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## Bluetooth policies supported by Windows Holographic for Business + +- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) +- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) +- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) + + + +## Bluetooth policies supported by IoT Core + +- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) +- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) +- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) +- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) + + + +## Bluetooth policies supported by Microsoft Surface Hub + +- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) +- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) +- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing) +- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) +- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) + + diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md new file mode 100644 index 0000000000..ac21e5988b --- /dev/null +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -0,0 +1,1436 @@ +--- +title: Policy CSP - Browser +description: Policy CSP - Browser +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Browser + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Browser policies + + +**Browser/AllowAddressBarDropdown** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality.  + +> [!NOTE] +> Disabling this setting turns off the address bar drop-down functionality. Because search suggestions are shown in the drop-down list, this setting takes precedence over the Browser/AllowSearchSuggestionsinAddressBar setting. + +

The following list shows the supported values: + +- 0 – Not allowed. Address bar drop-down is disabled, which also disables the user-defined setting, "Show search and site suggestions as I type."  +- 1 (default) – Allowed. Address bar drop-down is enabled. + +

Most restricted value is 0. + + + + +**Browser/AllowAutofill** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +

Specifies whether autofill on websites is allowed. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + +

To verify AllowAutofill is set to 0 (not allowed): + +1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the drop down list, and select **View Advanced Settings**. +4. Verify the setting **Save form entries** is greyed out. + + + + +**Browser/AllowBrowser** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. + + +

Specifies whether the browser is allowed on the device. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + +

When this policy is set to 0 (not allowed), the Microsoft Edge for Windows 10 Mobile tile will appear greyed out, and clicking on the tile will display a message indicating theat Internet browsing has been disabled by your administrator. + + + + +**Browser/AllowCookies** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether cookies are allowed. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + +

To verify AllowCookies is set to 0 (not allowed): + +1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the drop down list, and select **View Advanced Settings**. +4. Verify the setting **Cookies** is greyed out. + + + + +**Browser/AllowDeveloperTools** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Specifies whether employees can use F12 Developer Tools on Microsoft Edge. Turning this setting on, or not configuring it, lets employees use F12 Developer Tools. Turning this setting off stops employees from using F12 Developer Tools. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Browser/AllowDoNotTrack** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether Do Not Track headers are allowed. + +

The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + +

Most restricted value is 1. + +

To verify AllowDoNotTrack is set to 0 (not allowed): + +1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the drop down list, and select **View Advanced Settings**. +4. Verify the setting **Send Do Not Track requests** is greyed out. + + + + +**Browser/AllowExtensions** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +

Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Browser/AllowFlash** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +

Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Browser/AllowFlashClickToRun** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. + +

The following list shows the supported values: + +- 0 – Adobe Flash content is automatically loaded and run by Microsoft Edge. +- 1 (default) – Users must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. + + + + +**Browser/AllowInPrivate** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether InPrivate browsing is allowed on corporate networks. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Browser/AllowMicrosoftCompatibilityList** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly. +By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat". + +

If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the compatibility list from Microsoft, applying the updates during browser navigation. Visiting any site on the compatibility list prompts the employee to use Internet Explorer 11 (or enables/disables certain browser features on mobile), where the site is automatically rendered as though it’s run in the version of Internet Explorer necessary for it to display properly. If you disable this setting, the compatibility list isn’t used during browser navigation. + +

The following list shows the supported values: + +- 0 – Not enabled. +- 1 (default) – Enabled. + +

Most restricted value is 0. + + + + +**Browser/AllowPasswordManager** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether saving and managing passwords locally on the device is allowed. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + +

To verify AllowPasswordManager is set to 0 (not allowed): + +1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the drop down list, and select **View Advanced Settings**. +4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out. + + + + +**Browser/AllowPopups** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +

Specifies whether pop-up blocker is allowed or enabled. + +

The following list shows the supported values: + +- 0 (default) – Pop-up blocker is not allowed. It means that pop-up browser windows are allowed. +- 1 – Pop-up blocker is allowed or enabled. It means that pop-up browser windows are blocked. + +

Most restricted value is 1. + +

To verify AllowPopups is set to 0 (not allowed): + +1. Open Microsoft Edge. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the drop down list, and select **View Advanced Settings**. +4. Verify the setting **Block pop-ups** is greyed out. + + + + +**Browser/AllowSearchEngineCustomization** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine.  +   +

If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge settings. If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. This policy applies only on domain-joined machines or when the device is MDM-enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy).  + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Browser/AllowSearchSuggestionsinAddressBar** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether search suggestions are allowed in the address bar. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Browser/AllowSmartScreen** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether Windows Defender SmartScreen is allowed. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 1. + +

To verify AllowSmartScreen is set to 0 (not allowed): + +1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the drop down list, and select **View Advanced Settings**. +4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out. + + + + +**Browser/ClearBrowsingDataOnExit** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge. + +

The following list shows the supported values: + +- 0 – (default) Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings. +- 1 – Browsing data is cleared on exit. + +

Most restricted value is 1. + +

To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1): + +1. Open Microsoft Edge and browse to websites. +2. Close the Microsoft Edge window. +3. Open Microsoft Edge and start typing the same URL in address bar. Verify that it does not auto-complete from history. + + + + +**Browser/ConfigureAdditionalSearchEngines** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices.  +  +

If this policy is enabled, you can add up to 5 additional search engines for your employees. For each additional search engine you want to add, specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). +Employees cannot remove these search engines, but they can set any one as the default. This setting does not affect the default search engine.  + +

If this setting is not configured, the search engines used are the ones that are specified in the App settings. If this setting is disabled, the search engines you added will be deleted from your employee's machine. +  +> [!IMPORTANT] +> Due to Protected Settings (aka.ms/browserpolicy), this setting will apply only on domain-joined machines or when the device is MDM-enrolled.  + +

The following list shows the supported values: + +- 0 (default) – Additional search engines are not allowed. +- 1 – Additional search engines are allowed. + +

Most restricted value is 0. + + + + +**Browser/DisableLockdownOfStartPages** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect.  +   +> [!NOTE] +> This policy has no effect when the Browser/HomePages policy is not configured.  +  +> [!IMPORTANT] +> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy). + +

The following list shows the supported values: + +- 0 (default) – Enable lockdown of the Start pages according to the settings specified in the Browser/HomePages policy. Users cannot change the Start pages.  +- 1 – Disable lockdown of the Start pages and allow users to modify them.   + +

Most restricted value is 0. + + + + +**Browser/EnterpriseModeSiteList** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + +  +

Allows the user to specify an URL of an enterprise site list. + +

The following list shows the supported values: + +- Not configured. The device checks for updates from Microsoft Update. +- Set to a URL location of the enterprise site list. + + + + +**Browser/EnterpriseSiteListServiceUrl** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + +> [!IMPORTANT] +> This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist). + + + + +**Browser/FirstRunURL** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

Specifies the URL that Microsoft Edge for Windows 10 Mobile. will use when it is opened the first time. + +

The data type is a string. + +

The default value is an empty string. Otherwise, the string should contain the URL of the webpage users will see the first time Microsoft Edge is run. For example, “contoso.com”. + + + + +**Browser/HomePages** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile. + +

Specifies your Start pages for MDM-enrolled devices. Turning this setting on lets you configure one or more corporate Start pages. If this setting is turned on, you must also include URLs to the pages, separating multiple pages by using the XML-escaped characters **<** and **>**. For example, "<support.contoso.com><support.microsoft.com>" + +

Starting in Windows 10, version 1607, this policy will be enforced so that the Start pages specified by this policy cannot be changed by the users. + +

Starting in Windows 10, version 1703, if you don’t want to send traffic to Microsoft, you can use the "<about:blank>" value, which is honored for both domain- and non-domain-joined machines, when it’s the only configured URL.  + +> [!NOTE] +> Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings. + + + + +**Browser/PreventAccessToAboutFlagsInMicrosoftEdge** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +

Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features. + +

The following list shows the supported values: + +- 0 (default) – Users can access the about:flags page in Microsoft Edge. +- 1 – Users can't access the about:flags page in Microsoft Edge. + + + + +**Browser/PreventFirstRunPage** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening. + +

The following list shows the supported values: + +- 0 (default) – Employees see the First Run webpage. +- 1 – Employees don't see the First Run webpage. + +

Most restricted value is 1. + + + + +**Browser/PreventLiveTileDataCollection** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. + +

The following list shows the supported values: + +- 0 (default) – Microsoft servers will be contacted if a site is pinned to Start from Microsoft Edge. +- 1 – Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge. + +

Most restricted value is 1. + + + + +**Browser/PreventSmartScreenPromptOverride** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. + +

The following list shows the supported values: + +- 0 (default) – Off. +- 1 – On. + +

Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site. + + + + +**Browser/PreventSmartScreenPromptOverrideForFiles** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process. + +

The following list shows the supported values: + +- 0 (default) – Off. +- 1 – On. + + + + +**Browser/PreventUsingLocalHostIPAddressForWebRTC** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Specifies whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. Turning this setting on hides an user’s localhost IP address while making phone calls using WebRTC. Turning this setting off, or not configuring it, shows an

user’s localhost IP address while making phone calls using WebRTC. + +

The following list shows the supported values: + +- 0 (default) – The localhost IP address is shown. +- 1 – The localhost IP address is hidden. + + + + +**Browser/SendIntranetTraffictoInternetExplorer** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Specifies whether to send intranet traffic over to Internet Explorer. + +

The following list shows the supported values: + +- 0 (default) – Intranet traffic is sent to Internet Explorer. +- 1 – Intranet traffic is sent to Microsoft Edge. + +

Most restricted value is 0. + + + + +**Browser/SetDefaultSearchEngine** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy. + +

You must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). If you want your employees to use the Microsoft Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; otherwise, if you want your employees to use Bing as the default search engine, set the string EDGEBING.  +  +

If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market.    +  +> [!IMPORTANT] +> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy). + +

The following list shows the supported values: + +- 0 (default) - The default search engine is set to the one specified in App settings. +- 1 - Allows you to configure the default search engine for your employees. + +

Most restricted value is 0. + + + + +**Browser/ShowMessageWhenOpeningSitesInInternetExplorer** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Added in Windows 10, version 1607. Specifies whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List. + +

The following list shows the supported values: + +- 0 (default) – Interstitial pages are not shown. +- 1 – Interstitial pages are shown. + +

Most restricted value is 0. + + + + +**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> +> Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices. + +

The following list shows the supported values: + +- 0 (default) – Synchronization is off. +- 1 – Synchronization is on. + +

To verify that favorites are in synchronized between Internet Explorer and Microsoft Edge: + +

    +
  1. Open Internet Explorer and add some favorites. +
  2. Open Microsoft Edge, then select Hub > Favorites. +
  3. Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge. +
+ + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## Browser policies that can be set using Exchange Active Sync (EAS) + +- [Browser/AllowBrowser](#browser-allowbrowser) + + + +## Browser policies supported by Windows Holographic for Business + +- [Browser/AllowCookies](#browser-allowcookies) +- [Browser/AllowDoNotTrack](#browser-allowdonottrack) +- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) +- [Browser/AllowPopups](#browser-allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](#browser-allowsmartscreen) + + + +## Browser policies supported by IoT Core + +- [Browser/AllowAutofill](#browser-allowautofill) +- [Browser/AllowBrowser](#browser-allowbrowser) +- [Browser/AllowCookies](#browser-allowcookies) +- [Browser/AllowDoNotTrack](#browser-allowdonottrack) +- [Browser/AllowInPrivate](#browser-allowinprivate) +- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) +- [Browser/AllowPopups](#browser-allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) +- [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) +- [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl) +- [Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer) + + + +## Browser policies supported by Microsoft Surface Hub + +- [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown) +- [Browser/AllowCookies](#browser-allowcookies) +- [Browser/AllowDeveloperTools](#browser-allowdevelopertools) +- [Browser/AllowDoNotTrack](#browser-allowdonottrack) +- [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist) +- [Browser/AllowPopups](#browser-allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](#browser-allowsmartscreen) +- [Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit) +- [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines) +- [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages) +- [Browser/HomePages](#browser-homepages) +- [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection) +- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride) +- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles) +- [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine) + + diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md new file mode 100644 index 0000000000..052c9a0190 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -0,0 +1,86 @@ +--- +title: Policy CSP - Camera +description: Policy CSP - Camera +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Camera + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Camera policies + + +**Camera/AllowCamera** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Disables or enables the camera. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## Camera policies that can be set using Exchange Active Sync (EAS) + +- [Camera/AllowCamera](#camera-allowcamera) + + + +## Camera policies supported by IoT Core + +- [Camera/AllowCamera](#camera-allowcamera) + + + +## Camera policies supported by Microsoft Surface Hub + +- [Camera/AllowCamera](#camera-allowcamera) + + diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md new file mode 100644 index 0000000000..2eacb78000 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -0,0 +1,43 @@ +--- +title: Policy CSP - Cellular +description: Policy CSP - Cellular +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Cellular + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Cellular policies + + +**Cellular/ShowAppCellularAccessUI** + + + + +ADMX Info: +- GP english name: *Set Per-App Cellular Access UI Visibility* +- GP name: *ShowAppCellularAccessUI* +- GP ADMX file name: *wwansvc.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md new file mode 100644 index 0000000000..76654d609a --- /dev/null +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -0,0 +1,485 @@ +--- +title: Policy CSP - Connectivity +description: Policy CSP - Connectivity +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Connectivity + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Connectivity policies + + +**Connectivity/AllowBluetooth** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Allows the user to enable Bluetooth or restrict access. + +

The following list shows the supported values: + +- 0 – Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be greyed out and the user will not be able to turn Bluetooth on. +- 1 – Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. + +> [!NOTE] +>  This value is not supported in Windows Phone 8.1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile. + +- 2 (default) – Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. + +

If this is not set or it is deleted, the default value of 2 (Allow) is used. + +

Most restricted value is 0. + + + + +**Connectivity/AllowCellularData** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + +

Allows the cellular data channel on the device. Device reboot is not required to enforce the policy. + +

The following list shows the supported values: + +- 0 – Do not allow the cellular data channel. The user can turn it on. This value is not supported in Windows 10, version 1511. +- 1 (default) – Allow the cellular data channel. The user can turn it off. +- 2 - Allow the cellular data channel. The user cannot turn it off. + + + + +**Connectivity/AllowCellularDataRoaming** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy. + +

The following list shows the supported values: + +- 0 – Do not allow cellular data roaming. The user can turn it on. This value is not supported in Windows 10, version 1511. +- 1 (default) – Allow cellular data roaming. +- 2 - Allow cellular data roaming on. The user cannot turn it off. + +

Most restricted value is 0. + +

To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy. + +

To validate on mobile devices, do the following: + +1. Go to Cellular & SIM. +2. Click on the SIM (next to the signal strength icon) and select **Properties**. +3. On the Properties page, select **Data roaming options**. + + + + +**Connectivity/AllowConnectedDevices** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark2check mark2check mark2check mark2check mark2check mark2check mark2
+ + + +> [!NOTE] +> This policy requires reboot to take effect. + +

Added in Windows 10, version 1703. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. + +

The following list shows the supported values: + +- 1 (default) - Allow (CDP service available). +- 0 - Disable (CDP service not available). + + + + +**Connectivity/AllowNFC** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

Allows or disallows near field communication (NFC) on the device. + +

The following list shows the supported values: + +- 0 – Do not allow NFC capabilities. +- 1 (default) – Allow NFC capabilities. + +

Most restricted value is 0. + + + + +**Connectivity/AllowUSBConnection** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. + +

Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Connectivity/AllowVPNOverCellular** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies what type of underlying connections VPN is allowed to use. + +

The following list shows the supported values: + +- 0 – VPN is not allowed over cellular. +- 1 (default) – VPN can use any connection, including cellular. + +

Most restricted value is 0. + + + + +**Connectivity/AllowVPNRoamingOverCellular** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Prevents the device from connecting to VPN when the device roams over cellular networks. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Connectivity/DiablePrintingOverHTTP** + + + + +ADMX Info: +- GP english name: *Turn off printing over HTTP* +- GP name: *DisableHTTPPrinting_2* +- GP ADMX file name: *ICM.admx* + + + + +**Connectivity/DisableDownloadingOfPrintDriversOverHTTP** + + + + +ADMX Info: +- GP english name: *Turn off downloading of print drivers over HTTP* +- GP name: *DisableWebPnPDownload_2* +- GP ADMX file name: *ICM.admx* + + + + +**Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards** + + + + +ADMX Info: +- GP english name: *Turn off Internet download for Web publishing and online ordering wizards* +- GP name: *ShellPreventWPWDownload_2* +- GP ADMX file name: *ICM.admx* + + + + +**Connectivity/HardenedUNCPaths** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +This policy setting configures secure access to UNC paths. + +If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. + + + +ADMX Info: +- GP english name: *Hardened UNC Paths* +- GP name: *Pol_HardenedPaths* +- GP ADMX file name: *networkprovider.admx* + + + + +**Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge** + + + + +ADMX Info: +- GP english name: *Prohibit installation and configuration of Network Bridge on your DNS domain network* +- GP name: *NC_AllowNetBridge_NLA* +- GP ADMX file name: *NetworkConnections.admx* + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## Connectivity policies that can be set using Exchange Active Sync (EAS) + +- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) +- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) + + + +## Connectivity policies supported by Windows Holographic for Business + +- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) + + + +## Connectivity policies supported by IoT Core + +- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) +- [Connectivity/AllowNFC](#connectivity-allownfc) +- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) +- [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular) +- [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular) +- [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths) + + + +## Connectivity policies supported by Microsoft Surface Hub + +- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +- [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices) + + diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md new file mode 100644 index 0000000000..cc99642fbc --- /dev/null +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -0,0 +1,162 @@ +--- +title: Policy CSP - CredentialProviders +description: Policy CSP - CredentialProviders +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - CredentialProviders + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## CredentialProviders policies + + +**CredentialProviders/AllowPINLogon** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +This policy setting allows you to control whether a domain user can sign in using a convenience PIN. + +If you enable this policy setting, a domain user can set up and sign in with a convenience PIN. + +If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN. + +Note: The user's domain password will be cached in the system vault when using this feature. + +To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business. + + + +ADMX Info: +- GP english name: *Turn on convenience PIN sign-in* +- GP name: *AllowDomainPINLogon* +- GP ADMX file name: *credentialproviders.admx* + + + + +**CredentialProviders/BlockPicturePassword** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +This policy setting allows you to control whether a domain user can sign in using a picture password. + +If you enable this policy setting, a domain user can't set up or sign in with a picture password. + +If you disable or don't configure this policy setting, a domain user can set up and use a picture password. + +Note that the user's domain password will be cached in the system vault when using this feature. + + + +ADMX Info: +- GP english name: *Turn off picture password sign-in* +- GP name: *BlockDomainPicturePassword* +- GP ADMX file name: *credentialproviders.admx* + + + + +**CredentialProviders/EnableWindowsAutoPilotResetCredentials** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +Added in Windows 10, version 1709. Boolean policy to enable the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. When the policy is enabled, a WNF notification is generated that would schedule a task to update the visibility of the new provider. The admin user is required to authenticate to trigger the refresh on the target device. + +The auto pilot reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the auto pilot reset is triggered the devices are for ready for use by information workers or students. + +Default value is 0. + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## CredentialProviders policies supported by IoT Core + +- [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon) +- [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword) + + diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md new file mode 100644 index 0000000000..e51c7be1c8 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-credentialsui.md @@ -0,0 +1,118 @@ +--- +title: Policy CSP - CredentialsUI +description: Policy CSP - CredentialsUI +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - CredentialsUI + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## CredentialsUI policies + + +**CredentialsUI/DisablePasswordReveal** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +This policy setting allows you to configure the display of the password reveal button in password entry user experiences. + +If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box. + +If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box. + +By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button. + +The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer. + + + +ADMX Info: +- GP english name: *Do not display the password reveal button* +- GP name: *DisablePasswordReveal* +- GP ADMX file name: *credui.admx* + + + + +**CredentialsUI/EnumerateAdministrators** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. + +If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. + +If you disable this policy setting, users will always be required to type a user name and password to elevate. + + + +ADMX Info: +- GP english name: *Enumerate administrator accounts on elevation* +- GP name: *EnumerateAdministrators* +- GP ADMX file name: *credui.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md new file mode 100644 index 0000000000..b010cfdbb9 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -0,0 +1,104 @@ +--- +title: Policy CSP - Cryptography +description: Policy CSP - Cryptography +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Cryptography + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Cryptography policies + + +**Cryptography/AllowFipsAlgorithmPolicy** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Allows or disallows the Federal Information Processing Standard (FIPS) policy. + +

