Root node for the Firewall configuration service provider.
+ +**MdmStore** +Interior node.
+Supported operation is Get.
+ +**MdmStore/Global** +Interior node.
+Supported operations are Get and Replace.
+ +**MdmStore/Global/PolicyVersionSupported** +DWORD value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.
+Value type in integer. Supported operation is Get.
+ +**MdmStore/Global/CurrentProfiles** +DWORD value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.
+Value type in integer. Supported operation is Get.
+ +**MdmStore/Global/DisableStatefulFtp** +This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win.
+Boolean value. Supported operations are Get and Replace.
+ +**MdmStore/Global/SaIdleTime** +This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.<
+Value type is integer. Supported operations are Get and Replace.
+ +**MdmStore/Global/TPresharedKeyEncodingBD** +Specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+Value type is integer. Supported operations are Get and Replace.
+ +**MdmStore/Global/IPsecExempt** +This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+Value type is integer. Supported operations are Get and Replace.
+ +**MdmStore/Global/CRLcheck** +This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+Value type is integer. Supported operations are Get and Replace.
+ +**MdmStore/Global/PolicyVersion** +This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.
+Value type is string. Supported operation is Get.
+ +**MdmStore/Global/BinaryVersionSupported** +This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.
+Value type is string. Supported operation is Get.
+ +**MdmStore/Global/OpportunisticallyMatchAuthSetPerKM** +This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
+Boolean value. Supported operations are Get and Replace.
+ +**MdmStore/Global/EnablePacketQueue** +This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding.
+Value type is integer. Supported operations are Get and Replace.
+ +**MdmStore/DomainProfile** +Interior node. Supported operation is Get.
+ +**MdmStore/PrivateProfile** +Interior node. Supported operation is Get.
+ +**MdmStore/PublicProfile** +Interior node. Supported operation is Get.
+ +**/EnableFirewall** +This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Value type is integer. Supported operations are Get and Replace.
+ +**/DisableStealthMode** +This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Value type is integer. Supported operations are Get and Replace.
+ +**/Shielded** +This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.
+Value type is integer. Supported operations are Get and Replace.
+ +**/DisableUnicastResponsesToMulticastBroadcast** +This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Value type is integer. Supported operations are Get and Replace.
+ +**/DisableInboundNotifications** +This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Value type is integer. Supported operations are Get and Replace.
+ +**/AuthAppsAllowUserPrefMerge** +This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Value type is integer. Supported operations are Get and Replace.
+ +**/GlobalPortsAllowUserPrefMerge** +This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Value type is integer. Supported operations are Get and Replace.
+ +**/AllowLocalPolicyMerge** +This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
+Value type is integer. Supported operations are Get and Replace.
+ +**/AllowLocalIpsecPolicyMerge** +This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.
+Value type is integer. Supported operations are Get and Replace.
+ +**/DefaultOutboundAction** +This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Value type is integer. Supported operations are Get and Replace.
+ +**/DefaultInboundAction** +This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.
+Value type is integer. Supported operations are Get and Replace.
+ +**/DisableStealthModeIpsecSecuredPacketExemption** +This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
+Value type is integer. Supported operations are Get and Replace.
+ +**FirewallRules** +A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.
+ +**FirewallRules/_FirewallRuleName_** +Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).
+ +**FirewallRules/_FirewallRuleName_/App** +Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:
+-
+
- PackageFamilyName +
- FilePath +
- FQBN +
- ServiceName +
Supported operation is Get.