The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1– Allowed. + + + + +**Cryptography/TLSCipherSuites** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## Cryptography policies supported by Microsoft Surface Hub + +- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy) +- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites) + + diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md new file mode 100644 index 0000000000..418361ef03 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -0,0 +1,112 @@ +--- +title: Policy CSP - DataProtection +description: Policy CSP - DataProtection +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - DataProtection + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## DataProtection policies + + +**DataProtection/AllowDirectMemoryAccess** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**DataProtection/LegacySelectiveWipeID** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!IMPORTANT] +> This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. + +  +

Setting used by Windows 8.1 Selective Wipe. + +> [!NOTE] +> This policy is not recommended for use in Windows 10. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## DataProtection policies supported by IoT Core + +- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess) + + diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md new file mode 100644 index 0000000000..54687bcb5c --- /dev/null +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -0,0 +1,126 @@ +--- +title: Policy CSP - DataUsage +description: Policy CSP - DataUsage +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - DataUsage + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## DataUsage policies + + +**DataUsage/SetCost3G** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +This policy setting configures the cost of 3G connections on the local machine. + +If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine: + +- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. + +- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. + +- Variable: This connection is costed on a per byte basis. + +If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. + + + +ADMX Info: +- GP english name: *Set 3G Cost* +- GP name: *SetCost3G* +- GP ADMX file name: *wwansvc.admx* + + + + +**DataUsage/SetCost4G** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +This policy setting configures the cost of 4G connections on the local machine. + +If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine: + +- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. + +- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. + +- Variable: This connection is costed on a per byte basis. + +If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. + + + +ADMX Info: +- GP english name: *Set 4G Cost* +- GP name: *SetCost4G* +- GP ADMX file name: *wwansvc.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md new file mode 100644 index 0000000000..9fdbbe8095 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -0,0 +1,1490 @@ +--- +title: Policy CSP - Defender +description: Policy CSP - Defender +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Defender + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Defender policies + + +**Defender/AllowArchiveScanning** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows or disallows scanning of archives. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AllowBehaviorMonitoring** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

Allows or disallows Windows Defender Behavior Monitoring functionality. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AllowCloudProtection** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AllowEmailScanning** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows or disallows scanning of email. + +

The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + + + + +**Defender/AllowFullScanOnMappedNetworkDrives** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows or disallows a full scan of mapped network drives. + +

The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + + + + +**Defender/AllowFullScanRemovableDriveScanning** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows or disallows a full scan of removable drives. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AllowIOAVProtection** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

Allows or disallows Windows Defender IOAVP Protection functionality. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AllowIntrusionPreventionSystem** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows or disallows Windows Defender Intrusion Prevention functionality. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AllowOnAccessProtection** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows or disallows Windows Defender On Access Protection functionality. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AllowRealtimeMonitoring** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows or disallows Windows Defender Realtime Monitoring functionality. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AllowScanningNetworkFiles** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

Allows or disallows a scanning of network files. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AllowScriptScanning** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows or disallows Windows Defender Script Scanning functionality. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AllowUserUIAccess** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AttackSurfaceReductionOnlyExclusions** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Added in Windows 10, version 1709. This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe".. + +Value type is string. + + + + +**Defender/AttackSurfaceReductionRules** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Added in Windows 10, version 1709. This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule. + +Value type is string. + + + + +**Defender/AvgCPULoadFactor** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

Represents the average CPU load factor for the Windows Defender scan (in percent). + +

Valid values: 0–100 + +

The default value is 50. + + + + +**Defender/CloudBlockLevel** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Added in Windows 10, version 1709. This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. + +

If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. + +p

For more information about specific values that are supported, see the Windows Defender Antivirus documentation site. +      +> [!Note] +> This feature requires the "Join Microsoft MAPS" setting enabled in order to function. + +

Possible options are: + +- (0x0) Default windows defender blocking level +- (0x2) High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives)       +- (0x4) High+ blocking level – aggressively block unknowns and apply additional protection measures (may impact  client performance) +- (0x6) Zero tolerance blocking level – block all unknown executables + + + + +**Defender/CloudExtendedTimeout** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +

Added in Windows 10, version 1709. This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. + +

The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. + +

For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds. + +> [!Note] +> This feature depends on three other MAPS settings the must all be enabled- "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required". + + + + +**Defender/DaysToRetainCleanedMalware** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

Time period (in days) that quarantine items will be stored on the system. + +

Valid values: 0–90 + +

The default value is 0, which keeps items in quarantine, and does not automatically remove them. + + + + +**Defender/EnableGuardMyFolders** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +

Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. + +- 0 (default) - Off +- 1 - Audit mode +- 2 - Enforcement mode + + + + +**Defender/EnableNetworkProtection** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +

Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off in Windows Defender Exploit Guard. Network protection is a feature of Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. + +

If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit. +

If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center. +

If you enable this policy with the ""Audit"" option, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Windows Defender Security Center. +

If you disable this policy, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Windows Defender Security Center. +

If you do not configure this policy, network blocking will be disabled by default. + +

Valid values: + +- 0 (default) - Disabled +- 1 - Enabled (block mode) +- 2 - Enabled (audit mode) + + + + +**Defender/ExcludedExtensions** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj". + + + + +**Defender/ExcludedPaths** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1". + + + + +**Defender/ExcludedProcesses** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows an administrator to specify a list of files opened by processes to ignore during a scan. + +> [!IMPORTANT] +> The process itself is not excluded from the scan, but can be by using the **Defender/ExcludedPaths** policy to exclude its path. + +  +

Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe". + + + + +**Defender/GuardedFoldersAllowedApplications** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +

Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the Unicode  as the substring separator. + + + + +**Defender/GuardedFoldersList** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +

Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the Unicode  as the substring separator. + + + + +**Defender/PUAProtection** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer. + +

The following list shows the supported values: + +- 0 (default) – PUA Protection off. Windows Defender will not protect against potentially unwanted applications. +- 1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats. +- 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer. + + + + +**Defender/RealTimeScanDirection** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Controls which sets of files should be monitored. + +> [!NOTE] +> If **AllowOnAccessProtection** is not allowed, then this configuration can be used to monitor specific files. + + +

The following list shows the supported values: + +- 0 (default) – Monitor all files (bi-directional). +- 1 – Monitor incoming files. +- 2 – Monitor outgoing files. + + + + +**Defender/ScanParameter** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Selects whether to perform a quick scan or full scan. + +

The following list shows the supported values: + +- 1 (default) – Quick scan +- 2 – Full scan + + + + +**Defender/ScheduleQuickScanTime** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

Selects the time of day that the Windows Defender quick scan should run. + +> [!NOTE] +> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. + +  +

Valid values: 0–1380 + +

For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM. + +

The default value is 120 + + + + +**Defender/ScheduleScanDay** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Selects the day that the Windows Defender scan should run. + +> [!NOTE] +> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. + + +

The following list shows the supported values: + +- 0 (default) – Every day +- 1 – Monday +- 2 – Tuesday +- 3 – Wednesday +- 4 – Thursday +- 5 – Friday +- 6 – Saturday +- 7 – Sunday +- 8 – No scheduled scan + + + + +**Defender/ScheduleScanTime** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Selects the time of day that the Windows Defender scan should run. + +> [!NOTE] +> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. + + +

Valid values: 0–1380. + +

For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM. + +

The default value is 120. + + + + +**Defender/SignatureUpdateInterval** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. + +

Valid values: 0–24. + +

A value of 0 means no check for new signatures, a value of 1 means to check every hour, a value of 2 means to check every two hours, and so on, up to a value of 24, which means to check every day. + +

The default value is 8. + + + + +**Defender/SubmitSamplesConsent** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not, (and if the user has specified never to ask), the UI is launched to ask for user consent (when **Defender/AllowCloudProtection** is allowed) before sending data. + +

The following list shows the supported values: + +- 0 – Always prompt. +- 1 (default) – Send safe samples automatically. +- 2 – Never send. +- 3 – Send all samples automatically. + + + + +**Defender/ThreatSeverityDefaultAction** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. +  + +

Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. + +

This value is a list of threat severity level IDs and corresponding actions, separated by a**|** using the format "*threat level*=*action*|*threat level*=*action*". For example "1=6|2=2|4=10|5=3 + +

The following list shows the supported values for threat severity levels: + +- 1 – Low severity threats +- 2 – Moderate severity threats +- 4 – High severity threats +- 5 – Severe threats + +

The following list shows the supported values for possible actions: + +- 1 – Clean +- 2 – Quarantine +- 3 – Remove +- 6 – Allow +- 8 – User defined +- 10 – Block + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## Defender policies supported by Microsoft Surface Hub + +- [Defender/AllowArchiveScanning](#defender-allowarchivescanning) +- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring) +- [Defender/AllowCloudProtection](#defender-allowcloudprotection) +- [Defender/AllowEmailScanning](#defender-allowemailscanning) +- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives) +- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning) +- [Defender/AllowIOAVProtection](#defender-allowioavprotection) +- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem) +- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection) +- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring) +- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles) +- [Defender/AllowScriptScanning](#defender-allowscriptscanning) +- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess) +- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor) +- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware) +- [Defender/ExcludedExtensions](#defender-excludedextensions) +- [Defender/ExcludedPaths](#defender-excludedpaths) +- [Defender/ExcludedProcesses](#defender-excludedprocesses) +- [Defender/PUAProtection](#defender-puaprotection) +- [Defender/RealTimeScanDirection](#defender-realtimescandirection) +- [Defender/ScanParameter](#defender-scanparameter) +- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime) +- [Defender/ScheduleScanDay](#defender-schedulescanday) +- [Defender/ScheduleScanTime](#defender-schedulescantime) +- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval) +- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent) +- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction) + + diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md new file mode 100644 index 0000000000..bcd687b62f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -0,0 +1,654 @@ +--- +title: Policy CSP - DeliveryOptimization +description: Policy CSP - DeliveryOptimization +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - DeliveryOptimization + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## DeliveryOptimization policies + + +**DeliveryOptimization/DOAbsoluteMaxCacheSize** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

Added in Windows 10, version 1607. Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space. + +

The default value is 10. + + + + +**DeliveryOptimization/DOAllowVPNPeerCaching** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. + +

The default value is 0 (FALSE). + + + + +**DeliveryOptimization/DODownloadMode** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. + +

The following list shows the supported values: + +- 0 –HTTP only, no peering. +- 1 (default) – HTTP blended with peering behind the same NAT. +- 2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. +- 3 – HTTP blended with Internet peering. +- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. +- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. + + + + +**DeliveryOptimization/DOGroupId** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

This Policy specifies an arbitrary group ID that the device belongs to. Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. Note that this is a best effort optimization and should not be relied on for an authentication of identity. + +> [!NOTE] +> You must use a GUID as the group ID. + + + + +**DeliveryOptimization/DOMaxCacheAge** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607. + +

The default value is 259200 seconds (3 days). + + + + +**DeliveryOptimization/DOMaxCacheSize** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + +  +

Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). + +

The default value is 20. + + + + +**DeliveryOptimization/DOMaxDownloadBandwidth** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. +  + +

Added in Windows 10, version 1607. Specifies the maximum download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. + +

The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. + + + + +**DeliveryOptimization/DOMaxUploadBandwidth** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + +  +

Specifies the maximum upload bandwidth in KiloBytes/second that a device will use across all concurrent upload activity using Delivery Optimization. + +

The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth). + + + + +**DeliveryOptimization/DOMinBackgroundQos** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

Added in Windows 10, version 1607. Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. + +

The default value is 500. + + + + +**DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. + +

Added in Windows 10, version 1703. Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery. + +

The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used. + + + + +**DeliveryOptimization/DOMinDiskSizeAllowedToPeer** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. Recommended values: 64 GB to 256 GB. + +> [!NOTE] +> If the DOMofidyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy. + +

The default value is 32 GB. + + + + +**DeliveryOptimization/DOMinFileSizeToCache** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. The value 0 means "unlimited" which means the cloud service set default value will be used. Recommended values: 1 MB to 100,000 MB. + +

The default value is 100 MB. + + + + +**DeliveryOptimization/DOMinRAMAllowedToPeer** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. + +

The default value is 4 GB. + + + + +**DeliveryOptimization/DOModifyCacheDrive** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

Added in Windows 10, version 1607. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path. + +

By default, %SystemDrive% is used to store the cache. + + + + +**DeliveryOptimization/DOMonthlyUploadDataCap** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

Added in Windows 10, version 1607. Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. + +

The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set. + +

The default value is 20. + + + + +**DeliveryOptimization/DOPercentageMaxDownloadBandwidth** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + +  +

Added in Windows 10, version 1607. Specifies the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. + +

The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## DeliveryOptimization policies supported by Microsoft Surface Hub + +- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize) +- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching) +- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode) +- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid) +- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage) +- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize) +- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth) +- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth) +- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos) +- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer) +- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache) +- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer) +- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive) +- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap) +- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth) + + diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md new file mode 100644 index 0000000000..1a2b0575d1 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -0,0 +1,78 @@ +--- +title: Policy CSP - Desktop +description: Policy CSP - Desktop +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Desktop + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Desktop policies + + +**Desktop/PreventUserRedirectionOfProfileFolders** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +Prevents users from changing the path to their profile folders. + +By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box. + +If you enable this setting, users are unable to type a new location in the Target box. + + + +ADMX Info: +- GP english name: *Prohibit User from manually redirecting Profile Folders* +- GP name: *DisablePersonalDirChange* +- GP ADMX file name: *desktop.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## Desktop policies supported by Microsoft Surface Hub + +- [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders) + + diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md new file mode 100644 index 0000000000..a33fac0efa --- /dev/null +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -0,0 +1,147 @@ +--- +title: Policy CSP - DeviceGuard +description: Policy CSP - DeviceGuard +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - DeviceGuard + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## DeviceGuard policies + + +**DeviceGuard/EnableVirtualizationBasedSecurity** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck mark3check mark3cross markcross mark
+ + + +  +

Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. Supported values: +

+ + + + +**DeviceGuard/LsaCfgFlags** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck mark3check mark3cross markcross mark
+ + + +  +

Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. Supported values: +

+ + + + +**DeviceGuard/RequirePlatformSecurityFeatures** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck mark3check mark3cross markcross mark
+ + + +Added in Windows 10, version 1709. Specifies the platform security level at the next reboot. Value type is integer. Supported values: + +  +

+ + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## DeviceGuard policies supported by Microsoft Surface Hub + +- [DeviceGuard/AllowKernelControlFlowGuard](#None) + + diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md new file mode 100644 index 0000000000..6fe4218008 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -0,0 +1,114 @@ +--- +title: Policy CSP - DeviceInstallation +description: Policy CSP - DeviceInstallation +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - DeviceInstallation + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## DeviceInstallation policies + + +**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck mark3check mark3cross markcross mark
+ + + +This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. + +If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. + +If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. + + + +ADMX Info: +- GP english name: *Prevent installation of devices that match any of these device IDs* +- GP name: *DeviceInstall_IDs_Deny* +- GP ADMX file name: *deviceinstallation.admx* + + + + +**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck mark3check mark3cross markcross mark
+ + + +This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. + +If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. + +If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. + + + +ADMX Info: +- GP english name: *Prevent installation of devices using drivers that match these device setup classes* +- GP name: *DeviceInstall_Classes_Deny* +- GP ADMX file name: *deviceinstallation.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md new file mode 100644 index 0000000000..6aedca4af1 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -0,0 +1,841 @@ +--- +title: Policy CSP - DeviceLock +description: Policy CSP - DeviceLock +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - DeviceLock + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## DeviceLock policies + + +**DeviceLock/AllowIdleReturnWithoutPassword** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + +  +

Specifies whether the user must input a PIN or password when the device resumes from an idle state. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + +  +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + +  +

Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + +> [!IMPORTANT] +> If this policy is set to 1 (Allowed), the value set by **DeviceLock/ScreenTimeOutWhileLocked** is ignored. To ensure enterprise control over the screen timeout, set this policy to 0 (Not allowed) and use **DeviceLock/ScreenTimeOutWhileLocked** to set the screen timeout period. + + + + +**DeviceLock/AllowSimpleDevicePassword** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). + + + + +**DeviceLock/AlphanumericDevicePasswordRequired** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required). + +> [!NOTE] +> This policy must be wrapped in an Atomic command. +> +> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education). + + +

The following list shows the supported values: + +- 0 – Alphanumeric PIN or password required. +- 1 – Numeric PIN or password required. +- 2 (default) – Users can choose: Numeric PIN or password, or Alphanumeric PIN or password. + +> [!NOTE] +> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1. +> +> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2. + +  + + + + +**DeviceLock/DevicePasswordEnabled** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether device lock is enabled. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. +> +> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. +  + +

The following list shows the supported values: + +- 0 (default) – Enabled +- 1 – Disabled + +> [!IMPORTANT] +> The **DevicePasswordEnabled** setting must be set to 0 (device password is enabled) for the following policy settings to take effect: +> +> - AllowSimpleDevicePassword +> - MinDevicePasswordLength +> - AlphanumericDevicePasswordRequired +> - MaxDevicePasswordFailedAttempts +> - MaxInactivityTimeDeviceLock +> - MinDevicePasswordComplexCharacters +  + +> [!IMPORTANT] +> If **DevicePasswordEnabled** is set to 0 (device password is enabled), then the following policies are set: +> +> - MinDevicePasswordLength is set to 4 +> - MinDevicePasswordComplexCharacters is set to 1 +> +> If **DevicePasswordEnabled** is set to 1 (device password is disabled), then the following DeviceLock policies are set to 0: +> +> - MinDevicePasswordLength +> - MinDevicePasswordComplexCharacters + +> [!Important] +> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below: +> - **DevicePasswordEnabled** is the parent policy of the following: +> - AllowSimpleDevicePassword +> - MinDevicePasswordLength +> - AlphanumericDevicePasswordRequired +> - MinDevicePasswordComplexCharacters  +> - DevicePasswordExpiration +> - DevicePasswordHistory +> - MaxDevicePasswordFailedAttempts +> - MaxInactivityTimeDeviceLock + + + + +**DeviceLock/DevicePasswordExpiration** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies when the password expires (in days). + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

The following list shows the supported values: + +- An integer X where 0 <= X <= 730. +- 0 (default) - Passwords do not expire. + +

If all policy values = 0 then 0; otherwise, Min policy value is the most secure value. + +

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). + + + + +**DeviceLock/DevicePasswordHistory** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies how many passwords can be stored in the history that can’t be used. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

The following list shows the supported values: + +- An integer X where 0 <= X <= 50. +- 0 (default) + +

The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords. + +

Max policy value is the most restricted. + +

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). + + + + +**DeviceLock/EnforceLockScreenAndLogonImage** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcheck mark1check mark1cross markcross mark
+ + + +

Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. + +> [!NOTE] +> This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro. + + +

Value type is a string, which is the full image filepath and filename. + + + + +**DeviceLock/EnforceLockScreenProvider** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck mark1check mark1
+ + + +

Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider. + +> [!NOTE] +> This policy is only enforced in Windows 10 for mobile devices. + + +

Value type is a string, which is the AppID. + + + + +**DeviceLock/MaxDevicePasswordFailedAttempts** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + +The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

This policy has different behaviors on the mobile device and desktop. + +- On a mobile device, when the user reaches the value set by this policy, then the device is wiped. +- On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced. + + Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. + +

The following list shows the supported values: + +- An integer X where 4 <= X <= 16 for desktop and 0 <= X <= 999 for mobile devices. +- 0 (default) - The device is never wiped after an incorrect PIN or password is entered. + +

Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. + +

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). + + + + +**DeviceLock/MaxInactivityTimeDeviceLock** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

The following list shows the supported values: + +- An integer X where 0 <= X <= 999. +- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined." + +

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). + + + + +**DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcross markcheck mark2check mark2
+ + + +

Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

The following list shows the supported values: + +- An integer X where 0 <= X <= 999. +- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined." + + + + +**DeviceLock/MinDevicePasswordComplexCharacters** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + +

The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. +> +> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. + +

PIN enforces the following behavior for desktop and mobile devices: + +- 1 - Digits only +- 2 - Digits and lowercase letters are required +- 3 - Digits, lowercase letters, and uppercase letters are required +- 4 - Digits, lowercase letters, uppercase letters, and special characters are required + +

The default value is 1. The following list shows the supported values and actual enforced values: + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Account TypeSupported ValuesActual Enforced Values

Mobile

1,2,3,4

Same as the value set

Desktop Local Accounts

1,2,3

3

Desktop Microsoft Accounts

1,2

Desktop Domain Accounts

Not supported

Not supported

+ + +

Enforced values for Local and Microsoft Accounts: + +- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3. +- Passwords for local accounts must meet the following minimum requirements: + + - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters + - Be at least six characters in length + - Contain characters from three of the following four categories: + + - English uppercase characters (A through Z) + - English lowercase characters (a through z) + - Base 10 digits (0 through 9) + - Special characters (!, $, \#, %, etc.) + +

The enforcement of policies for Microsoft accounts happen on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant. + +

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). + + + + +**DeviceLock/MinDevicePasswordLength** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies the minimum number or characters required in the PIN or password. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. +> +> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. + + +

The following list shows the supported values: + +- An integer X where 4 <= X <= 16 for mobile devices and desktop. However, local accounts will always enforce a minimum password length of 6. +- Not enforced. +- The default value is 4 for mobile devices and desktop devices. + +

Max policy value is the most restricted. + +

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). + + + + +**DeviceLock/PreventLockScreenSlideShow** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + +Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. + +By default, users can enable a slide show that will run after they lock the machine. + +If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start. + + + +ADMX Info: +- GP english name: *Prevent enabling lock screen slide show* +- GP name: *CPL_Personalization_NoLockScreenSlideshow* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + + +**DeviceLock/ScreenTimeoutWhileLocked** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. +  +

Allows an enterprise to set the duration in seconds for the screen timeout while on the lock screen of Windows 10 Mobile devices. + +

Minimum supported value is 10. + +

Maximum supported value is 1800. + +

The default value is 10. + +

Most restricted value is 0. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## DeviceLock policies that can be set using Exchange Active Sync (EAS) + +- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) +- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) +- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) +- [DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration) +- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) +- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) +- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) +- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) +- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) +- [DeviceLock/PreventLockScreenSlideShow](#devicelock-preventlockscreenslideshow) + + + +## DeviceLock policies supported by Windows Holographic for Business + +- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword) +- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) + + diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md new file mode 100644 index 0000000000..142be5ef59 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-display.md @@ -0,0 +1,118 @@ +--- +title: Policy CSP - Display +description: Policy CSP - Display +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Display + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Display policies + + +**Display/TurnOffGdiDPIScalingForApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +

GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. + +

This policy setting lets you specify legacy applications that have GDI DPI Scaling turned off. + +

If you enable this policy setting, GDI DPI Scaling is turned off for all applications in the list, even if they are enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest. + +

If you disable or do not configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications. + +

If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off. + +

To validate on Desktop, do the following: + +1. Configure the setting for an app which has GDI DPI scaling enabled via MDM or any other supported mechanisms. +2. Run the app and observe blurry text. + + + + +**Display/TurnOnGdiDPIScalingForApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +

GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. + +

This policy setting lets you specify legacy applications that have GDI DPI Scaling turned on. + +

If you enable this policy setting, GDI DPI Scaling is turned on for all legacy applications in the list. + +

If you disable or do not configure this policy setting, GDI DPI Scaling will not be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest. + +

If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off. + +

To validate on Desktop, do the following: + +1. Configure the setting for an app which uses GDI. +2. Run the app and observe crisp text. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md new file mode 100644 index 0000000000..76c623cf52 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -0,0 +1,240 @@ +--- +title: Policy CSP - EnterpriseCloudPrint +description: Policy CSP - EnterpriseCloudPrint +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - EnterpriseCloudPrint + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## EnterpriseCloudPrint policies + + +**EnterpriseCloudPrint/CloudPrintOAuthAuthority** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. + +

The datatype is a string. + +

The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://azuretenant.contoso.com/adfs". + + + + +**EnterpriseCloudPrint/CloudPrintOAuthClientId** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. + +

The datatype is a string. + +

The default value is an empty string. Otherwise, the value should contain a GUID. For example, "E1CF1107-FF90-4228-93BF-26052DD2C714". + + + + +**EnterpriseCloudPrint/CloudPrintResourceId** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. + +

The datatype is a string. + +

The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MicrosoftEnterpriseCloudPrint/CloudPrint". + + + + +**EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. + +

The datatype is a string. + +

The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://cloudprinterdiscovery.contoso.com". + + + + +**EnterpriseCloudPrint/DiscoveryMaxPrinterLimit** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcross markcheck mark2check mark2
+ + + +

Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. + +

The datatype is an integer. + +

For Windows Mobile, the default value is 20. + + + + +**EnterpriseCloudPrint/MopriaDiscoveryResourceId** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. + +

The datatype is a string. + +

The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MopriaDiscoveryService/CloudPrint". + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md new file mode 100644 index 0000000000..9420ab52aa --- /dev/null +++ b/windows/client-management/mdm/policy-csp-errorreporting.md @@ -0,0 +1,254 @@ +--- +title: Policy CSP - ErrorReporting +description: Policy CSP - ErrorReporting +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - ErrorReporting + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## ErrorReporting policies + + +**ErrorReporting/CustomizeConsentSettings** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +This policy setting determines the consent behavior of Windows Error Reporting for specific event types. + +If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. + +- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. + +- 1 (Always ask before sending data): Windows prompts the user for consent to send reports. + +- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft. + +- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft. + +- 4 (Send all data): Any data requested by Microsoft is sent automatically. + +If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. + + + +ADMX Info: +- GP english name: *Customize consent settings* +- GP name: *WerConsentCustomize_2* +- GP ADMX file name: *ErrorReporting.admx* + + + + +**ErrorReporting/DisableWindowsErrorReporting** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. + +If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. + +If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. + + + +ADMX Info: +- GP english name: *Disable Windows Error Reporting* +- GP name: *WerDisable_2* +- GP ADMX file name: *ErrorReporting.admx* + + + + +**ErrorReporting/DisplayErrorNotification** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +This policy setting controls whether users are shown an error dialog box that lets them report an error. + +If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error. + +If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users. + +If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server. + +See also the Configure Error Reporting policy setting. + + + +ADMX Info: +- GP english name: *Display Error Notification* +- GP name: *PCH_ShowUI* +- GP ADMX file name: *ErrorReporting.admx* + + + + +**ErrorReporting/DoNotSendAdditionalData** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. + +If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. + +If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. + + + +ADMX Info: +- GP english name: *Do not send additional data* +- GP name: *WerNoSecondLevelData_2* +- GP ADMX file name: *ErrorReporting.admx* + + + + +**ErrorReporting/PreventCriticalErrorDisplay** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +This policy setting prevents the display of the user interface for critical errors. + +If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors. + +If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors. + + + +ADMX Info: +- GP english name: *Prevent display of the user interface for critical errors* +- GP name: *WerDoNotShowUI* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md new file mode 100644 index 0000000000..a7d3d8bcf3 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-eventlogservice.md @@ -0,0 +1,200 @@ +--- +title: Policy CSP - EventLogService +description: Policy CSP - EventLogService +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - EventLogService + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## EventLogService policies + + +**EventLogService/ControlEventLogBehavior** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +This policy setting controls Event Log behavior when the log file reaches its maximum size. + +If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. + +If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. + +Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. + + + +ADMX Info: +- GP english name: *Control Event Log behavior when the log file reaches its maximum size* +- GP name: *Channel_Log_Retention_1* +- GP ADMX file name: *eventlog.admx* + + + + +**EventLogService/SpecifyMaximumFileSizeApplicationLog** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +This policy setting specifies the maximum size of the log file in kilobytes. + +If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. + +If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. + + + +ADMX Info: +- GP english name: *Specify the maximum log file size (KB)* +- GP name: *Channel_LogMaxSize_1* +- GP ADMX file name: *eventlog.admx* + + + + +**EventLogService/SpecifyMaximumFileSizeSecurityLog** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +This policy setting specifies the maximum size of the log file in kilobytes. + +If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. + +If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. + + + +ADMX Info: +- GP english name: *Specify the maximum log file size (KB)* +- GP name: *Channel_LogMaxSize_2* +- GP ADMX file name: *eventlog.admx* + + + + +**EventLogService/SpecifyMaximumFileSizeSystemLog** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +This policy setting specifies the maximum size of the log file in kilobytes. + +If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. + +If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. + + + +ADMX Info: +- GP english name: *Specify the maximum log file size (KB)* +- GP name: *Channel_LogMaxSize_4* +- GP ADMX file name: *eventlog.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md new file mode 100644 index 0000000000..d0a5edf221 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -0,0 +1,782 @@ +--- +title: Policy CSP - Experience +description: Policy CSP - Experience +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Experience + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Experience policies + + +**Experience/AllowCopyPaste** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + +

Specifies whether copy and paste is allowed. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Experience/AllowCortana** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + +

Benefit to the customer: + +

Before this setting, enterprise customers could not set up Cortana during out-of-box experience (OOBE) at all, even though Cortana is the “voice” that walks you through OOBE. By sending AllowCortana in initial enrollment, enterprise customers can allow their employees to see the Cortana consent page. This enables them to choose to use Cortana and make their lives easier and more productive. + +

Sample scenario: + +

An enterprise employee customer is going through OOBE and enjoys Cortana’s help in this process. The customer is happy to learn during OOBE that Cortana can help them be more productive, and chooses to set up Cortana before OOBE finishes. When their setup is finished, they are immediately ready to engage with Cortana to help manage their schedule and more. + + + + +**Experience/AllowDeviceDiscovery** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Allows users to turn on/off device discovery UX. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

When set to 0 , the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on. + +

Most restricted value is 0. + + + + +**Experience/AllowManualMDMUnenrollment** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether to allow the user to delete the workplace account using the workplace control panel. + +> [!NOTE] +> The MDM server can always remotely delete the account. + + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Experience/AllowSIMErrorDialogPromptWhenNoSIM** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

Specifies whether to display dialog prompt when no SIM card is detected. + +

The following list shows the supported values: + +- 0 – SIM card dialog prompt is not displayed. +- 1 (default) – SIM card dialog prompt is displayed. + + + + +**Experience/AllowScreenCapture** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

Specifies whether screen capture is allowed. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Experience/AllowSyncMySettings** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). + +

The following list shows the supported values: + +- 0 – Sync settings is not allowed. +- 1 (default) – Sync settings allowed. + + + + +**Experience/AllowTailoredExperiencesWithDiagnosticData** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + +

Added in Windows 10, version 1703. This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. + +

Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value. + +> **Note** This setting does not control Cortana cutomized experiences because there are separate policies to configure it. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Experience/AllowTaskSwitcher** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

Allows or disallows task switching on the device. + +

The following list shows the supported values: + +- 0 – Task switching not allowed. +- 1 (default) – Task switching allowed. + + + + +**Experience/AllowThirdPartySuggestionsInWindowsSpotlight** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +> [!NOTE] +> This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. + + +

Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services. + +

The following list shows the supported values: + +- 0 – Third-party suggestions not allowed. +- 1 (default) – Third-party suggestions allowed. + + + + +**Experience/AllowVoiceRecording** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

Specifies whether voice recording is allowed for apps. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Experience/AllowWindowsConsumerFeatures** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles. + +> [!IMPORTANT] +> This node must be accessed using the following paths: +> +> - **./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsConsumerFeatures** to set the policy. +> - **./User/Vendor/MSFT/Policy/Result/Experience/AllowWindowsConsumerFeatures** to get the result. + +  +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 – Allowed. + +

Most restricted value is 0. + + + + +**Experience/AllowWindowsSpotlight** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcheck mark1check mark1cross markcross mark
+ + + +> [!NOTE] +> This policy is only available for Windows 10 Enterprise and Windows 10 Education. + + +

Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Experience/AllowWindowsSpotlightOnActionCenter** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcheck mark2check mark2check mark2cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + +

Added in Windows 10, version 1703. This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Experience/AllowWindowsSpotlightWindowsWelcomeExperience** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcheck mark2check mark2check mark2cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + +

Added in Windows 10, version 1703. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature. +The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Experience/AllowWindowsTips** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +Enables or disables Windows Tips / soft landing. + +

The following list shows the supported values: + +- 0 – Disabled. +- 1 (default) – Enabled. + + + + +**Experience/ConfigureWindowsSpotlightOnLockScreen** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcheck mark1check mark1cross markcross mark
+ + + +> [!NOTE] +> This policy is only available for Windows 10 Enterprise and Windows 10 Education. + + +

Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1. + +

The following list shows the supported values: + +- 0 – None. +- 1 (default) – Windows spotlight enabled. +- 2 – placeholder only for future extension. Using this value has no effect. + + + + +**Experience/DoNotShowFeedbackNotifications** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Prevents devices from showing feedback questions from Microsoft. + +

If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or do not configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback. + +

If you disable or do not configure this policy setting, users can control how often they receive feedback questions. + +