+ +**FirewallRules/_FirewallRuleName_/App/PackageFamilyName** +This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Windows Store application.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+ +**FirewallRules/_FirewallRuleName_/App/FilePath** +This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+ +**FirewallRules/_FirewallRuleName_/App/Fqbn** +Fully Qualified Binary Name
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+ +**FirewallRules/_FirewallRuleName_/App/ServiceName** +This is a service name used in cases when a service, not an application, is sending or receiving traffic.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+ +**FirewallRules/_FirewallRuleName_/Protocol** +0-255 number representing the ip protocol (TCP = 6, UDP = 17)
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+ +**FirewallRules/_FirewallRuleName_/LocalPortRanges** +Comma separated list of ranges. For example, 100-120,200,300-320.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+ +**FirewallRules/_FirewallRuleName_/RemotePortRanges** +Comma separated list of ranges, For example, 100-120,200,300-320.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+ +**FirewallRules/_FirewallRuleName_/LocalAddressRanges** +Comma separated list of local addresses covered by the rule. The default value is "\*". Valid tokens include:
+-
+
- "\*" indicates any local address. If present, this must be the only token included. +
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. +
- A valid IPv6 address. +
- An IPv4 address range in the format of "start address - end address" with no spaces included. +
- An IPv6 address range in the format of "start address - end address" with no spaces included. +
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+ +**FirewallRules/_FirewallRuleName_/RemoteAddressRanges** +List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "\*". Valid tokens include:
+-
+
- "\*" indicates any remote address. If present, this must be the only token included. +
- "Defaultgateway" +
- "DHCP" +
- "DNS" +
- "WINS" +
- "Intranet" +
- "RemoteCorpNetwork" +
- "Internet" +
- "PlayToRenderers" +
- "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive. +
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. +
- A valid IPv6 address. +
- An IPv4 address range in the format of "start address - end address" with no spaces included. +
- An IPv6 address range in the format of "start address - end address" with no spaces included. +
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+ +**FirewallRules/_FirewallRuleName_/Description** +Specifies the description of the rule.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+ +**FirewallRules/_FirewallRuleName_/Enabled** +Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. +If not specified - a new rule is disabled by default.
+Boolean value. Supported operations are Add, Get, Replace, and Delete.
+ +**FirewallRules/_FirewallRuleName_/Action** +Specifies the action for the rule.
+Supported operation is Get.
+ +**FirewallRules/_FirewallRuleName_/Action/Type** +Specifies the action the rule enforces. Supported values:
+-
+
- 0 - Block +
- 1 - Allow +
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+ +**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes** +List of ICMP types and codes separated by semicolon. "\*" indicates all ICMP types and codes.<
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+ +**FirewallRules/_FirewallRuleName_/LocalUserAuthorizedList** +Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+ +**FirewallRules/_FirewallRuleName_/FriendlyName** +Specifies the friendly name of the rule. The string must not contain the "|" character.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+ +**FirewallRules/_FirewallRuleName_/Name** +Name of the rule.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
diff --git a/windows/client-management/mdm/images/provisioning-csp-firewall.png b/windows/client-management/mdm/images/provisioning-csp-firewall.png new file mode 100644 index 0000000000..a2cb0ecde8 Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-firewall.png differ diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 01c9aace26..f0f271a8e3 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1216,7 +1216,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardwareAdded following deep link parameters to the table:
-
@@ -1228,6 +1228,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
- Ownership
Added new CSP in the next major update to Windows 10.
+Updated the following topics to indicate MDM support in Windows 10 S.
diff --git a/windows/client-management/mdm/policy-admx-backed.md b/windows/client-management/mdm/policy-admx-backed.md deleted file mode 100644 index 643af44e7a..0000000000 --- a/windows/client-management/mdm/policy-admx-backed.md +++ /dev/null @@ -1,4032 +0,0 @@ ---- -title: Policy CSP - ADMX-backed policies -description: Policy CSP - ADMX-backed policies -ms.assetid: 4F3A1134-D401-44FC-A583-6EDD3070BA4F -ms.author: maricia -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: nickbrower ---- - -# Policy CSP - ADMX-backed policies - -The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies. This reference topic targets only policies which are backed by ADMX. To understand the difference between traditional MDM and ADMX-backed policies please see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). - -## Table of ADMX-backed policies for Windows 10, version 1703. - -> [!IMPORTANT] -> To navigate the table horizontally, click on the table and then use the left and right scroll keys on your keyboard or use the scroll bar at the bottom of the table. - - -| MDM CSP setting path/name | -GP english name | -GP english category path | -GP name | -GP ADMX file name | -