The following list shows the supported values: + +- 0 (default) – Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally. +- 1 – Feedback notifications are disabled. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## Experience policies supported by Windows Holographic for Business + +- [Experience/AllowCortana](#experience-allowcortana) +- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment) + + diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md new file mode 100644 index 0000000000..65d798cab5 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-games.md @@ -0,0 +1,61 @@ +--- +title: Policy CSP - Games +description: Policy CSP - Games +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Games + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Games policies + + +**Games/AllowAdvancedGamingServices** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Placeholder only. Currently not supported. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md new file mode 100644 index 0000000000..096bb1b61b --- /dev/null +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -0,0 +1,8012 @@ +--- +title: Policy CSP - InternetExplorer +description: Policy CSP - InternetExplorer +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - InternetExplorer + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## InternetExplorer policies + + +**InternetExplorer/AddSearchProvider** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website. + +If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. + +If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration. + + + +ADMX Info: +- GP english name: *Add a specific list of search providers to the user's list of search providers* +- GP name: *AddSearchProvider* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowActiveXFiltering** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly. + +If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions. + +If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off. + + + +ADMX Info: +- GP english name: *Turn on ActiveX Filtering* +- GP name: *TurnOnActiveXFiltering* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowAddOnList** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages. + +This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied. + +If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information: + +Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, {000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced. + +Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field. + +If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied. + + + +ADMX Info: +- GP english name: *Add-on List* +- GP name: *AddonManagement_AddOnList* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowAutoComplete** + + + + +ADMX Info: +- GP english name: *Turn on the auto-complete feature for user names and passwords on forms* +- GP name: *RestrictFormSuggestPW* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowCertificateAddressMismatchWarning** + + + + +ADMX Info: +- GP english name: *Turn on certificate address mismatch warning* +- GP name: *IZ_PolicyWarnCertMismatch* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowDeletingBrowsingHistoryOnExit** + + + + +ADMX Info: +- GP english name: *Allow deleting browsing history on exit* +- GP name: *DBHDisableDeleteOnExit* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowEnhancedProtectedMode** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. + +If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode. + +If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista. + +If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog. + + + +ADMX Info: +- GP english name: *Turn on Enhanced Protected Mode* +- GP name: *Advanced_EnableEnhancedProtectedMode* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowEnterpriseModeFromToolsMenu** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu. + +If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports. + +If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode. + + + +ADMX Info: +- GP english name: *Let users turn on and use Enterprise Mode from the Tools menu* +- GP name: *EnterpriseModeEnable* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowEnterpriseModeSiteList** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list. + +If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE. + +If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode. + + + +ADMX Info: +- GP english name: *Use the Enterprise Mode IE website list* +- GP name: *EnterpriseModeSiteList* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowFallbackToSSL3** + + + + +ADMX Info: +- GP english name: *Allow fallback to SSL 3.0 (Internet Explorer)* +- GP name: *Advanced_EnableSSL3Fallback* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowInternetExplorer7PolicyList** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View. + +If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify. + +If you disable or do not configure this policy setting, the user can add and remove sites from the list. + + + +ADMX Info: +- GP english name: *Use Policy List of Internet Explorer 7 sites* +- GP name: *CompatView_UsePolicyList* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowInternetExplorerStandardsMode** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone. + +If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box. + +If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box. + +If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer. + + + +ADMX Info: +- GP english name: *Turn on Internet Explorer Standards Mode for local intranet* +- GP name: *CompatView_IntranetSites* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowInternetZoneTemplate** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + + +ADMX Info: +- GP english name: *Internet Zone Template* +- GP name: *IZ_PolicyInternetZoneTemplate* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowIntranetZoneTemplate** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + + +ADMX Info: +- GP english name: *Intranet Zone Template* +- GP name: *IZ_PolicyIntranetZoneTemplate* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowLocalMachineZoneTemplate** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + + +ADMX Info: +- GP english name: *Local Machine Zone Template* +- GP name: *IZ_PolicyLocalMachineZoneTemplate* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowLockedDownInternetZoneTemplate** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + + +ADMX Info: +- GP english name: *Locked-Down Internet Zone Template* +- GP name: *IZ_PolicyInternetZoneLockdownTemplate* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowLockedDownIntranetZoneTemplate** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + + +ADMX Info: +- GP english name: *Locked-Down Intranet Zone Template* +- GP name: *IZ_PolicyIntranetZoneLockdownTemplate* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowLockedDownLocalMachineZoneTemplate** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + + +ADMX Info: +- GP english name: *Locked-Down Local Machine Zone Template* +- GP name: *IZ_PolicyLocalMachineZoneLockdownTemplate* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + + +ADMX Info: +- GP english name: *Locked-Down Restricted Sites Zone Template* +- GP name: *IZ_PolicyRestrictedSitesZoneLockdownTemplate* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowOneWordEntry** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar. + +If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available. + +If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar. + + + +ADMX Info: +- GP english name: *Go to an intranet site for a one-word entry in the Address bar* +- GP name: *UseIntranetSiteForOneWordEntry* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowSiteToZoneAssignmentList** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone. + +Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.) + +If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information: + +Valuename A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also includea specificprotocol. For example, if you enter http://www.contoso.comas the valuename, other protocols are not affected.If you enter just www.contoso.com,then all protocolsare affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. + +Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4. + +If you disable or do not configure this policy, users may choose their own site-to-zone assignments. + + + +ADMX Info: +- GP english name: *Site to Zone Assignment List* +- GP name: *IZ_Zonemaps* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowSoftwareWhenSignatureIsInvalid** + + + + +ADMX Info: +- GP english name: *Allow software to run or install even if the signature is invalid* +- GP name: *Advanced_InvalidSignatureBlock* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowSuggestedSites** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit. + +If you enable this policy setting, the user is not prompted to enable Suggested Sites. The users browsing history is sent to Microsoft to produce suggestions. + +If you disable this policy setting, the entry points and functionality associated with this feature are turned off. + +If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature. + + + +ADMX Info: +- GP english name: *Turn on Suggested Sites* +- GP name: *EnableSuggestedSites* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowTrustedSitesZoneTemplate** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + + +ADMX Info: +- GP english name: *Trusted Sites Zone Template* +- GP name: *IZ_PolicyTrustedSitesZoneTemplate* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + + +ADMX Info: +- GP english name: *Locked-Down Trusted Sites Zone Template* +- GP name: *IZ_PolicyTrustedSitesZoneLockdownTemplate* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowsRestrictedSitesZoneTemplate** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + + +ADMX Info: +- GP english name: *Restricted Sites Zone Template* +- GP name: *IZ_PolicyRestrictedSitesZoneTemplate* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/CheckServerCertificateRevocation** + + + + +ADMX Info: +- GP english name: *Check for server certificate revocation* +- GP name: *Advanced_CertificateRevocation* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/CheckSignaturesOnDownloadedPrograms** + + + + +ADMX Info: +- GP english name: *Check for signatures on downloaded programs* +- GP name: *Advanced_DownloadSignatures* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses** + + + + +ADMX Info: +- GP english name: *Internet Explorer Processes* +- GP name: *IESF_PolicyExplorerProcesses_2* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableAdobeFlash** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects. + +If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings. + +If you disable, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box. + +Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library. + + + +ADMX Info: +- GP english name: *Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects* +- GP name: *DisableFlashInIE* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableBlockingOfOutdatedActiveXControls** + + + + +ADMX Info: +- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer* +- GP name: *VerMgmtDisable* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableBypassOfSmartScreenWarnings** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious. + +If you enable this policy setting, SmartScreen Filter warnings block the user. + +If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. + + + +ADMX Info: +- GP english name: *Prevent bypassing SmartScreen Filter warnings* +- GP name: *DisableSafetyFilterOverride* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. + +If you enable this policy setting, SmartScreen Filter warnings block the user. + +If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. + + + +ADMX Info: +- GP english name: *Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet* +- GP name: *DisableSafetyFilterOverrideForAppRepUnknown* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableConfiguringHistory** + + + + +ADMX Info: +- GP english name: *Disable "Configuring History"* +- GP name: *RestrictHistory* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableCrashDetection** + + + + +ADMX Info: +- GP english name: *Turn off Crash Detection* +- GP name: *AddonManagement_RestrictCrashDetection* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP). + +If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. + +If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. + +If you do not configure this policy setting, the user can choose to participate in the CEIP. + + + +ADMX Info: +- GP english name: *Prevent participation in the Customer Experience Improvement Program* +- GP name: *SQM_DisableCEIP* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableDeletingUserVisitedWebsites** + + + + +ADMX Info: +- GP english name: *Prevent deleting websites that the user has visited* +- GP name: *DBHDisableDeleteHistory* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableEnclosureDownloading** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. + +If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. + +If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. + + + +ADMX Info: +- GP english name: *Prevent downloading of enclosures* +- GP name: *Disable_Downloading_of_Enclosures* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableEncryptionSupport** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match. + +If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list. + +If you disable or do not configure this policy setting, the user can select which encryption method the browser supports. + +Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. + + + +ADMX Info: +- GP english name: *Turn off encryption support* +- GP name: *Advanced_SetWinInetProtocols* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableFirstRunWizard** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. + +If you enable this policy setting, you must make one of the following choices: +Skip the First Run wizard, and go directly to the user's home page. +Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage. + +Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen. + +If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation. + + + +ADMX Info: +- GP english name: *Prevent running First Run wizard* +- GP name: *NoFirstRunCustomise* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableFlipAheadFeature** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. + +Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop. + +If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background. + +If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background. + +If you don't configure this setting, users can turn this behavior on or off, using the Settings charm. + + + +ADMX Info: +- GP english name: *Turn off the flip ahead with page prediction feature* +- GP name: *Advanced_DisableFlipAhead* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableHomePageChange** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run. + +If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies. + +If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. + + + +ADMX Info: +- GP english name: *Disable changing home page settings* +- GP name: *RestrictHomePage* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableIgnoringCertificateErrors** + + + + +ADMX Info: +- GP english name: *Prevent ignoring certificate errors* +- GP name: *NoCertError* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableInPrivateBrowsing** + + + + +ADMX Info: +- GP english name: *Turn off InPrivate Browsing* +- GP name: *DisableInPrivateBrowsing* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableProcessesInEnhancedProtectedMode** + + + + +ADMX Info: +- GP english name: *Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows* +- GP name: *Advanced_EnableEnhancedProtectedMode64Bit* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableProxyChange** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting specifies if a user can change proxy settings. + +If you enable this policy setting, the user will not be able to configure proxy settings. + +If you disable or do not configure this policy setting, the user can configure proxy settings. + + + +ADMX Info: +- GP english name: *Prevent changing proxy settings* +- GP name: *RestrictProxy* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableSearchProviderChange** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box. + +If you enable this policy setting, the user cannot change the default search provider. + +If you disable or do not configure this policy setting, the user can change the default search provider. + + + +ADMX Info: +- GP english name: *Prevent changing the default search provider* +- GP name: *NoSearchProvider* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableSecondaryHomePageChange** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages. + +If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages. + +If you disable or do not configure this policy setting, the user can add secondary home pages. + +Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages. + + + +ADMX Info: +- GP english name: *Disable changing secondary home page settings* +- GP name: *SecondaryHomePages* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableSecuritySettingsCheck** + + + + +ADMX Info: +- GP english name: *Turn off the Security Settings Check feature* +- GP name: *Disable_Security_Settings_Check* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableUpdateCheck** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +Prevents Internet Explorer from checking whether a new version of the browser is available. + +If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if a new version is available. + +If you disable this policy or do not configure it, Internet Explorer checks every 30 days by default, and then notifies users if a new version is available. + +This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser. + + + +ADMX Info: +- GP english name: *Disable Periodic Check for Internet Explorer software updates* +- GP name: *NoUpdateCheck* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DoNotAllowActiveXControlsInProtectedMode** + + + + +ADMX Info: +- GP english name: *Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled* +- GP name: *Advanced_DisableEPMCompat* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DoNotAllowUsersToAddSites** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. + +If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.) + +If you disable this policy or do not configure it, users can add Web sites to or remove sites from the Trusted Sites and Restricted Sites zones, and alter settings for the Local Intranet zone. + +This policy prevents users from changing site management settings for security zones established by the administrator. + +Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored. + +Also, see the "Security zones: Use only machine settings" policy. + + + +ADMX Info: +- GP english name: *Security Zones: Do not allow users to add/delete sites* +- GP name: *Security_zones_map_edit* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DoNotAllowUsersToChangePolicies** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level. + +If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled. + +If you disable this policy or do not configure it, users can change the settings for security zones. + +This policy prevents users from changing security zone settings established by the administrator. + +Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. + +Also, see the "Security zones: Use only machine settings" policy. + + + +ADMX Info: +- GP english name: *Security Zones: Do not allow users to change policies* +- GP name: *Security_options_edit* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DoNotBlockOutdatedActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. + +If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls. + +If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls. + +For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. + + + +ADMX Info: +- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer* +- GP name: *VerMgmtDisable* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. + +If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following: + +1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" +2. "hostname". For example, if you want to include http://example, use "example" +3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm" + +If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone. + +For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. + + + +ADMX Info: +- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains* +- GP name: *VerMgmtDomainAllowlist* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IncludeAllLocalSites** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone. + +If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone. + +If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone). + +If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone. + + + +ADMX Info: +- GP english name: *Intranet Sites: Include all local (intranet) sites not listed in other zones* +- GP name: *IZ_IncludeUnspecifiedLocalSites* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IncludeAllNetworkPaths** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. + +If you enable this policy setting, all network paths are mapped into the Intranet Zone. + +If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there). + +If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone. + + + +ADMX Info: +- GP english name: *Intranet Sites: Include all network paths (UNCs)* +- GP name: *IZ_UNCAsIntranet* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowAccessToDataSources** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowCopyPasteViaScript** + + + + +ADMX Info: +- GP english name: *Allow cut, copy or paste operations from the clipboard via script* +- GP name: *IZ_PolicyAllowPasteViaScript_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles** + + + + +ADMX Info: +- GP english name: *Allow drag and drop or copy and paste files* +- GP name: *IZ_PolicyDropOrPasteFiles_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowFontDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowLessPrivilegedSites** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. + + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowLoadingOfXAMLFilesWRONG** + + + + +ADMX Info: +- GP english name: *Allow loading of XAML files* +- GP name: *IZ_Policy_XAML_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. + + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls** + + + + +ADMX Info: +- GP english name: *Allow only approved domains to use ActiveX controls without prompt* +- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Intranet* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl** + + + + +ADMX Info: +- GP english name: *Allow only approved domains to use the TDC ActiveX control* +- GP name: *IZ_PolicyAllowTDCControl_Both_LocalMachine* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowScriptInitiatedWindows** + + + + +ADMX Info: +- GP english name: *Allow script-initiated windows without size or position constraints* +- GP name: *IZ_PolicyWindowsRestrictionsURLaction_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls** + + + + +ADMX Info: +- GP english name: *Allow scripting of Internet Explorer WebBrowser controls* +- GP name: *IZ_Policy_WebBrowserControl_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowScriptlets** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowSmartScreenIE** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript** + + + + +ADMX Info: +- GP english name: *Allow updates to status bar via script* +- GP name: *IZ_Policy_ScriptStatusBar_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowUserDataPersistence** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1** + + + + +ADMX Info: +- GP english name: *Don't run antimalware programs against ActiveX controls* +- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2** + + + + +ADMX Info: +- GP english name: *Don't run antimalware programs against ActiveX controls* +- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneDownloadSignedActiveXControls** + + + + +ADMX Info: +- GP english name: *Download signed ActiveX controls* +- GP name: *IZ_PolicyDownloadSignedActiveX_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneDownloadUnsignedActiveXControls** + + + + +ADMX Info: +- GP english name: *Download unsigned ActiveX controls* +- GP name: *IZ_PolicyDownloadUnsignedActiveX_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter** + + + + +ADMX Info: +- GP english name: *Turn on Cross-Site Scripting Filter* +- GP name: *IZ_PolicyTurnOnXSSFilter_Both_LocalMachine* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows** + + + + +ADMX Info: +- GP english name: *Enable dragging of content from different domains across windows* +- GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows** + + + + +ADMX Info: +- GP english name: *Enable dragging of content from different domains within a window* +- GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneEnableMIMESniffing** + + + + +ADMX Info: +- GP english name: *Enable MIME Sniffing* +- GP name: *IZ_PolicyMimeSniffingURLaction_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneEnableProtectedMode** + + + + +ADMX Info: +- GP english name: *Turn on Protected Mode* +- GP name: *IZ_Policy_TurnOnProtectedMode_2* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer** + + + + +ADMX Info: +- GP english name: *Include local path when user is uploading files to a server* +- GP name: *IZ_Policy_LocalPathForUpload_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneInitializeAndScriptActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe** + + + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneJavaPermissionsWRONG1** + + + + +ADMX Info: +- GP english name: *Java permissions* +- GP name: *IZ_PolicyJavaPermissions_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneJavaPermissionsWRONG2** + + + + +ADMX Info: +- GP english name: *Java permissions* +- GP name: *IZ_PolicyJavaPermissions_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME** + + + + +ADMX Info: +- GP english name: *Launching applications and files in an IFRAME* +- GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneLogonOptions** + + + + +ADMX Info: +- GP english name: *Logon options* +- GP name: *IZ_PolicyLogon_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneNavigateWindowsAndFrames** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode** + + + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode** + + + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components signed with Authenticode* +- GP name: *IZ_PolicySignedFrameworkComponentsURLaction_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles** + + + + +ADMX Info: +- GP english name: *Show security warning for potentially unsafe files* +- GP name: *IZ_Policy_UnsafeFiles_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneUsePopupBlocker** + + + + +ADMX Info: +- GP english name: *Use Pop-up Blocker* +- GP name: *IZ_PolicyBlockPopupWindows_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone** + + + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneAllowAccessToDataSources** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. + + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneAllowFontDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneAllowLessPrivilegedSites** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. + + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. + + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneAllowScriptlets** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneAllowSmartScreenIE** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneAllowUserDataPersistence** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneNavigateWindowsAndFrames** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneAllowAccessToDataSources** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. + + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneAllowFontDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneAllowScriptlets** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneAllowSmartScreenIE** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneAllowUserDataPersistence** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls** + + + + +ADMX Info: +- GP english name: *Don't run antimalware programs against ActiveX controls* +- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. + + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneJavaPermissions** + + + + +ADMX Info: +- GP english name: *Java permissions* +- GP name: *IZ_PolicyJavaPermissions_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_2* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_2* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_2* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownInternetZoneAllowFontDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_2* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_2* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_2* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownInternetZoneAllowScriptlets** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_2* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_2* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_2* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_2* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownInternetZoneJavaPermissions** + + + + +ADMX Info: +- GP english name: *Java permissions* +- GP name: *IZ_PolicyJavaPermissions_2* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_2* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_4* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_4* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_4* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneAllowFontDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_4* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_4* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_4* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneAllowScriptlets** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_4* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_4* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_4* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_4* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_4* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneJavaPermissions** + + + + +ADMX Info: +- GP english name: *Java permissions* +- GP name: *IZ_PolicyJavaPermissions_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. + + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions** + + + + +ADMX Info: +- GP english name: *Java permissions* +- GP name: *IZ_PolicyJavaPermissions_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. + +If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. + + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions** + + + + +ADMX Info: +- GP english name: *Java permissions* +- GP name: *IZ_PolicyJavaPermissions_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses** + + + + +ADMX Info: +- GP english name: *Internet Explorer Processes* +- GP name: *IESF_PolicyExplorerProcesses_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses** + + + + +ADMX Info: +- GP english name: *Internet Explorer Processes* +- GP name: *IESF_PolicyExplorerProcesses_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/NotificationBarInternetExplorerProcesses** + + + + +ADMX Info: +- GP english name: *Internet Explorer Processes* +- GP name: *IESF_PolicyExplorerProcesses_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/PreventManagingSmartScreenFilter** + + + + +ADMX Info: +- GP english name: *Download signed ActiveX controls* +- GP name: *IZ_PolicyDownloadSignedActiveX_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/PreventPerUserInstallationOfActiveXControls** + + + + +ADMX Info: +- GP english name: *Prevent per-user installation of ActiveX controls* +- GP name: *DisablePerUserActiveXInstall* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses** + + + + +ADMX Info: +- GP english name: *All Processes* +- GP name: *IESF_PolicyAllProcesses_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls** + + + + +ADMX Info: +- GP english name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer * +- GP name: *VerMgmtDisableRunThisTime* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses** + + + + +ADMX Info: +- GP english name: *All Processes* +- GP name: *IESF_PolicyAllProcesses_11* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictFileDownloadInternetExplorerProcesses** + + + + +ADMX Info: +- GP english name: *All Processes* +- GP name: *IESF_PolicyAllProcesses_12* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowActiveScripting** + + + + +ADMX Info: +- GP english name: *Allow active scripting* +- GP name: *IZ_PolicyActiveScripting_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors** + + + + +ADMX Info: +- GP english name: *Allow binary and script behaviors* +- GP name: *IZ_PolicyBinaryBehaviors_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript** + + + + +ADMX Info: +- GP english name: *Allow cut, copy or paste operations from the clipboard via script* +- GP name: *IZ_PolicyAllowPasteViaScript_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles** + + + + +ADMX Info: +- GP english name: *Allow drag and drop or copy and paste files* +- GP name: *IZ_PolicyDropOrPasteFiles_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowFileDownloads** + + + + +ADMX Info: +- GP english name: *Allow file downloads* +- GP name: *IZ_PolicyFileDownload_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowFontDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. + + + + +**InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG1** + + + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG2** + + + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles** + + + + +ADMX Info: +- GP english name: *Allow loading of XAML files* +- GP name: *IZ_Policy_XAML_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH** + + + + +ADMX Info: +- GP english name: *Allow META REFRESH* +- GP name: *IZ_PolicyAllowMETAREFRESH_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls** + + + + +ADMX Info: +- GP english name: *Allow only approved domains to use ActiveX controls without prompt* +- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl** + + + + +ADMX Info: +- GP english name: *Allow only approved domains to use the TDC ActiveX control* +- GP name: *IZ_PolicyAllowTDCControl_Both_Restricted* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows** + + + + +ADMX Info: +- GP english name: *Allow script-initiated windows without size or position constraints* +- GP name: *IZ_PolicyWindowsRestrictionsURLaction_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls** + + + + +ADMX Info: +- GP english name: *Allow scripting of Internet Explorer WebBrowser controls* +- GP name: *IZ_Policy_WebBrowserControl_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowScriptlets** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript** + + + + +ADMX Info: +- GP english name: *Allow updates to status bar via script* +- GP name: *IZ_Policy_ScriptStatusBar_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls** + + + + +ADMX Info: +- GP english name: *Don't run antimalware programs against ActiveX controls* +- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls** + + + + +ADMX Info: +- GP english name: *Download signed ActiveX controls* +- GP name: *IZ_PolicyDownloadSignedActiveX_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls** + + + + +ADMX Info: +- GP english name: *Download unsigned ActiveX controls* +- GP name: *IZ_PolicyDownloadUnsignedActiveX_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows** + + + + +ADMX Info: +- GP english name: *Enable dragging of content from different domains across windows* +- GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows** + + + + +ADMX Info: +- GP english name: *Enable dragging of content from different domains within a window* +- GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneEnableMIMESniffing** + + + + +ADMX Info: +- GP english name: *Enable MIME Sniffing* +- GP name: *IZ_PolicyMimeSniffingURLaction_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer** + + + + +ADMX Info: +- GP english name: *Include local path when user is uploading files to a server* +- GP name: *IZ_Policy_LocalPathForUpload_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneJavaPermissions** + + + + +ADMX Info: +- GP english name: *Java permissions* +- GP name: *IZ_PolicyJavaPermissions_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME** + + + + +ADMX Info: +- GP english name: *Launching applications and files in an IFRAME* +- GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneLogonOptions** + + + + +ADMX Info: +- GP english name: *Logon options* +- GP name: *IZ_PolicyLogon_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. + +If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. + + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains** + + + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins** + + + + +ADMX Info: +- GP english name: *Run ActiveX controls and plugins* +- GP name: *IZ_PolicyRunActiveXControls_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode** + + + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components signed with Authenticode* +- GP name: *IZ_PolicySignedFrameworkComponentsURLaction_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting** + + + + +ADMX Info: +- GP english name: *Script ActiveX controls marked safe for scripting* +- GP name: *IZ_PolicyScriptActiveXMarkedSafe_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneWRONG** + + + + +ADMX Info: +- GP english name: *Scripting of Java applets* +- GP name: *IZ_PolicyScriptingOfJavaApplets_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneWRONG2** + + + + +ADMX Info: +- GP english name: *Show security warning for potentially unsafe files* +- GP name: *IZ_Policy_UnsafeFiles_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneWRONG3** + + + + +ADMX Info: +- GP english name: *Turn on Cross-Site Scripting Filter* +- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneWRONG4** + + + + +ADMX Info: +- GP english name: *Turn on Protected Mode* +- GP name: *IZ_Policy_TurnOnProtectedMode_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneWRONG5** + + + + +ADMX Info: +- GP english name: *Use Pop-up Blocker* +- GP name: *IZ_PolicyBlockPopupWindows_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses** + + + + +ADMX Info: +- GP english name: *All Processes* +- GP name: *IESF_PolicyAllProcesses_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/SearchProviderList** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website. + +If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. + +If you disable or do not configure this policy setting, the user can configure his or her list of search providers. + + + +ADMX Info: +- GP english name: *Restrict search providers to a specific list* +- GP name: *SpecificSearchProvider* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/SecurityZonesUseOnlyMachineSettings** + + + + +ADMX Info: +- GP english name: *Security Zones: Use only machine settings * +- GP name: *Security_HKLM_only* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/SpecifyUseOfActiveXInstallerService** + + + + +ADMX Info: +- GP english name: *Specify use of ActiveX Installer Service for installation of ActiveX controls* +- GP name: *OnlyUseAXISForActiveXInstall* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowAccessToDataSources** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. + + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowFontDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur. + + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. + + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowScriptlets** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowSmartScreenIE** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowUserDataPersistence** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. + + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneJavaPermissions** + + + + +ADMX Info: +- GP english name: *Java permissions* +- GP name: *IZ_PolicyJavaPermissions_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneWRONG1** + + + + +ADMX Info: +- GP english name: *Don't run antimalware programs against ActiveX controls* +- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneWRONG2** + + + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5* +- GP ADMX file name: *inetres.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md new file mode 100644 index 0000000000..a8fbdb51d5 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -0,0 +1,247 @@ +--- +title: Policy CSP - Kerberos +description: Policy CSP - Kerberos +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Kerberos + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Kerberos policies + + +**Kerberos/AllowForestSearchOrder** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). + +If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain. + +If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. + + + +ADMX Info: +- GP english name: *Use forest search order* +- GP name: *ForestSearch* +- GP ADMX file name: *Kerberos.admx* + + + + +**Kerberos/KerberosClientSupportsClaimsCompoundArmor** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. +If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. + +If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. + + + +ADMX Info: +- GP english name: *Kerberos client support for claims, compound authentication and Kerberos armoring* +- GP name: *EnableCbacAndArmor* +- GP ADMX file name: *Kerberos.admx* + + + + +**Kerberos/RequireKerberosArmoring** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. + +Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. + +If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. + +Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. + +If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. + + + +ADMX Info: +- GP english name: *Fail authentication requests when Kerberos armoring is not available* +- GP name: *ClientRequireFast* +- GP ADMX file name: *Kerberos.admx* + + + + +**Kerberos/RequireStrictKDCValidation** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon. + +If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. + +If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. + + + +ADMX Info: +- GP english name: *Require strict KDC validation* +- GP name: *ValidateKDC* +- GP ADMX file name: *Kerberos.admx* + + + + +**Kerberos/SetMaximumContextTokenSize** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. + +The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. + +If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. + +If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. + +Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. + + + +ADMX Info: +- GP english name: *Set maximum Kerberos SSPI context token buffer size* +- GP name: *MaxTokenSize* +- GP ADMX file name: *Kerberos.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md new file mode 100644 index 0000000000..8c80b8d3a3 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-licensing.md @@ -0,0 +1,102 @@ +--- +title: Policy CSP - Licensing +description: Policy CSP - Licensing +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Licensing + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Licensing policies + + +**Licensing/AllowWindowsEntitlementReactivation** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +

Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices. + +

The following list shows the supported values: + +- 0 – Disable Windows license reactivation on managed devices. +- 1 (default) – Enable Windows license reactivation on managed devices. + + + + +**Licensing/DisallowKMSClientOnlineAVSValidation** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +

Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. + +

The following list shows the supported values: + +- 0 (default) – Disabled. +- 1 – Enabled. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md new file mode 100644 index 0000000000..f645587446 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-location.md @@ -0,0 +1,74 @@ +--- +title: Policy CSP - Location +description: Policy CSP - Location +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Location + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Location policies + + +**Location/EnableLocation** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark2check mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page. + +> [!IMPORTANT] +> This policy is not intended to ever be set, pushed, or refreshed more than one time after the first boot of the device because it is meant as initial configuration. Refreshing this policy might result in the Location Service's Device Switch changing state to something the user did not select, which is not an intended use for this policy. + +

The following list shows the supported values: + +- 0 (default) – Disabled. +- 1 – Enabled. + +

To validate on Desktop, do the following: + +1. Verify that Settings -> Privacy -> Location -> Location for this device is On/Off as expected. +2. Use Windows Maps Application (or similar) to see if a location can or cannot be obtained. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md new file mode 100644 index 0000000000..25dc0413fe --- /dev/null +++ b/windows/client-management/mdm/policy-csp-lockdown.md @@ -0,0 +1,68 @@ +--- +title: Policy CSP - LockDown +description: Policy CSP - LockDown +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - LockDown + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## LockDown policies + + +**LockDown/AllowEdgeSwipe** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +

Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch. + +

The following list shows the supported values: + +- 0 - disallow edge swipe. +- 1 (default, not configured) - allow edge swipe. + +

The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md new file mode 100644 index 0000000000..71023a8d83 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-maps.md @@ -0,0 +1,108 @@ +--- +title: Policy CSP - Maps +description: Policy CSP - Maps +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Maps + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Maps policies + + +**Maps/AllowOfflineMapsDownloadOverMeteredConnection** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Allows the download and update of map data over metered connections. + +

The following list shows the supported values: + +- 65535 (default) – Not configured. User's choice. +- 0 – Disabled. Force disable auto-update over metered connection. +- 1 – Enabled. Force enable auto-update over metered connection. + +

After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. + + + + +**Maps/EnableOfflineMapsAutoUpdate** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Disables the automatic download and update of map data. + +

The following list shows the supported values: + +- 65535 (default) – Not configured. User's choice. +- 0 – Disabled. Force off auto-update. +- 1 – Enabled. Force on auto-update. + +

After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md new file mode 100644 index 0000000000..0cb1012fa9 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-messaging.md @@ -0,0 +1,144 @@ +--- +title: Policy CSP - Messaging +description: Policy CSP - Messaging +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Messaging + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Messaging policies + + +**Messaging/AllowMMS** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcross markcheck mark2check mark2
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + +

Added in Windows 10, version 1703. Enables or disables the MMS send/receive functionality on the device. For enterprises, this policy can be used to disable MMS on devices as part of the auditing or management requirement. + +

The following list shows the supported values: + +- 0 - Disabled. +- 1 (default) - Enabled. + + + + +**Messaging/AllowMessageSync** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck mark1check mark1
+ + + +

Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control. + +

The following list shows the supported values: + +- 0 - message sync is not allowed and cannot be changed by the user. +- 1 - message sync is allowed. The user can change this setting. + + + + +**Messaging/AllowRCS** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcross markcheck mark2check mark2
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + +

Added in Windows 10, version 1703. Enables or disables the RCS send/receive functionality on the device. For enterprises, this policy can be used to disable RCS on devices as part of the auditing or management requirement. + +

The following list shows the supported values: + +- 0 - Disabled. +- 1 (default) - Enabled. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md new file mode 100644 index 0000000000..8c7f783b3c --- /dev/null +++ b/windows/client-management/mdm/policy-csp-networkisolation.md @@ -0,0 +1,297 @@ +--- +title: Policy CSP - NetworkIsolation +description: Policy CSP - NetworkIsolation +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - NetworkIsolation + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## NetworkIsolation policies + + +**NetworkIsolation/EnterpriseCloudResources** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**. + + + + +**NetworkIsolation/EnterpriseIPRange** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. For example: + +``` syntax +10.0.0.0-10.255.255.255,157.54.0.0-157.54.255.255, +192.168.0.0-192.168.255.255,2001:4898::-2001:4898:7fff:ffff:ffff:ffff:ffff:ffff, +2001:4898:dc05::-2001:4898:dc05:ffff:ffff:ffff:ffff:ffff, +2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff, +fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + +``` + + + + +**NetworkIsolation/EnterpriseIPRangesAreAuthoritative** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets. + + + + +**NetworkIsolation/EnterpriseInternalProxyServers** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies. + + + + +**NetworkIsolation/EnterpriseNetworkDomainNames** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com". + +> [!NOTE] +> The client requires domain name to be canonical, otherwise the setting will be rejected by the client. +  + +

Here are the steps to create canonical domain names: + +1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com. +2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. +3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0). + + + + +**NetworkIsolation/EnterpriseProxyServers** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". + + + + +**NetworkIsolation/EnterpriseProxyServersAreAuthoritative** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies. + + + + +**NetworkIsolation/NeutralResources** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

List of domain names that can used for work or personal resource. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md new file mode 100644 index 0000000000..1ba72d35a8 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -0,0 +1,77 @@ +--- +title: Policy CSP - Notifications +description: Policy CSP - Notifications +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Notifications + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Notifications policies + + +**Notifications/DisallowNotificationMirroring** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Boolean value that turns off notification mirroring. + +> [!IMPORTANT] +> This node must be accessed using the following paths: +> +> - **./User/Vendor/MSFT/Policy/Config/Notifications/DisallowNotificationMirroring** to set the policy. +> - **./User/Vendor/MSFT/Policy/Result/Notifications/DisallowNotificationMirroring** to get the result. + + +

For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page. + +

No reboot or service restart is required for this policy to take effect. + +

The following list shows the supported values: + +- 0 (default)– enable notification mirroring. +- 1 – disable notification mirroring. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md new file mode 100644 index 0000000000..b0b74a08f2 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-power.md @@ -0,0 +1,421 @@ +--- +title: Policy CSP - Power +description: Policy CSP - Power +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Power + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Power policies + + +**Power/AllowStandbyWhenSleepingPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. + +If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state. + +If you disable this policy setting, standby states (S1-S3) are not allowed. + + + +ADMX Info: +- GP english name: *Allow standby states (S1-S3) when sleeping (plugged in)* +- GP name: *AllowStandbyStatesAC_2* +- GP ADMX file name: *power.admx* + + + + +**Power/DisplayOffTimeoutOnBattery** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1709. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display. + +

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. + +

If you disable or do not configure this policy setting, users control this setting. + +

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. + + + +ADMX Info: +- GP english name: *Turn off the display (on battery)* +- GP name: *VideoPowerDownTimeOutDC_2* +- GP ADMX file name: *power.admx* + + + + +**Power/DisplayOffTimeoutPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1709. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display. + +

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. + +

If you disable or do not configure this policy setting, users control this setting. + +

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. + + + +ADMX Info: +- GP english name: *Turn off the display (plugged in)* +- GP name: *VideoPowerDownTimeOutAC_2* +- GP ADMX file name: *power.admx* + + + + +**Power/HibernateTimeoutOnBattery** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1709. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. + +

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. + +

If you disable or do not configure this policy setting, users control this setting. + + +

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. + + + +ADMX Info: +- GP english name: *Specify the system hibernate timeout (on battery)* +- GP name: *DCHibernateTimeOut_2* +- GP ADMX file name: *power.admx* + + + + +**Power/HibernateTimeoutPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1709. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. + +

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. + +

If you disable or do not configure this policy setting, users control this setting. + +

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. + + + +ADMX Info: +- GP english name: *Specify the system hibernate timeout (plugged in)* +- GP name: *ACHibernateTimeOut_2* +- GP ADMX file name: *power.admx* + + + + +**Power/RequirePasswordWhenComputerWakesOnBattery** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. + +If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. + +If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. + + + +ADMX Info: +- GP english name: *Require a password when a computer wakes (on battery)* +- GP name: *DCPromptForPasswordOnResume_2* +- GP ADMX file name: *power.admx* + + + + +**Power/RequirePasswordWhenComputerWakesPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. + +If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. + +If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. + + + +ADMX Info: +- GP english name: *Require a password when a computer wakes (plugged in)* +- GP name: *ACPromptForPasswordOnResume_2* +- GP ADMX file name: *power.admx* + + + + +**Power/StandbyTimeoutOnBattery** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1709. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. + +

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. + +

If you disable or do not configure this policy setting, users control this setting. + +

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. + + + +ADMX Info: +- GP english name: *Specify the system sleep timeout (on battery)* +- GP name: *DCStandbyTimeOut_2* +- GP ADMX file name: *power.admx* + + + + +**Power/StandbyTimeoutPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1709. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. + +

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. + +

If you disable or do not configure this policy setting, users control this setting. + +

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. + + + +ADMX Info: +- GP english name: *Specify the system sleep timeout (plugged in)* +- GP name: *ACStandbyTimeOut_2* +- GP ADMX file name: *power.admx* + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md new file mode 100644 index 0000000000..ac4e6f725f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -0,0 +1,184 @@ +--- +title: Policy CSP - Printers +description: Policy CSP - Printers +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Printers + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Printers policies + + +**Printers/PointAndPrintRestrictions** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. + +If you enable this policy setting: +-Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. +-You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. + +If you do not configure this policy setting: +-Windows Vista client computers can point and print to any server. +-Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. +-Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. +-Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. + +If you disable this policy setting: +-Windows Vista client computers can create a printer connection to any server using Point and Print. +-Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. +-Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. +-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. +-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). + + + +ADMX Info: +- GP english name: *Point and Print Restrictions* +- GP name: *PointAndPrint_Restrictions_Win7* +- GP ADMX file name: *Printing.admx* + + + + +**Printers/PointAndPrintRestrictions_User** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. + +If you enable this policy setting: +-Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. +-You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. + +If you do not configure this policy setting: +-Windows Vista client computers can point and print to any server. +-Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. +-Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. +-Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. + +If you disable this policy setting: +-Windows Vista client computers can create a printer connection to any server using Point and Print. +-Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. +-Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. +-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. +-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). + + + +ADMX Info: +- GP english name: *Point and Print Restrictions* +- GP name: *PointAndPrint_Restrictions* +- GP ADMX file name: *Printing.admx* + + + + +**Printers/PublishPrinters** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1check mark1check mark1
+ + + +Determines whether the computer's shared printers can be published in Active Directory. + +If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory. + +If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available. + +Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory". + + + +ADMX Info: +- GP english name: *Allow printers to be published* +- GP name: *PublishPrinters* +- GP ADMX file name: *Printing2.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md new file mode 100644 index 0000000000..6436a76202 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -0,0 +1,2556 @@ +--- +title: Policy CSP - Privacy +description: Policy CSP - Privacy +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Privacy + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Privacy policies + + +**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check markcheck mark
+ + + +

Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. + +

The following list shows the supported values: + +- 0 (default)– Not allowed. +- 1 – Allowed. + +

Most restricted value is 0. + + + + +**Privacy/AllowInputPersonalization** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Updated in Windows 10, version 1709. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. +  + + + + +**Privacy/DisableAdvertisingId** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Enables or disables the Advertising ID. + +

The following list shows the supported values: + +- 0 – Disabled. +- 1 – Enabled. +- 65535 (default)- Not configured. + +

Most restricted value is 0. + + + + +**Privacy/LetAppsAccessAccountInfo** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Specifies whether Windows apps can access account information. + +

The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

Most restricted value is 2. + + + + +**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + + +**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + + +**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + + +**Privacy/LetAppsAccessCalendar** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar. + +

The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

Most restricted value is 2. + + + + +**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + + +**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + + +**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + + +**Privacy/LetAppsAccessCallHistory** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Specifies whether Windows apps can access call history. + +

The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

Most restricted value is 2. + + + + +**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + + +**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + + +**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + + +**Privacy/LetAppsAccessCamera** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera. + +

The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

Most restricted value is 2. + + + + +**Privacy/LetAppsAccessCamera_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessCamera_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessContacts** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts. + +

The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

Most restricted value is 2. + + + + +**Privacy/LetAppsAccessContacts_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessContacts_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessEmail** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Specifies whether Windows apps can access email. + +

The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

Most restricted value is 2. + + + + +**Privacy/LetAppsAccessEmail_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessEmail_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessLocation** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Specifies whether Windows apps can access location. + +

The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

Most restricted value is 2. + + + + +**Privacy/LetAppsAccessLocation_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessLocation_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessMessaging** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS). + +

The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

Most restricted value is 2. + + + + +**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessMicrophone** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone. + +

The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

Most restricted value is 2. + + + + +**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessMotion** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data. + +

The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

Most restricted value is 2. + + + + +**Privacy/LetAppsAccessMotion_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessMotion_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessNotifications** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications. + +

The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

Most restricted value is 2. + + + + +**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessPhone** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls. + +

The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

Most restricted value is 2. + + + + +**Privacy/LetAppsAccessPhone_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessPhone_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessRadios** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios. + +

The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

Most restricted value is 2. + + + + +**Privacy/LetAppsAccessRadios_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessRadios_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessTasks** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. + + + + +**Privacy/LetAppsAccessTasks_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessTasks_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessTrustedDevices** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices. + +

The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

Most restricted value is 2. + + + + +**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + + +**Privacy/LetAppsGetDiagnosticInfo** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. + +

The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

Most restricted value is 2. + + + + +**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + + +**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + + +**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + + +**Privacy/LetAppsRunInBackground** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. + +

The following list shows the supported values: + +- 0 – User in control (default). +- 1 – Force allow. +- 2 - Force deny. + +

Most restricted value is 2. +> [!WARNING] +> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly. + + + + +**Privacy/LetAppsRunInBackground_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + + +**Privacy/LetAppsRunInBackground_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + + +**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + + +**Privacy/LetAppsSyncWithDevices** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. + +

The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

Most restricted value is 2. + + + + +**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + + +**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + + +**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## Privacy policies supported by Windows Holographic for Business + +- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) +- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) +- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) +- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) +- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) +- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) +- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) + + + +## Privacy policies supported by IoT Core + +- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) +- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) +- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) +- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) +- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) +- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) + + + +## Privacy policies supported by Microsoft Surface Hub + +- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) +- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) +- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) +- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) +- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) +- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) + + diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md new file mode 100644 index 0000000000..bae354870c --- /dev/null +++ b/windows/client-management/mdm/policy-csp-remoteassistance.md @@ -0,0 +1,249 @@ +--- +title: Policy CSP - RemoteAssistance +description: Policy CSP - RemoteAssistance +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - RemoteAssistance + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## RemoteAssistance policies + + +**RemoteAssistance/CustomizeWarningMessages** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting lets you customize warning messages. + +The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer. + +The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a user allows a connection to his or her computer. + +If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice. + +If you disable this policy setting, the user sees the default warning message. + +If you do not configure this policy setting, the user sees the default warning message. + + + +ADMX Info: +- GP english name: *Customize warning messages* +- GP name: *RA_Options* +- GP ADMX file name: *remoteassistance.admx* + + + + +**RemoteAssistance/SessionLogging** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance. + +If you enable this policy setting, log files are generated. + +If you disable this policy setting, log files are not generated. + +If you do not configure this setting, application-based settings are used. + + + +ADMX Info: +- GP english name: *Turn on session logging* +- GP name: *RA_Logging* +- GP ADMX file name: *remoteassistance.admx* + + + + +**RemoteAssistance/SolicitedRemoteAssistance** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. + +If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings. + +If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer. + +If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings. + +If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." + +The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open. + +The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported. + +If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications. + + + +ADMX Info: +- GP english name: *Configure Solicited Remote Assistance* +- GP name: *RA_Solicit* +- GP ADMX file name: *remoteassistance.admx* + + + + +**RemoteAssistance/UnsolicitedRemoteAssistance** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. + +If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. + +If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. + +If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. + +If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance. + +To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format: + +\ or + +\ + +If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running. + +Windows Vista and later + +Enable the Remote Assistance exception for the domain profile. The exception must contain: +Port 135:TCP +%WINDIR%\System32\msra.exe +%WINDIR%\System32\raserver.exe + +Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1) + +Port 135:TCP +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe +%WINDIR%\System32\Sessmgr.exe + +For computers running Windows Server 2003 with Service Pack 1 (SP1) + +Port 135:TCP +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe +Allow Remote Desktop Exception + + + +ADMX Info: +- GP english name: *Configure Offer Remote Assistance* +- GP name: *RA_Unsolicit* +- GP ADMX file name: *remoteassistance.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md new file mode 100644 index 0000000000..c73c7a4093 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -0,0 +1,314 @@ +--- +title: Policy CSP - RemoteDesktopServices +description: Policy CSP - RemoteDesktopServices +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - RemoteDesktopServices + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## RemoteDesktopServices policies + + +**RemoteDesktopServices/AllowUsersToConnectRemotely** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting allows you to configure remote access to computers by using Remote Desktop Services. + +If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services. + +If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections. + +If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed. + +Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication. + +You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. + + + +ADMX Info: +- GP english name: *Allow users to connect remotely by using Remote Desktop Services* +- GP name: *TS_DISABLE_CONNECTIONS* +- GP ADMX file name: *terminalserver.admx* + + + + +**RemoteDesktopServices/ClientConnectionEncryptionLevel** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. + +If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available: + +* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers. + +* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption. + +* Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption. + +If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy. + +Important + +FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. + + + +ADMX Info: +- GP english name: *Set client connection encryption level* +- GP name: *TS_ENCRYPTION_POLICY* +- GP ADMX file name: *terminalserver.admx* + + + + +**RemoteDesktopServices/DoNotAllowDriveRedirection** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). + +By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format on . You can use this policy setting to override this behavior. + +If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP. + +If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. + +If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. + + + +ADMX Info: +- GP english name: *Do not allow drive redirection* +- GP name: *TS_CLIENT_DRIVE_M* +- GP ADMX file name: *terminalserver.admx* + + + + +**RemoteDesktopServices/DoNotAllowPasswordSaving** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +Controls whether passwords can be saved on this computer from Remote Desktop Connection. + +If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. + +If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection. + + + +ADMX Info: +- GP english name: *Do not allow passwords to be saved* +- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2* +- GP ADMX file name: *terminalserver.admx* + + + + +**RemoteDesktopServices/PromptForPasswordUponConnection** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. + +You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. + +By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client. + +If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on. + +If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client. + +If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. + + + +ADMX Info: +- GP english name: *Always prompt for password upon connection* +- GP name: *TS_PASSWORD* +- GP ADMX file name: *terminalserver.admx* + + + + +**RemoteDesktopServices/RequireSecureRPCCommunication** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. + +You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. + +If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients. + +If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request. + +If the status is set to Not Configured, unsecured communication is allowed. + +Note: The RPC interface is used for administering and configuring Remote Desktop Services. + + + +ADMX Info: +- GP english name: *Require secure RPC communication* +- GP name: *TS_RPC_ENCRYPTION* +- GP ADMX file name: *terminalserver.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md new file mode 100644 index 0000000000..4c0d02a0fb --- /dev/null +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md @@ -0,0 +1,225 @@ +--- +title: Policy CSP - RemoteManagement +description: Policy CSP - RemoteManagement +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - RemoteManagement + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## RemoteManagement policies + + +**RemoteManagement/AllowBasicAuthentication_Client** + + + + +ADMX Info: +- GP english name: *Allow Basic authentication* +- GP name: *AllowBasic_2* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/AllowBasicAuthentication_Service** + + + + +ADMX Info: +- GP english name: *Allow Basic authentication* +- GP name: *AllowBasic_1* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/AllowCredSSPAuthenticationClient** + + + + +ADMX Info: +- GP english name: *Allow CredSSP authentication* +- GP name: *AllowCredSSP_1* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/AllowCredSSPAuthenticationService** + + + + +ADMX Info: +- GP english name: *Allow CredSSP authentication* +- GP name: *AllowCredSSP_2* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/AllowRemoteServerManagement** + + + + +ADMX Info: +- GP english name: *Allow remote server management through WinRM* +- GP name: *AllowAutoConfig* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/AllowUnencryptedTraffic_Client** + + + + +ADMX Info: +- GP english name: *Allow unencrypted traffic* +- GP name: *AllowUnencrypted_2* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/AllowUnencryptedTraffic_Service** + + + + +ADMX Info: +- GP english name: *Allow unencrypted traffic* +- GP name: *AllowUnencrypted_1* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/DisallowDigestAuthentication** + + + + +ADMX Info: +- GP english name: *Disallow Digest authentication* +- GP name: *DisallowDigest* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/DisallowNegotiateAuthenticationClient** + + + + +ADMX Info: +- GP english name: *Disallow Negotiate authentication* +- GP name: *DisallowNegotiate_1* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/DisallowNegotiateAuthenticationService** + + + + +ADMX Info: +- GP english name: *Disallow Negotiate authentication* +- GP name: *DisallowNegotiate_2* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/DisallowStoringOfRunAsCredentials** + + + + +ADMX Info: +- GP english name: *Disallow WinRM from storing RunAs credentials* +- GP name: *DisableRunAs* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/SpecifyChannelBindingTokenHardeningLevel** + + + + +ADMX Info: +- GP english name: *Specify channel binding token hardening level* +- GP name: *CBTHardeningLevel_1* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/TrustedHosts** + + + + +ADMX Info: +- GP english name: *Trusted Hosts* +- GP name: *TrustedHosts* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/TurnOnCompatibilityHTTPListener** + + + + +ADMX Info: +- GP english name: *Turn On Compatibility HTTP Listener* +- GP name: *HttpCompatibilityListener* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/TurnOnCompatibilityHTTPSListener** + + + + +ADMX Info: +- GP english name: *Turn On Compatibility HTTPS Listener* +- GP name: *HttpsCompatibilityListener* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md new file mode 100644 index 0000000000..56389b3ae7 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md @@ -0,0 +1,130 @@ +--- +title: Policy CSP - RemoteProcedureCall +description: Policy CSP - RemoteProcedureCall +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - RemoteProcedureCall + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## RemoteProcedureCall policies + + +**RemoteProcedureCall/RPCEndpointMapperClientAuthentication** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. + +If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server. + +If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service. + +If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service. + +Note: This policy will not be applied until the system is rebooted. + + + +ADMX Info: +- GP english name: *Enable RPC Endpoint Mapper Client Authentication* +- GP name: *RpcEnableAuthEpResolution* +- GP ADMX file name: *rpc.admx* + + + + +**RemoteProcedureCall/RestrictUnauthenticatedRPCClients** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. + +This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller. + +If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting. + +If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting. + +If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. + +-- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. + +-- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. + +-- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. + +Note: This policy setting will not be applied until the system is rebooted. + + + +ADMX Info: +- GP english name: *Restrict Unauthenticated RPC clients* +- GP name: *RpcRestrictRemoteClients* +- GP ADMX file name: *rpc.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md new file mode 100644 index 0000000000..08ec87e539 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-remoteshell.md @@ -0,0 +1,121 @@ +--- +title: Policy CSP - RemoteShell +description: Policy CSP - RemoteShell +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - RemoteShell + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## RemoteShell policies + + +**RemoteShell/AllowRemoteShellAccess** + + + + +ADMX Info: +- GP english name: *Allow Remote Shell Access* +- GP name: *AllowRemoteShellAccess* +- GP ADMX file name: *WindowsRemoteShell.admx* + + + + +**RemoteShell/MaxConcurrentUsers** + + + + +ADMX Info: +- GP english name: *MaxConcurrentUsers* +- GP name: *MaxConcurrentUsers* +- GP ADMX file name: *WindowsRemoteShell.admx* + + + + +**RemoteShell/SpecifyIdleTimeout** + + + + +ADMX Info: +- GP english name: *Specify idle Timeout* +- GP name: *IdleTimeout* +- GP ADMX file name: *WindowsRemoteShell.admx* + + + + +**RemoteShell/SpecifyMaxMemory** + + + + +ADMX Info: +- GP english name: *Specify maximum amount of memory in MB per Shell* +- GP name: *MaxMemoryPerShellMB* +- GP ADMX file name: *WindowsRemoteShell.admx* + + + + +**RemoteShell/SpecifyMaxProcesses** + + + + +ADMX Info: +- GP english name: *Specify maximum number of processes per Shell* +- GP name: *MaxProcessesPerShell* +- GP ADMX file name: *WindowsRemoteShell.admx* + + + + +**RemoteShell/SpecifyMaxRemoteShells** + + + + +ADMX Info: +- GP english name: *Specify maximum number of remote shells per user* +- GP name: *MaxShellsPerUser* +- GP ADMX file name: *WindowsRemoteShell.admx* + + + + +**RemoteShell/SpecifyShellTimeout** + + + + +ADMX Info: +- GP english name: *Specify Shell Timeout* +- GP name: *ShellTimeOut* +- GP ADMX file name: *WindowsRemoteShell.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md new file mode 100644 index 0000000000..73badec791 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-search.md @@ -0,0 +1,392 @@ +--- +title: Policy CSP - Search +description: Policy CSP - Search +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Search + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Search policies + + +**Search/AllowIndexingEncryptedStoresOrItems** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files. + +

When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes things like file path and date modified. + +

When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps if there are a lot of WIP protected media files on the device. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Search/AllowSearchToUseLocation** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether search can leverage location information. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Search/AllowUsingDiacritics** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Allows the use of diacritics. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Search/AlwaysUseAutoLangDetection** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether to always use automatic language detection when indexing content and properties. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Search/DisableBackoff** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled. + +

The following list shows the supported values: + +- 0 (default) – Disable. +- 1 – Enable. + + + + +**Search/DisableRemovableDriveIndexing** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

This policy setting configures whether or not locations on removable drives can be added to libraries. + +

If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed. + +

If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed. + +

The following list shows the supported values: + +- 0 (default) – Disable. +- 1 – Enable. + + + + +**Search/PreventIndexingLowDiskSpaceMB** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1. + +

Enable this policy if computers in your environment have extremely limited hard drive space. + +

When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size. + +

The following list shows the supported values: + +- 0 – Disable. +- 1 (default) – Enable. + + + + +**Search/PreventRemoteQueries** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index.. + +

The following list shows the supported values: + +- 0 – Disable. +- 1 (default) – Enable. + + + + +**Search/SafeSearchPermissions** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

Specifies what level of safe search (filtering adult content) is required. + +

The following list shows the supported values: + +- 0 – Strict, highest filtering against adult content. +- 1 (default) – Moderate filtering against adult content (valid search results will not be filtered). + +

Most restricted value is 0. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## Search policies that can be set using Exchange Active Sync (EAS) + +- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) + + + +## Search policies supported by Windows Holographic for Business + +- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) + + diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md new file mode 100644 index 0000000000..b9da338ad1 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-security.md @@ -0,0 +1,426 @@ +--- +title: Policy CSP - Security +description: Policy CSP - Security +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Security + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Security policies + + +**Security/AllowAddProvisioningPackage** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether to allow the runtime configuration agent to install provisioning packages. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy has been deprecated in Windows 10, version 1607 + +
+ +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Security/AllowManualRootCertificateInstallation** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

Specifies whether the user is allowed to manually install root and intermediate CA certificates. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Security/AllowRemoveProvisioningPackage** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether to allow the runtime configuration agent to remove provisioning packages. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Security/AntiTheftMode** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + +  +

Allows or disallow Anti Theft Mode on the device. + +

The following list shows the supported values: + +- 0 – Don't allow Anti Theft Mode. +- 1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent). + + + + +**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**. + +

Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined. + +

The following list shows the supported values: + +- 0 (default) – Encryption enabled. +- 1 – Encryption disabled. + + + + +**Security/RequireDeviceEncryption** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the [DeviceStatus CSP](devicestatus-csp.md) node **DeviceStatus/Compliance/EncryptionCompliance**. + +

Allows enterprise to turn on internal storage encryption. + +

The following list shows the supported values: + +- 0 (default) – Encryption is not required. +- 1 – Encryption is required. + +

Most restricted value is 1. + +> [!IMPORTANT] +> If encryption has been enabled, it cannot be turned off by using this policy. + + + + +**Security/RequireProvisioningPackageSignature** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether provisioning packages must have a certificate signed by a device trusted authority. + +