|---|---|---|---|---|
| ActiveXControls/ApprovedInstallationSites | -Approved Installation Sites for ActiveX Controls | -Windows Components/ActiveX Installer Service | -ApprovedActiveXInstallSites | -ActiveXInstallService.admx | -
| AppVirtualization/AllowAppVClient | -Enable App-V Client | -System/App-V | -EnableAppV | -appv.admx | -
| AppVirtualization/AllowDynamicVirtualization | -Enable Dynamic Virtualization | -System/App-V/Virtualization | -Virtualization_JITVEnable | -appv.admx | -
| AppVirtualization/AllowPackageCleanup | -Enable automatic cleanup of unused appv packages | -System/App-V/Package Management | -PackageManagement_AutoCleanupEnable | -appv.admx | -
| AppVirtualization/AllowPackageScripts | -Enable Package Scripts | -System/App-V/Scripting | -Scripting_Enable_Package_Scripts | -appv.admx | -
| AppVirtualization/AllowPublishingRefreshUX | -Enable Publishing Refresh UX | -System/App-V/Publishing | -Enable_Publishing_Refresh_UX | -appv.admx | -
| AppVirtualization/AllowReportingServer | -Reporting Server | -System/App-V/Reporting | -Reporting_Server_Policy | -appv.admx | -
| AppVirtualization/AllowRoamingFileExclusions | -Roaming File Exclusions | -System/App-V/Integration | -Integration_Roaming_File_Exclusions | -appv.admx | -
| AppVirtualization/AllowRoamingRegistryExclusions | -Roaming Registry Exclusions | -System/App-V/Integration | -Integration_Roaming_Registry_Exclusions | -appv.admx | -
| AppVirtualization/AllowStreamingAutoload | -Specify what to load in background (aka AutoLoad) | -System/App-V/Streaming | -Steaming_Autoload | -appv.admx | -
| AppVirtualization/ClientCoexistenceAllowMigrationmode | -Enable Migration Mode | -System/App-V/Client Coexistence | -Client_Coexistence_Enable_Migration_mode | -appv.admx | -
| AppVirtualization/IntegrationAllowRootGlobal | -Integration Root User | -System/App-V/Integration | -Integration_Root_User | -appv.admx | -
| AppVirtualization/IntegrationAllowRootUser | -Integration Root Global | -System/App-V/Integration | -Integration_Root_Global | -appv.admx | -
| AppVirtualization/PublishingAllowServer1 | -Publishing Server 1 Settings | -System/App-V/Publishing | -Publishing_Server1_Policy | -appv.admx | -
| AppVirtualization/PublishingAllowServer2 | -Publishing Server 2 Settings | -System/App-V/Publishing | -Publishing_Server2_Policy | -appv.admx | -
| AppVirtualization/PublishingAllowServer3 | -Publishing Server 3 Settings | -System/App-V/Publishing | -Publishing_Server3_Policy | -appv.admx | -
| AppVirtualization/PublishingAllowServer4 | -Publishing Server 4 Settings | -System/App-V/Publishing | -Publishing_Server4_Policy | -appv.admx | -
| AppVirtualization/PublishingAllowServer5 | -Publishing Server 5 Settings | -System/App-V/Publishing | -Publishing_Server5_Policy | -appv.admx | -
| AppVirtualization/StreamingAllowCertificateFilterForClient_SSL | -Certificate Filter For Client SSL | -System/App-V/Streaming | -Streaming_Certificate_Filter_For_Client_SSL | -appv.admx | -
| AppVirtualization/StreamingAllowHighCostLaunch | -Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection | -System/App-V/Streaming | -Streaming_Allow_High_Cost_Launch | -appv.admx | -
| AppVirtualization/StreamingAllowLocationProvider | -Location Provider | -System/App-V/Streaming | -Streaming_Location_Provider | -appv.admx | -
| AppVirtualization/StreamingAllowPackageInstallationRoot | -Package Installation Root | -System/App-V/Streaming | -Streaming_Package_Installation_Root | -appv.admx | -
| AppVirtualization/StreamingAllowPackageSourceRoot | -Package Source Root | -System/App-V/Streaming | -Streaming_Package_Source_Root | -appv.admx | -
| AppVirtualization/StreamingAllowReestablishmentInterval | -Reestablishment Interval | -System/App-V/Streaming | -Streaming_Reestablishment_Interval | -appv.admx | -
| AppVirtualization/StreamingAllowReestablishmentRetries | -Reestablishment Retries | -System/App-V/Streaming | -Streaming_Reestablishment_Retries | -appv.admx | -
| AppVirtualization/StreamingSharedContentStoreMode | -Shared Content Store (SCS) mode | -System/App-V/Streaming | -Streaming_Shared_Content_Store_Mode | -appv.admx | -
| AppVirtualization/StreamingSupportBranchCache | -Enable Support for BranchCache | -System/App-V/Streaming | -Streaming_Support_Branch_Cache | -appv.admx | -
| AppVirtualization/StreamingVerifyCertificateRevocationList | -Verify certificate revocation list | -System/App-V/Streaming | -Streaming_Verify_Certificate_Revocation_List | -appv.admx | -
| AppVirtualization/VirtualComponentsAllowList | -Virtual Component Process Allow List | -System/App-V/Virtualization | -Virtualization_JITVAllowList | -appv.admx | -
| AttachmentManager/DoNotPreserveZoneInformation | -Do not preserve zone information in file attachments | -Windows Components/Attachment Manager | -AM_MarkZoneOnSavedAtttachments | -AttachmentManager.admx | -
| AttachmentManager/HideZoneInfoMechanism | -Hide mechanisms to remove zone information | -Windows Components/Attachment Manager | -AM_RemoveZoneInfo | -AttachmentManager.admx | -
| AttachmentManager/NotifyAntivirusPrograms | -Notify antivirus programs when opening attachments | -Windows Components/Attachment Manager | -AM_CallIOfficeAntiVirus | -AttachmentManager.admx | -
| Autoplay/DisallowAutoplayForNonVolumeDevices | -Disallow Autoplay for non-volume devices | -Windows Components/AutoPlay Policies | -NoAutoplayfornonVolume | -AutoPlay.admx | -
| Autoplay/SetDefaultAutoRunBehavior | -Set the default behavior for AutoRun | -Windows Components/AutoPlay Policies | -NoAutorun | -AutoPlay.admx | -
| Autoplay/TurnOffAutoPlay | -Turn off Autoplay | -Windows Components/AutoPlay Policies | -Autorun | -AutoPlay.admx | -
| Connectivity/HardenedUNCPaths | -Hardened UNC Paths | -Network/Network Provider | -Pol_HardenedPaths | -networkprovider.admx | -
| CredentialProviders/AllowPINLogon | -Turn on convenience PIN sign-in | -System/Logon | -AllowDomainPINLogon | -credentialproviders.admx | -
| CredentialProviders/BlockPicturePassword | -Turn off picture password sign-in | -System/Logon | -BlockDomainPicturePassword | -credentialproviders.admx | -
| CredentialsUI/DisablePasswordReveal | -Do not display the password reveal button | -Windows Components/Credential User Interface | -DisablePasswordReveal | -credui.admx | -
| CredentialsUI/EnumerateAdministrators | -Enumerate administrator accounts on elevation | -Windows Components/Credential User Interface | -EnumerateAdministrators | -credui.admx | -
| DataUsage/SetCost3G | -Set 3G Cost | -Network/WWAN Service/WWAN Media Cost | -SetCost3G | -wwansvc.admx | -
| DataUsage/SetCost4G | -Set 4G Cost | -Network/WWAN Service/WWAN Media Cost | -SetCost4G | -wwansvc.admx | -
| Desktop/PreventUserRedirectionOfProfileFolders | -- | - | - | desktop.admx | -
| DeviceInstallation/PreventInstallationOfMatchingDeviceIDs | -Prevent installation of devices that match any of these device IDs | -System/Device Installation/Device Installation Restrictions | -DeviceInstall_IDs_Deny | -deviceinstallation.admx | -
| DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses | -Prevent installation of devices using drivers that match these device setup classes | -System/Device Installation/Device Installation Restrictions | -DeviceInstall_Classes_Deny | -deviceinstallation.admx | -
| DeviceLock/PreventLockScreenSlideShow | -- | - | - | ControlPanelDisplay.admx | -
| ErrorReporting/CustomizeConsentSettings | -Customize consent settings | -Windows Components/Windows Error Reporting/Consent | -WerConsentCustomize_2 | -ErrorReporting.admx | -
| ErrorReporting/DisableWindowsErrorReporting | -Disable Windows Error Reporting | -Windows Components/Windows Error Reporting | -WerDisable_2 | -ErrorReporting.admx | -
| ErrorReporting/DisplayErrorNotification | -Display Error Notification | -Windows Components/Windows Error Reporting | -PCH_ShowUI | -ErrorReporting.admx | -
| ErrorReporting/DoNotSendAdditionalData | -Do not send additional data | -Windows Components/Windows Error Reporting | -WerNoSecondLevelData_2 | -ErrorReporting.admx | -
| ErrorReporting/PreventCriticalErrorDisplay | -Prevent display of the user interface for critical errors | -Windows Components/Windows Error Reporting | -WerDoNotShowUI | -ErrorReporting.admx | -
| EventLogService/ControlEventLogBehavior | -Control Event Log behavior when the log file reaches its maximum size | -Windows Components/Event Log Service/Application | -Channel_Log_Retention_1 | -eventlog.admx | -
| EventLogService/SpecifyMaximumFileSizeApplicationLog | -Specify the maximum log file size (KB) | -Windows Components/Event Log Service/Application | -Channel_LogMaxSize_1 | -eventlog.admx | -
| EventLogService/SpecifyMaximumFileSizeSecurityLog | -Specify the maximum log file size (KB) | -Windows Components/Event Log Service/Security | -Channel_LogMaxSize_2 | -eventlog.admx | -
| EventLogService/SpecifyMaximumFileSizeSystemLog | -Specify the maximum log file size (KB) | -Windows Components/Event Log Service/System | -Channel_LogMaxSize_4 | -eventlog.admx | -
| InternetExplorer/AddSearchProvider | -Add a specific list of search providers to the user's list of search providers | -Windows Components/Internet Explorer | -AddSearchProvider | -inetres.admx | -
| InternetExplorer/AllowActiveXFiltering | -Turn on ActiveX Filtering | -Windows Components/Internet Explorer | -TurnOnActiveXFiltering | -inetres.admx | -
| InternetExplorer/AllowAddOnList | -Add-on List | -Windows Components/Internet Explorer/Security Features/Add-on Management | -AddonManagement_AddOnList | -inetres.admx | -
| InternetExplorer/AllowEnhancedProtectedMode | -Turn on Enhanced Protected Mode | -Windows Components/Internet Explorer/Internet Control Panel/Advanced Page | -Advanced_EnableEnhancedProtectedMode | -inetres.admx | -
| InternetExplorer/AllowEnterpriseModeFromToolsMenu | -Let users turn on and use Enterprise Mode from the Tools menu | -Windows Components/Internet Explorer | -EnterpriseModeEnable | -inetres.admx | -
| InternetExplorer/AllowEnterpriseModeSiteList | -Use the Enterprise Mode IE website list | -Windows Components/Internet Explorer | -EnterpriseModeSiteList | -inetres.admx | -
| InternetExplorer/AllowInternetExplorer7PolicyList | -Use Policy List of Internet Explorer 7 sites | -CompatView_UsePolicyList | -inetres.admx | -|
| InternetExplorer/AllowInternetExplorerStandardsMode | -Turn on Internet Explorer Standards Mode for local intranet | -Windows Components/Internet Explorer/Compatibility View | -CompatView_IntranetSites | -inetres.admx | -
| InternetExplorer/AllowInternetZoneTemplate | -Internet Zone Template | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_PolicyInternetZoneTemplate | -inetres.admx | -
| InternetExplorer/AllowIntranetZoneTemplate | -Intranet Zone Template | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_PolicyIntranetZoneTemplate | -inetres.admx | -
| InternetExplorer/AllowLocalMachineZoneTemplate | -Local Machine Zone Template | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_PolicyLocalMachineZoneTemplate | -inetres.admx | -
| InternetExplorer/AllowLockedDownInternetZoneTemplate | -Locked-Down Internet Zone Template | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_PolicyInternetZoneLockdownTemplate | -inetres.admx | -
| InternetExplorer/AllowLockedDownIntranetZoneTemplate | -Locked-Down Intranet Zone Template | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_PolicyIntranetZoneLockdownTemplate | -inetres.admx | -
| InternetExplorer/AllowLockedDownLocalMachineZoneTemplate | -Locked-Down Local Machine Zone Template | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_PolicyLocalMachineZoneLockdownTemplate | -inetres.admx | -
| InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate | -Locked-Down Restricted Sites Zone Template | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_PolicyRestrictedSitesZoneLockdownTemplate | -inetres.admx | -
| InternetExplorer/AllowOneWordEntry | -Go to an intranet site for a one-word entry in the Address bar | -Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing | -UseIntranetSiteForOneWordEntry | -inetres.admx | -
| InternetExplorer/AllowSiteToZoneAssignmentList | -Site to Zone Assignment List | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_Zonemaps | -inetres.admx | -
| InternetExplorer/AllowSuggestedSites | -Turn on Suggested Sites | -Windows Components/Internet Explorer | -EnableSuggestedSites | -inetres.admx | -
| InternetExplorer/AllowTrustedSitesZoneTemplate | -Trusted Sites Zone Template | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_PolicyTrustedSitesZoneTemplate | -inetres.admx | -
| InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate | -Locked-Down Trusted Sites Zone Template | -IZ_PolicyTrustedSitesZoneLockdownTemplate | -inetres.admx | -|
| InternetExplorer/AllowsRestrictedSitesZoneTemplate | -Restricted Sites Zone Template | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_PolicyRestrictedSitesZoneTemplate | -inetres.admx | -
| InternetExplorer/DisableAdobeFlash | -Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects | -Windows Components/Internet Explorer/Security Features/Add-on Management | -DisableFlashInIE | -inetres.admx | -
| InternetExplorer/DisableBypassOfSmartScreenWarnings | -- | - | - | inetres.admx | -
| InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles | -- | - | - | inetres.admx | -
| InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation | -Prevent participation in the Customer Experience Improvement Program | -Windows Components/Internet Explorer | -SQM_DisableCEIP | -inetres.admx | -
| InternetExplorer/DisableEnclosureDownloading | -Prevent downloading of enclosures | -Windows Components/RSS Feeds | -Disable_Downloading_of_Enclosures | -inetres.admx | -
| InternetExplorer/DisableEncryptionSupport | -Turn off encryption support | -Windows Components/Internet Explorer/Internet Control Panel/Advanced Page | -Advanced_SetWinInetProtocols | -inetres.admx | -
| InternetExplorer/DisableFirstRunWizard | -Prevent running First Run wizard | -Windows Components/Internet Explorer | -NoFirstRunCustomise | -inetres.admx | -
| InternetExplorer/DisableFlipAheadFeature | -Turn off the flip ahead with page prediction feature | -Windows Components/Internet Explorer/Internet Control Panel/Advanced Page | -Advanced_DisableFlipAhead | -inetres.admx | -
| InternetExplorer/DisableHomePageChange | -Disable changing home page settings | -Windows Components/Internet Explorer | -RestrictHomePage | -inetres.admx | -
| InternetExplorer/DisableProxyChange | -- | - | - | inetres.admx | -
| InternetExplorer/DisableSearchProviderChange | -Prevent changing the default search provider | -Windows Components/Internet Explorer | -NoSearchProvider | -inetres.admx | -
| InternetExplorer/DisableSecondaryHomePageChange | -Disable changing secondary home page settings | -Windows Components/Internet Explorer | -SecondaryHomePages | -inetres.admx | -
| InternetExplorer/DisableUpdateCheck | -- | - | - | inetres.admx | -
| InternetExplorer/DoNotAllowUsersToAddSites | -- | - | - | inetres.admx | -
| InternetExplorer/DoNotAllowUsersToChangePolicies | -- | - | - | inetres.admx | -
| InternetExplorer/DoNotBlockOutdatedActiveXControls | -Turn off blocking of outdated ActiveX controls for Internet Explorer | -Windows Components/Internet Explorer/Security Features/Add-on Management | -VerMgmtDisable | -inetres.admx | -
| InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains | -Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains | -Windows Components/Internet Explorer/Security Features/Add-on Management | -VerMgmtDomainAllowlist | -inetres.admx | -
| InternetExplorer/IncludeAllLocalSites | -Intranet Sites: Include all local (intranet) sites not listed in other zones | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_IncludeUnspecifiedLocalSites | -inetres.admx | -
| InternetExplorer/IncludeAllNetworkPaths | -Intranet Sites: Include all network paths (UNCs) | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_UNCAsIntranet | -inetres.admx | -
| InternetExplorer/InternetZoneAllowAccessToDataSources | -Access data sources across domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_PolicyAccessDataSourcesAcrossDomains_1 | -inetres.admx | -
| InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls | -Automatic prompting for ActiveX controls | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_PolicyNotificationBarActiveXURLaction_1 | -inetres.admx | -
| InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads | -Automatic prompting for file downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_PolicyNotificationBarDownloadURLaction_1 | -inetres.admx | -
| InternetExplorer/InternetZoneAllowFontDownloads | -Allow font downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_PolicyFontDownload_1 | -inetres.admx | -
| InternetExplorer/InternetZoneAllowLessPrivilegedSites | -Web sites in less privileged Web content zones can navigate into this zone | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_PolicyZoneElevationURLaction_1 | -inetres.admx | -
| InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents | -Run .NET Framework-reliant components not signed with Authenticode | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_PolicyUnsignedFrameworkComponentsURLaction_1 | -inetres.admx | -
| InternetExplorer/InternetZoneAllowScriptlets | -Allow scriptlets | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_Policy_AllowScriptlets_1 | -inetres.admx | -
| InternetExplorer/InternetZoneAllowSmartScreenIE | -Turn on SmartScreen Filter scan | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_Policy_Phishing_1 | -inetres.admx | -
| InternetExplorer/InternetZoneAllowUserDataPersistence | -Userdata persistence | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_PolicyUserdataPersistence_1 | -inetres.admx | -
| InternetExplorer/InternetZoneInitializeAndScriptActiveXControls | -Initialize and script ActiveX controls not marked as safe | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_PolicyScriptActiveXNotMarkedSafe_1 | -inetres.admx | -
| InternetExplorer/InternetZoneNavigateWindowsAndFrames | -Navigate windows and frames across different domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_PolicyNavigateSubframesAcrossDomains_1 | -inetres.admx | -
| InternetExplorer/IntranetZoneAllowAccessToDataSources | -Access data sources across domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_PolicyAccessDataSourcesAcrossDomains_3 | -inetres.admx | -
| InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls | -Automatic prompting for ActiveX controls | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_PolicyNotificationBarActiveXURLaction_3 | -inetres.admx | -
| InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads | -Automatic prompting for file downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_PolicyNotificationBarDownloadURLaction_3 | -inetres.admx | -
| InternetExplorer/IntranetZoneAllowFontDownloads | -Allow font downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_PolicyFontDownload_3 | -inetres.admx | -
| InternetExplorer/IntranetZoneAllowLessPrivilegedSites | -Web sites in less privileged Web content zones can navigate into this zone | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_PolicyZoneElevationURLaction_3 | -inetres.admx | -
| InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents | -Run .NET Framework-reliant components not signed with Authenticode | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_PolicyUnsignedFrameworkComponentsURLaction_3 | -inetres.admx | -
| InternetExplorer/IntranetZoneAllowScriptlets | -Allow scriptlets | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_Policy_AllowScriptlets_3 | -inetres.admx | -
| InternetExplorer/IntranetZoneAllowSmartScreenIE | -Turn on SmartScreen Filter scan | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_Policy_Phishing_3 | -inetres.admx | -
| InternetExplorer/IntranetZoneAllowUserDataPersistence | -Userdata persistence | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_PolicyUserdataPersistence_3 | -inetres.admx | -
| InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls | -Initialize and script ActiveX controls not marked as safe | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_PolicyScriptActiveXNotMarkedSafe_3 | -inetres.admx | -
| InternetExplorer/IntranetZoneNavigateWindowsAndFrames | -Navigate windows and frames across different domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_PolicyNavigateSubframesAcrossDomains_3 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneAllowAccessToDataSources | -Access data sources across domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_PolicyAccessDataSourcesAcrossDomains_9 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls | -Automatic prompting for ActiveX controls | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_PolicyNotificationBarActiveXURLaction_9 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads | -Automatic prompting for file downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_PolicyNotificationBarDownloadURLaction_9 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneAllowFontDownloads | -Allow font downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_PolicyFontDownload_9 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites | -Web sites in less privileged Web content zones can navigate into this zone | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_PolicyZoneElevationURLaction_9 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents | -Run .NET Framework-reliant components not signed with Authenticode | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_PolicyUnsignedFrameworkComponentsURLaction_9 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneAllowScriptlets | -Allow scriptlets | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_Policy_AllowScriptlets_9 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneAllowSmartScreenIE | -Turn on SmartScreen Filter scan | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_Policy_Phishing_9 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneAllowUserDataPersistence | -Userdata persistence | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_PolicyUserdataPersistence_9 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls | -Initialize and script ActiveX controls not marked as safe | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_PolicyScriptActiveXNotMarkedSafe_9 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames | -Navigate windows and frames across different domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_PolicyNavigateSubframesAcrossDomains_9 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources | -Access data sources across domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_PolicyAccessDataSourcesAcrossDomains_2 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls | -Automatic prompting for ActiveX controls | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_PolicyNotificationBarActiveXURLaction_2 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads | -Automatic prompting for file downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_PolicyNotificationBarDownloadURLaction_2 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneAllowFontDownloads | -Allow font downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_PolicyFontDownload_2 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites | -Web sites in less privileged Web content zones can navigate into this zone | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_PolicyZoneElevationURLaction_2 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents | -Run .NET Framework-reliant components not signed with Authenticode | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_PolicyUnsignedFrameworkComponentsURLaction_2 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneAllowScriptlets | -Allow scriptlets | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_Policy_AllowScriptlets_2 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE | -Turn on SmartScreen Filter scan | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_Policy_Phishing_2 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence | -Userdata persistence | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_PolicyUserdataPersistence_2 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls | -Initialize and script ActiveX controls not marked as safe | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_PolicyScriptActiveXNotMarkedSafe_2 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames | -Navigate windows and frames across different domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_PolicyNavigateSubframesAcrossDomains_2 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources | -Access data sources across domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_PolicyAccessDataSourcesAcrossDomains_4 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls | -Automatic prompting for ActiveX controls | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_PolicyNotificationBarActiveXURLaction_4 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads | -Automatic prompting for file downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_PolicyNotificationBarDownloadURLaction_4 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneAllowFontDownloads | -Allow font downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_PolicyFontDownload_4 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites | -Web sites in less privileged Web content zones can navigate into this zone | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_PolicyZoneElevationURLaction_4 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents | -Run .NET Framework-reliant components not signed with Authenticode | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_PolicyUnsignedFrameworkComponentsURLaction_4 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneAllowScriptlets | -Allow scriptlets | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_Policy_AllowScriptlets_4 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE | -Turn on SmartScreen Filter scan | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_Policy_Phishing_4 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence | -Userdata persistence | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_PolicyUserdataPersistence_4 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls | -Initialize and script ActiveX controls not marked as safe | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_PolicyScriptActiveXNotMarkedSafe_4 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames | -Navigate windows and frames across different domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_PolicyNavigateSubframesAcrossDomains_4 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources | -Access data sources across domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_PolicyAccessDataSourcesAcrossDomains_10 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls | -Automatic prompting for ActiveX controls | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_PolicyNotificationBarActiveXURLaction_10 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads | -Automatic prompting for file downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_PolicyNotificationBarDownloadURLaction_10 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads | -Allow font downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_PolicyFontDownload_10 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites | -Web sites in less privileged Web content zones can navigate into this zone | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_PolicyZoneElevationURLaction_10 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents | -Run .NET Framework-reliant components not signed with Authenticode | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_PolicyUnsignedFrameworkComponentsURLaction_10 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets | -Allow scriptlets | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_Policy_AllowScriptlets_10 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE | -Turn on SmartScreen Filter scan | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_Policy_Phishing_10 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence | -Userdata persistence | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_PolicyUserdataPersistence_10 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls | -Initialize and script ActiveX controls not marked as safe | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_PolicyScriptActiveXNotMarkedSafe_10 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames | -Navigate windows and frames across different domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_PolicyNavigateSubframesAcrossDomains_10 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources | -Access data sources across domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_PolicyAccessDataSourcesAcrossDomains_8 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls | -Automatic prompting for ActiveX controls | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_PolicyNotificationBarActiveXURLaction_8 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads | -Automatic prompting for file downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_PolicyNotificationBarDownloadURLaction_8 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads | -Allow font downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_PolicyFontDownload_8 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites | -Web sites in less privileged Web content zones can navigate into this zone | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_PolicyZoneElevationURLaction_8 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents | -Run .NET Framework-reliant components not signed with Authenticode | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_PolicyUnsignedFrameworkComponentsURLaction_8 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets | -Allow scriptlets | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_Policy_AllowScriptlets_8 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE | -Turn on SmartScreen Filter scan | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_Policy_Phishing_8 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence | -Userdata persistence | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_PolicyUserdataPersistence_8 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls | -Initialize and script ActiveX controls not marked as safe | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_PolicyScriptActiveXNotMarkedSafe_8 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames | -Navigate windows and frames across different domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_PolicyNavigateSubframesAcrossDomains_8 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources | -Access data sources across domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_PolicyAccessDataSourcesAcrossDomains_6 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls | -Automatic prompting for ActiveX controls | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_PolicyNotificationBarActiveXURLaction_6 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads | -Automatic prompting for file downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_PolicyNotificationBarDownloadURLaction_6 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads | -Allow font downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_PolicyFontDownload_6 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites | -Web sites in less privileged Web content zones can navigate into this zone | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_PolicyZoneElevationURLaction_6 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents | -Run .NET Framework-reliant components not signed with Authenticode | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_PolicyUnsignedFrameworkComponentsURLaction_6 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets | -Allow scriptlets | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_Policy_AllowScriptlets_6 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE | -Turn on SmartScreen Filter scan | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_Policy_Phishing_6 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence | -Userdata persistence | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_PolicyUserdataPersistence_6 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls | -Initialize and script ActiveX controls not marked