The following list shows the supported values: + +- 0 (default) – Not required. +- 1 – Required. + + + + +**Security/RequireRetrieveHealthCertificateOnBoot** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots. + +

The following list shows the supported values: + +- 0 (default) – Not required. +- 1 – Required. + +

Setting this policy to 1 (Required): + +- Determines whether a device is capable of Remote Device Health Attestation, by verifying if the device has TPM 2.0. +- Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification. + +> [!NOTE] +> We recommend that this policy is set to Required after MDM enrollment. +  + +

Most restricted value is 1. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## Security policies that can be set using Exchange Active Sync (EAS) + +- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) + + + +## Security policies supported by Windows Holographic for Business + +- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) + + + +## Security policies supported by IoT Core + +- [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage) +- [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage) +- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) +- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) + + + +## Security policies supported by Microsoft Surface Hub + +- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) +- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot) + + diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md new file mode 100644 index 0000000000..aac7fdd2e4 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -0,0 +1,559 @@ +--- +title: Policy CSP - Settings +description: Policy CSP - Settings +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Settings + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Settings policies + + +**Settings/AllowAutoPlay** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Allows the user to change Auto Play settings. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +> [!NOTE] +> Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected. + + + + +**Settings/AllowDataSense** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Allows the user to change Data Sense settings. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Settings/AllowDateTime** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Allows the user to change date and time settings. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Settings/AllowEditDeviceName** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck mark1check mark1
+ + + +

Allows editing of the device name. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Settings/AllowLanguage** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Allows the user to change the language settings. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Settings/AllowPowerSleep** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Allows the user to change power and sleep settings. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Settings/AllowRegion** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Allows the user to change the region settings. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Settings/AllowSignInOptions** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Allows the user to change sign-in options. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Settings/AllowVPN** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Allows the user to change VPN settings. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Settings/AllowWorkplace** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Allows user to change workplace settings. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Settings/AllowYourAccount** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Allows user to change account settings. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Settings/ConfigureTaskbarCalendar** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale. + +

The following list shows the supported values: + +- 0 (default) – User will be allowed to configure the setting. +- 1 – Don't show additional calendars. +- 2 - Simplified Chinese (Lunar). +- 3 - Traditional Chinese (Lunar). + + + + +**Settings/PageVisibilityList** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. + +

The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively: + +

showonly:about;bluetooth + +

If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i.e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list. + +

The format of the PageVisibilityList value is as follows: + +- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity. +- There are two variants: one that shows only the given pages and one which hides the given pages. +- The first variant starts with the string "showonly:" and the second with the string "hide:". +- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace. +- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:wi-fi" would be just "wi-fi". + +

The default value for this setting is an empty string, which is interpreted as show everything. + +

Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:wi-fi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden: + +

showonly:wi-fi;bluetooth + +

Example 2, specifies that the wifi page should not be shown: + +

hide:wifi + +

To validate on Desktop, do the following: + +1. Open System Settings and verfiy that the About page is visible and accessible. +2. Configure the policy with the following string: "hide:about". +3. Open System Settings again and verify that the About page is no longer accessible. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## Settings policies supported by Windows Holographic for Business + +- [Settings/AllowDateTime](#settings-allowdatetime) +- [Settings/AllowVPN](#settings-allowvpn) + + diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md new file mode 100644 index 0000000000..968712f98d --- /dev/null +++ b/windows/client-management/mdm/policy-csp-smartscreen.md @@ -0,0 +1,138 @@ +--- +title: Policy CSP - SmartScreen +description: Policy CSP - SmartScreen +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - SmartScreen + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## SmartScreen policies + + +**SmartScreen/EnableAppInstallControl** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store. + +

The following list shows the supported values: + +- 0 – Turns off Application Installation Control, allowing users to download and install files from anywhere on the web. +- 1 – Turns on Application Installation Control, allowing users to only install apps from the Store. + + + + +**SmartScreen/EnableSmartScreenInShell** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows. + +

The following list shows the supported values: + +- 0 – Turns off SmartScreen in Windows. +- 1 – Turns on SmartScreen in Windows. + + + + +**SmartScreen/PreventOverrideForFilesInShell** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files. + +

The following list shows the supported values: + +- 0 – Employees can ignore SmartScreen warnings and run malicious files. +- 1 – Employees cannot ignore SmartScreen warnings and run malicious files. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md new file mode 100644 index 0000000000..b67d1464b7 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-speech.md @@ -0,0 +1,66 @@ +--- +title: Policy CSP - Speech +description: Policy CSP - Speech +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Speech + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Speech policies + + +**Speech/AllowSpeechModelUpdate** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark1check mark1check mark1check mark1check mark1check mark1
+ + + +

Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS). + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md new file mode 100644 index 0000000000..9c3c33dc73 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-start.md @@ -0,0 +1,1192 @@ +--- +title: Policy CSP - Start +description: Policy CSP - Start +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Start + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Start policies + + +**Start/AllowPinnedFolderDocuments** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. This policy controls the visibility of the Documents shortcut on the Start menu. + +

The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderDownloads** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. This policy controls the visibility of the Downloads shortcut on the Start menu. + +

The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderFileExplorer** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. This policy controls the visibility of the File Explorer shortcut on the Start menu. + +

The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderHomeGroup** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. This policy controls the visibility of the HomeGroup shortcut on the Start menu. + +

The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderMusic** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. This policy controls the visibility of the Music shortcut on the Start menu. + +

The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderNetwork** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. This policy controls the visibility of the Network shortcut on the Start menu. + +

The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderPersonalFolder** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. This policy controls the visibility of the PersonalFolder shortcut on the Start menu. + +

The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderPictures** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. This policy controls the visibility of the Pictures shortcut on the Start menu. + +

The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderSettings** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. This policy controls the visibility of the Settings shortcut on the Start menu. + +

The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderVideos** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. This policy controls the visibility of the Videos shortcut on the Start menu. + +

The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/ForceStartSize** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Forces the start screen size. + +

The following list shows the supported values: + +- 0 (default) – Do not force size of Start. +- 1 – Force non-fullscreen size of Start. +- 2 - Force a fullscreen size of Start. + +

If there is policy configuration conflict, the latest configuration request is applied to the device. + + + + +**Start/HideAppList** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +> [!NOTE] +> This policy requires reboot to take effect. + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by collapsing or removing the all apps list. + +

The following list shows the supported values: + +- 0 (default) – None. +- 1 – Hide all apps list. +- 2 - Hide all apps list, and Disable "Show app list in Start menu" in Settings app. +- 3 - Hide all apps list, remove all apps button, and Disable "Show app list in Start menu" in Settings app. + +

To validate on Desktop, do the following: + +- 1 - Enable policy and restart explorer.exe +- 2a - If set to '1': Verify that the all apps list is collapsed, and that the Settings toggle is not grayed out. +- 2b - If set to '2': Verify that the all apps list is collapsed, and that the Settings toggle is grayed out. +- 2c - If set to '3': Verify that there is no way of opening the all apps list from Start, and that the Settings toggle is grayed out. + + + + +**Start/HideChangeAccountSettings** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the user tile, and verify that "Change account settings" is not available. + + + + +**Start/HideFrequentlyUsedApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +> [!NOTE] +> This policy requires reboot to take effect. + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding most used apps. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable "Show most used apps" in the Settings app. +2. Use some apps to get them into the most used group in Start. +3. Enable policy. +4. Restart explorer.exe +5. Check that "Show most used apps" Settings toggle is grayed out. +6. Check that most used apps do not appear in Start. + + + + +**Start/HideHibernate** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Laptop, do the following: + +1. Enable policy. +2. Open Start, click on the Power button, and verify "Hibernate" is not available. + +> [!NOTE] +> This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's. + + + + +**Start/HideLock** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the user tile, and verify "Lock" is not available. + + + + +**Start/HidePowerButton** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +> [!NOTE] +> This policy requires reboot to take effect. + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the Power button from appearing. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, and verify the power button is not available. + + + + +**Start/HideRecentJumplists** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +> [!NOTE] +> This policy requires reboot to take effect. + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently opened items in the jumplists from appearing. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable "Show recently opened items in Jump Lists on Start of the taskbar" in Settings. +2. Pin Photos to the taskbar, and open some images in the photos app. +3. Right click the pinned photos app and verify that a jumplist of recently opened items pops up. +4. Toggle "Show recently opened items in Jump Lists on Start of the taskbar" in Settings to clear jump lists. +5. Enable policy. +6. Restart explorer.exe +7. Check that Settings toggle is grayed out. +8. Repeat Step 2. +9. Right Click pinned photos app and verify that there is no jumplist of recent items. + + + + +**Start/HideRecentlyAddedApps** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +> [!NOTE] +> This policy requires reboot to take effect. + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently added apps. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable "Show recently added apps" in the Settings app. +2. Check if there are recently added apps in Start (if not, install some). +3. Enable policy. +4. Restart explorer.exe +5. Check that "Show recently added apps" Settings toggle is grayed out. +6. Check that recently added apps do not appear in Start. + + + + +**Start/HideRestart** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the Power button, and verify "Restart" and "Update and restart" are not available. + + + + +**Start/HideShutDown** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the Power button, and verify "Shut down" and "Update and shut down" are not available. + + + + +**Start/HideSignOut** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the user tile, and verify "Sign out" is not available. + + + + +**Start/HideSleep** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the Power button, and verify that "Sleep" is not available. + + + + +**Start/HideSwitchAccount** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the user tile, and verify that "Switch account" is not available. + + + + +**Start/HideUserTile** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +> [!NOTE] +> This policy requires reboot to take effect. + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the user tile. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Log off. +3. Log in, and verify that the user tile is gone from Start. + + + + +**Start/ImportEdgeAssets** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +> [!NOTE] +> This policy requires reboot to take effect. + +

Added in Windows 10, version 1703. This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files. + +> [!IMPORTANT] +> Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy. + +

The value set for this policy is an XML string containing Edge assets. An example XML string is provided in the [Microsoft Edge assets example](#microsoft-edge-assets-example) later in this topic. + +

To validate on Desktop, do the following: + +1. Set policy with an XML for Edge assets. +2. Set StartLayout policy to anything so that it would trigger the Edge assets import. +3. Sign out/in. +4. Verify that all Edge assets defined in XML show up in %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState path. + + + + +**Start/NoPinningToTaskbar** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar. + +

The following list shows the supported values: + +- 0 (default) – False (pinning enabled). +- 1 - True (pinning disabled). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Right click on a program pinned to taskbar. +3. Verify that "Unpin from taskbar" menu does not show. +4. Open Start and right click on one of the app list icons. +5. Verify that More->Pin to taskbar menu does not show. + + + + +**Start/StartLayout** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcheck markcheck markcross markcross mark
+ + + +> [!IMPORTANT] +> This node is set on a per-user basis and must be accessed using the following paths: +> - **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy. +> - **./User/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy. +> +> +> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis using the following paths: +> - **./Device/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy. +> - **./Device/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy. + + +

Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy + +

This policy is described in [Start/StartLayout Examples](#startlayout-examples) later in this topic. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md new file mode 100644 index 0000000000..7d305a13d9 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -0,0 +1,72 @@ +--- +title: Policy CSP - Storage +description: Policy CSP - Storage +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Storage + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Storage policies + + +**Storage/EnhancedStorageDevices** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcheck markcheck markcross markcross mark
+ + + +This policy setting configures whether or not Windows will activate an Enhanced Storage device. + +If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices. + +If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices. + + + +ADMX Info: +- GP english name: *Do not allow Windows to activate Enhanced Storage devices* +- GP name: *TCGSecurityActivationDisabled* +- GP ADMX file name: *enhancedstorage.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md new file mode 100644 index 0000000000..bfc21c114d --- /dev/null +++ b/windows/client-management/mdm/policy-csp-system.md @@ -0,0 +1,614 @@ +--- +title: Policy CSP - System +description: Policy CSP - System +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - System + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## System policies + + +**System/AllowBuildPreview** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +> [!NOTE] +> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. + + +

This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. + +

If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable. + +

The following list shows the supported values: + +- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software. +- 1 – Allowed. Users can make their devices available for downloading and installing preview software. +- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software. + + + + +**System/AllowEmbeddedMode** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether set general purpose device to be in embedded mode. + +

The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + +

Most restricted value is 0. + + + + +**System/AllowExperimentation** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +> [!NOTE] +> This policy is not supported in Windows 10, version 1607. + +

This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. + +

The following list shows the supported values: + +- 0 – Disabled. +- 1 (default) – Permits Microsoft to configure device settings only. +- 2 – Allows Microsoft to conduct full experimentations. + +

Most restricted value is 0. + + + + +**System/AllowFontProviders** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. + +

Supported values: + +- false - No traffic to fs.microsoft.com and only locally-installed fonts are available. +- true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them. + +

This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled). + +

This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content. + +> [!Note] +> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service. + +

To verify if System/AllowFontProviders is set to true: + +- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com. + + + + +**System/AllowLocation** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether to allow app access to the Location service. + +

The following list shows the supported values: + +- 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search. +- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off. +- 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed. + +

Most restricted value is 0. + +

While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy. + +

When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting. + +

For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off. + + + + +**System/AllowStorageCard** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. + +

The following list shows the supported values: + +- 0 – SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card. +- 1 (default) – Allow a storage card. + +

Most restricted value is 0. + + + + +**System/AllowTelemetry** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Allow the device to send diagnostic and usage telemetry data, such as Watson. + +

The following tables describe the supported values: + + +++ + + + + + + + + + + + + + + + + +
Windows 8.1 Values

0 – Not allowed.

+

1 – Allowed, except for Secondary Data Requests.

2 (default) – Allowed.

+ + + +++ + + + + + + + + + + + + + + + + + + + +
Windows 10 Values

0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.

+
+Note  This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. +
+

1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level.

2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels.

3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.

+ + +> [!IMPORTANT] +> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1. + + +

Most restricted value is 0. + + + + +**System/AllowUserToResetPhone** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed to reset to factory default settings. + +

Most restricted value is 0. + + + + +**System/BootStartDriverInitialization** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +N/A + + + +ADMX Info: +- GP name: *POL_DriverLoadPolicy_Name* +- GP ADMX file name: *earlylauncham.admx* + + + + +**System/DisableOneDriveFileSync** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: + +* Users cannot access OneDrive from the OneDrive app or file picker. +* Windows Store apps cannot access OneDrive using the WinRT API. +* OneDrive does not appear in the navigation pane in File Explorer. +* OneDrive files are not kept in sync with the cloud. +* Users cannot automatically upload photos and videos from the camera roll folder. + +

If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. + +

The following list shows the supported values: + +- 0 (default) – False (sync enabled). +- 1 – True (sync disabled). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Restart machine. +3. Verify that OneDrive.exe is not running in Task Manager. + + + + +**System/DisableSystemRestore** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +Allows you to disable System Restore. + +This policy setting allows you to turn off System Restore. + +System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. + +If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. + +If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection. + +Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. + + + +ADMX Info: +- GP english name: *Turn off System Restore* +- GP name: *SR_DisableSR* +- GP ADMX file name: *systemrestore.admx* + + + + +**System/TelemetryProxy** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. + +

If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## System policies that can be set using Exchange Active Sync (EAS) + +- [System/AllowStorageCard](#system-allowstoragecard) +- [System/TelemetryProxy](#system-telemetryproxy) + + + +## System policies supported by Windows Holographic for Business + +- [System/AllowFontProviders](#system-allowfontproviders) +- [System/AllowLocation](#system-allowlocation) +- [System/AllowTelemetry](#system-allowtelemetry) + + + +## System policies supported by IoT Core + +- [System/AllowEmbeddedMode](#system-allowembeddedmode) +- [System/AllowFontProviders](#system-allowfontproviders) +- [System/AllowStorageCard](#system-allowstoragecard) +- [System/TelemetryProxy](#system-telemetryproxy) + + + +## System policies supported by Microsoft Surface Hub + +- [System/AllowFontProviders](#system-allowfontproviders) +- [System/AllowLocation](#system-allowlocation) +- [System/AllowTelemetry](#system-allowtelemetry) + + diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md new file mode 100644 index 0000000000..3baa9bb071 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -0,0 +1,580 @@ +--- +title: Policy CSP - TextInput +description: Policy CSP - TextInput +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - TextInput + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## TextInput policies + + +**TextInput/AllowIMELogging** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**TextInput/AllowIMENetworkAccess** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**TextInput/AllowInputPanel** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows the IT admin to disable the touch/handwriting keyboard on Windows. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**TextInput/AllowJapaneseIMESurrogatePairCharacters** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows the Japanese IME surrogate pair characters. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**TextInput/AllowJapaneseIVSCharacters** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows Japanese Ideographic Variation Sequence (IVS) characters. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**TextInput/AllowJapaneseNonPublishingStandardGlyph** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows the Japanese non-publishing standard glyph. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**TextInput/AllowJapaneseUserDictionary** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows the Japanese user dictionary. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**TextInput/AllowKeyboardTextSuggestions** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + +

Added in Windows 10, version 1703. Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled. + +

The following list shows the supported values: + +- 0 – Disabled. +- 1 (default) – Enabled. + +

Most restricted value is 0. + +

To validate that text prediction is disabled on Windows 10 for desktop, do the following: + +1. Search for and launch the on-screen keyboard. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Use Text Prediction” setting is enabled from the options button. +2. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app. +3. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool. + + + + +**TextInput/AllowKoreanExtendedHanja** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +

This policy has been deprecated. + + + + +**TextInput/AllowLanguageFeaturesUninstall** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows the uninstall of language features, such as spell checkers, on a device. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**TextInput/ExcludeJapaneseIMEExceptJIS0208** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows the users to restrict character code range of conversion by setting the character filter. + +

The following list shows the supported values: + +- 0 (default) – No characters are filtered. +- 1 – All characters except JIS0208 are filtered. + + + + +**TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows the users to restrict character code range of conversion by setting the character filter. + +

The following list shows the supported values: + +- 0 (default) – No characters are filtered. +- 1 – All characters except JIS0208 and EUDC are filtered. + + + + +**TextInput/ExcludeJapaneseIMEExceptShiftJIS** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows the users to restrict character code range of conversion by setting the character filter. + +

The following list shows the supported values: + +- 0 (default) – No characters are filtered. +- 1 – All characters except ShiftJIS are filtered. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## TextInput policies supported by Microsoft Surface Hub + +- [TextInput/AllowIMELogging](#textinput-allowimelogging) +- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess) +- [TextInput/AllowInputPanel](#textinput-allowinputpanel) +- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters) +- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters) +- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph) +- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary) +- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall) +- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208) +- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc) +- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis) + + diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md new file mode 100644 index 0000000000..c3bcd16106 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -0,0 +1,74 @@ +--- +title: Policy CSP - TimeLanguageSettings +description: Policy CSP - TimeLanguageSettings +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - TimeLanguageSettings + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## TimeLanguageSettings policies + + +**TimeLanguageSettings/AllowSet24HourClock** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcross markcheck mark2check mark2
+ + + +

Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting. + +

The following list shows the supported values: + +- 0 – Locale default setting. +- 1 (default) – Set 24 hour clock. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## TimeLanguageSettings policies supported by Microsoft Surface Hub + +- [TimeLanguageSettings/Set24HourClock](#None) +- [TimeLanguageSettings/SetCountry](#None) +- [TimeLanguageSettings/SetLanguage](#None) + + diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md new file mode 100644 index 0000000000..eb5110a19b --- /dev/null +++ b/windows/client-management/mdm/policy-csp-update.md @@ -0,0 +1,1886 @@ +--- +title: Policy CSP - Update +description: Policy CSP - Update +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Update + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Update policies + + +**Update/ActiveHoursEnd** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcheck mark1
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. + +> [!NOTE] +> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. + +

Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. + +

The default is 17 (5 PM). + + + + +**Update/ActiveHoursMaxRange** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. + +

Supported values are 8-18. + +

The default value is 18 (hours). + + + + +**Update/ActiveHoursStart** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcheck mark1
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. + +> [!NOTE] +> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. + +

Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. + +

The default value is 8 (8 AM). + + + + +**Update/AllowAutoUpdate** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcheck mark
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Enables the IT admin to manage automatic update behavior to scan, download, and install updates. + +

Supported operations are Get and Replace. + +

The following list shows the supported values: + +- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. +- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. +- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. +- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. +- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. +- 5 – Turn off automatic updates. + +> [!IMPORTANT] +> This option should be used only for systems under regulatory compliance, as you will not get security updates as well. +  + +

If the policy is not configured, end-users get the default behavior (Auto install and restart). + + + + +**Update/AllowMUUpdateService** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education + + +

Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. + +

The following list shows the supported values: + +- 0 – Not allowed or not configured. +- 1 – Allowed. Accepts updates received through Microsoft Update. + + + + +**Update/AllowNonMicrosoftSignedUpdate** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcheck mark
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. + +

Supported operations are Get and Replace. + +

The following list shows the supported values: + +- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. +- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. + +

This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. + + + + +**Update/AllowUpdateService** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcheck mark
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store. + +

Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store + +

Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working. + +

The following list shows the supported values: + +- 0 – Update service is not allowed. +- 1 (default) – Update service is allowed. + +> [!NOTE] +> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. + + + + +**Update/AutoRestartDeadlinePeriodInDays** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcheck mark2
+ + + +

Added in Windows 10, version 1703. This policy defines the deadline in days after which a reboot for updates will become mandatory. + +

Supported values are 2-30 days. + +

The default value is 7 days. + + + + +**Update/AutoRestartNotificationSchedule** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. + +

Supported values are 15, 30, 60, 120, and 240 (minutes). + +

The default value is 15 (minutes). + + + + +**Update/AutoRestartRequiredNotificationDismissal** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. + +

The following list shows the supported values: + +- 1 (default) – Auto Dismissal. +- 2 – User Dismissal. + + + + +**Update/BranchReadinessLevel** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcheck mark1
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. + +

The following list shows the supported values: + +- 16 (default) – User gets all applicable upgrades from Current Branch (CB). +- 32 – User gets upgrades from Current Branch for Business (CBB). + + + + +**Update/DeferFeatureUpdatesPeriodInDays** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. +

Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + +

Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. + +

Supported values are 0-365 days. + +> [!IMPORTANT] +> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. + + + + +**Update/DeferQualityUpdatesPeriodInDays** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcheck mark1
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. + +

Supported values are 0-30. + + + + +**Update/DeferUpdatePeriod** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcheck mark
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. + + +

Allows IT Admins to specify update delays for up to 4 weeks. + +

Supported values are 0-4, which refers to the number of weeks to defer updates. + +

In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following: + +- Update/RequireDeferUpgrade must be set to 1 +- System/AllowTelemetry must be set to 1 or higher + +

If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +

If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Update categoryMaximum deferralDeferral incrementUpdate type/notes

OS upgrade

8 months

1 month

Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5

Update

1 month

1 week

+Note +If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. +
+
    +
  • Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
    • +
  • Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4
    • +
  • Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F
    • +
  • Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828
    • +
  • Tools - B4832BD8-E735-4761-8DAF-37F882276DAB
    • +
  • Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F
    • +
  • Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
    • +
  • Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
    • +

Other/cannot defer

No deferral

No deferral

Any update category not specifically enumerated above falls into this category.

+

Definition Update - E0789628-CE08-4437-BE74-2495B842F43B

+ + + + +**Update/DeferUpgradePeriod** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. +> +> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. +> +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. + + +

Allows IT Admins to specify additional upgrade delays for up to 8 months. + +

Supported values are 0-8, which refers to the number of months to defer upgrades. + +

If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +

If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + + + + +**Update/DetectionFrequency** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
+ + + +

Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. + + + + +**Update/EngagedRestartDeadline** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling). + +

Supported values are 2-30 days. + +

The default value is 0 days (not specified). + + + + +**Update/EngagedRestartSnoozeSchedule** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications. + +

Supported values are 1-3 days. + +

The default value is 3 days. + + + + +**Update/EngagedRestartTransitionSchedule** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. + +

Supported values are 2-30 days. + +

The default value is 7 days. + + + + +**Update/ExcludeWUDriversInQualityUpdate** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. +> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + +

Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. + +

The following list shows the supported values: + +- 0 (default) – Allow Windows Update drivers. +- 1 – Exclude Windows Update drivers. + + + + +**Update/FillEmptyContentUrls** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2cross markcheck mark2check mark2cross markcross mark
+ + + +

Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). + +> [!NOTE] +> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. + +

The following list shows the supported values: + +- 0 (default) – Disabled. +- 1 – Enabled. + + + + +**Update/IgnoreMOAppDownloadLimit** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
+ + + +

Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. + +> [!WARNING] +> Setting this policy might cause devices to incur costs from MO operators. + +

The following list shows the supported values: + +- 0 (default) – Do not ignore MO download limit for apps and their updates. +- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. + +

To validate this policy: + +1. Enable the policy ensure the device is on a cellular network. +2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: + - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f` + + - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""` + +3. Verify that any downloads that are above the download size limit will complete without being paused. + + + + +**Update/IgnoreMOUpdateDownloadLimit** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
+ + + +

Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. + +> [!WARNING] +> Setting this policy might cause devices to incur costs from MO operators. + +

The following list shows the supported values: + +- 0 (default) – Do not ignore MO download limit for OS updates. +- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. + +

To validate this policy: + +1. Enable the policy and ensure the device is on a cellular network. +2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: + - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""` + +3. Verify that any downloads that are above the download size limit will complete without being paused. + + + + +**Update/PauseDeferrals** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcheck mark
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. + + +

Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. + +

The following list shows the supported values: + +- 0 (default) – Deferrals are not paused. +- 1 – Deferrals are paused. + +

If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +

If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + + + + +**Update/PauseFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. +

Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + + +

Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. + +

The following list shows the supported values: + +- 0 (default) – Feature Updates are not paused. +- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. + + + + +**Update/PauseFeatureUpdatesStartTime** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcheck mark2
+ + + +

Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates. + +

Value type is string. Supported operations are Add, Get, Delete, and Replace. + + + + +**Update/PauseQualityUpdates** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcheck mark1
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + +

Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. + +

The following list shows the supported values: + +- 0 (default) – Quality Updates are not paused. +- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. + + + + +**Update/PauseQualityUpdatesStartTime** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcheck mark2
+ + + +

Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates. + +

Value type is string. Supported operations are Add, Get, Delete, and Replace. + + + + +**Update/RequireDeferUpgrade** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcheck mark
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. + + +

Allows the IT admin to set a device to CBB train. + +

The following list shows the supported values: + +- 0 (default) – User gets upgrades from Current Branch. +- 1 – User gets upgrades from Current Branch for Business. + + + + +**Update/RequireUpdateApproval** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcheck mark
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + +
+ +> [!NOTE] +> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. + + +

Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. + +

Supported operations are Get and Replace. + +

The following list shows the supported values: + +- 0 – Not configured. The device installs all applicable updates. +- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. + + + + +**Update/ScheduleImminentRestartWarning** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. + +

Supported values are 15, 30, or 60 (minutes). + +

The default value is 15 (minutes). + + + + +**Update/ScheduleRestartWarning** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications. + +

Supported values are 2, 4, 8, 12, or 24 (hours). + +

The default value is 4 (hours). + + + + +**Update/ScheduledInstallDay** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcheck mark
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Enables the IT admin to schedule the day of the update installation. + +

The data type is a integer. + +

Supported operations are Add, Delete, Get, and Replace. + +

The following list shows the supported values: + +- 0 (default) – Every day +- 1 – Sunday +- 2 – Monday +- 3 – Tuesday +- 4 – Wednesday +- 5 – Thursday +- 6 – Friday +- 7 – Saturday + + + + +**Update/ScheduledInstallEveryWeek** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
+ + + +

Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values: +

    +
  • 0 - no update in the schedule
    • +
  • 1 - update is scheduled every week
    • +
+ + + + +**Update/ScheduledInstallFirstWeek** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
+ + + +

Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values: +

    +
  • 0 - no update in the schedule
    • +
  • 1 - update is scheduled every first week of the month
    • +
+ + + + +**Update/ScheduledInstallFourthWeek** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
+ + + +

Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values: +

    +
  • 0 - no update in the schedule
    • +
  • 1 - update is scheduled every fourth week of the month
    • +
+ + + + +**Update/ScheduledInstallSecondWeek** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
+ + + +

Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values: +

    +
  • 0 - no update in the schedule
    • +
  • 1 - update is scheduled every second week of the month
    • +
+ + + + +**Update/ScheduledInstallThirdWeek** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
+ + + +

Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values: +

    +
  • 0 - no update in the schedule
    • +
  • 1 - update is scheduled every third week of the month
    • +
+ + + + +**Update/ScheduledInstallTime** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcheck mark
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Enables the IT admin to schedule the time of the update installation. + +

The data type is a integer. + +

Supported operations are Add, Delete, Get, and Replace. + +

Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. + +

The default value is 3. + + + + +**Update/SetAutoRestartNotificationDisable** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcheck mark2
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations. + +

The following list shows the supported values: + +- 0 (default) – Enabled +- 1 – Disabled + + + + +**Update/SetEDURestart** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
+ + + +

Added in Windows 10, version 1703. For devices in a cart, this policy skips the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. + +

The following list shows the supported values: + +- 0 - not configured +- 1 - configured + + + + +**Update/UpdateServiceUrl** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcheck mark
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + +> [!Important] +> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile. + +

Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet. + +

Supported operations are Get and Replace. + +

The following list shows the supported values: + +- Not configured. The device checks for updates from Microsoft Update. +- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL. + +Example + +``` syntax + + $CmdID$ + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl + + http://abcd-srv:8530 + + +``` + + + + +**Update/UpdateServiceUrlAlternate** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +> **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. + +

Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. + +

This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. + +

To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. + +

Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. + +> [!Note] +> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. +> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates. +> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## Update policies supported by Windows Holographic for Business + +- [Update/AllowAutoUpdate](#update-allowautoupdate) +- [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) +- [Update/RequireUpdateApproval](#update-requireupdateapproval) +- [Update/UpdateServiceUrl](#update-updateserviceurl) + + + +## Update policies supported by IoT Core + +- [Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate) +- [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/PauseDeferrals](#update-pausedeferrals) +- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) +- [Update/RequireUpdateApproval](#update-requireupdateapproval) +- [Update/ScheduledInstallDay](#update-scheduledinstallday) +- [Update/ScheduledInstallTime](#update-scheduledinstalltime) +- [Update/UpdateServiceUrl](#update-updateserviceurl) + + + +## Update policies supported by Microsoft Surface Hub + +- [Update/AllowAutoUpdate](#update-allowautoupdate) +- [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule) +- [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal) +- [Update/BranchReadinessLevel](#update-branchreadinesslevel) +- [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays) +- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays) +- [Update/DetectionFrequency](#update-detectionfrequency) +- [Update/PauseFeatureUpdates](#update-pausefeatureupdates) +- [Update/PauseQualityUpdates](#update-pausequalityupdates) +- [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning) +- [Update/ScheduleRestartWarning](#update-schedulerestartwarning) +- [Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable) +- [Update/UpdateServiceUrl](#update-updateserviceurl) +- [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate) + + diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md new file mode 100644 index 0000000000..61525f5b57 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -0,0 +1,309 @@ +--- +title: Policy CSP - Wifi +description: Policy CSP - Wifi +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - Wifi + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## Wifi policies + + +**WiFi/AllowWiFiHotSpotReporting** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +

This policy has been deprecated. + + + + +**Wifi/AllowAutoConnectToWiFiSenseHotspots** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Allow or disallow the device to automatically connect to Wi-Fi hotspots. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + +**Wifi/AllowInternetSharing** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Allow or disallow internet sharing. + +

The following list shows the supported values: + +- 0 – Do not allow the use of Internet Sharing. +- 1 (default) – Allow the use of Internet Sharing. + +

Most restricted value is 0. + + + + +**Wifi/AllowManualWiFiConfiguration** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1check markcheck mark
+ + + +

Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. + +

The following list shows the supported values: + +- 0 – No Wi-Fi connection outside of MDM provisioned network is allowed. +- 1 (default) – Adding new network SSIDs beyond the already MDM provisioned ones is allowed. + +

Most restricted value is 0. + +> [!NOTE] +> Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted. + + + + +**Wifi/AllowWiFi** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1check markcheck mark
+ + + +

Allow or disallow WiFi connection. + +

The following list shows the supported values: + +- 0 – WiFi connection is not allowed. +- 1 (default) – WiFi connection is allowed. + +

Most restricted value is 0. + + + + +**Wifi/AllowWiFiDirect** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. Allow WiFi Direct connection.. + +- 0 - WiFi Direct connection is not allowed. +- 1 - WiFi Direct connection is allowed. + + + + +**Wifi/WLANScanMode** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + +

Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. + +

Supported values are 0-500, where 100 = normal scan frequency and 500 = low scan frequency. + +

The default value is 0. + +

Supported operations are Add, Delete, Get, and Replace. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## Wifi policies that can be set using Exchange Active Sync (EAS) + +- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing) +- [Wifi/AllowWiFi](#wifi-allowwifi) + + + +## Wifi policies supported by IoT Core + +- [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots) +- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing) +- [Wifi/AllowWiFi](#wifi-allowwifi) +- [Wifi/WLANScanMode](#wifi-wlanscanmode) + + + +## Wifi policies supported by Microsoft Surface Hub + +- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting) + + diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md new file mode 100644 index 0000000000..edce18a72e --- /dev/null +++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md @@ -0,0 +1,103 @@ +--- +title: Policy CSP - WindowsInkWorkspace +description: Policy CSP - WindowsInkWorkspace +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - WindowsInkWorkspace + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## WindowsInkWorkspace policies + + +**WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +

Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace. + +

Value type is bool. The following list shows the supported values: + +- 0 - app suggestions are not allowed. +- 1 (default) -allow app suggestions. + + + + +**WindowsInkWorkspace/AllowWindowsInkWorkspace** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +

Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace. + +

Value type is int. The following list shows the supported values: + +- 0 - access to ink workspace is disabled. The feature is turned off. +- 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen. +- 2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md new file mode 100644 index 0000000000..29b2de31e3 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -0,0 +1,155 @@ +--- +title: Policy CSP - WindowsLogon +description: Policy CSP - WindowsLogon +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - WindowsLogon + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## WindowsLogon policies + + +**WindowsLogon/DisableLockScreenAppNotifications** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +This policy setting allows you to prevent app notifications from appearing on the lock screen. + +If you enable this policy setting, no app notifications are displayed on the lock screen. + +If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen. + + + +ADMX Info: +- GP english name: *Turn off app notifications on the lock screen* +- GP name: *DisableLockScreenAppNotifications* +- GP ADMX file name: *logon.admx* + + + + +**WindowsLogon/DontDisplayNetworkSelectionUI** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. + +If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows. + +If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. + + + +ADMX Info: +- GP english name: *Do not display network selection UI* +- GP name: *DontDisplayNetworkSelectionUI* +- GP ADMX file name: *logon.admx* + + + + +**WindowsLogon/HideFastUserSwitching** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2cross markcross mark
+ + + +

Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. + +

Value type is bool. The following list shows the supported values: + +- 0 (default) - Diabled (visible). +- 1 - Enabled (hidden). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Verify that the Switch account button in Start is hidden. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md new file mode 100644 index 0000000000..ab4b3cb9d6 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -0,0 +1,239 @@ +--- +title: Policy CSP - WirelessDisplay +description: Policy CSP - WirelessDisplay +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - WirelessDisplay + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ +## WirelessDisplay policies + + +**WirelessDisplay/AllowProjectionFromPC** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC. + +- 0 - your PC cannot discover or project to other devices. +- 1 - your PC can discover and project to other devices + + + + +**WirelessDisplay/AllowProjectionFromPCOverInfrastructure** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure. + +- 0 - your PC cannot discover or project to other infrastructure devices, although it is possible to discover and project over WiFi Direct. +- 1 - your PC can discover and project to other devices over infrastructure. + + + + +**WirelessDisplay/AllowProjectionToPC** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +

Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC. + +

If you set it to 0 (zero), your PC is not discoverable and you cannot project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. + +

Value type is integer. Valid value: + +- 0 - projection to PC is not allowed. Always off and the user cannot enable it. +- 1 (default) - projection to PC is allowed. Enabled only above the lock screen. + + + + +**WirelessDisplay/AllowProjectionToPCOverInfrastructure** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure. + +- 0 - your PC is not discoverable and other devices cannot project to it over infrastructure, although it is possible to project to it over WiFi Direct. +- 1 - your PC is discoverable and other devices can project to it over infrastructure. + + + + +**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +

Added in Windows 10, version 1703. + + + + +**WirelessDisplay/RequirePinForPairing** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + +

Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing. + +

If you turn this on, the pairing ceremony for new devices will always require a PIN. If you turn this off or do not configure it, a PIN is not required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. + +

Value type is integer. Valid value: + +- 0 (default) - PIN is not required. +- 1 - PIN is required. + + + +

+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + +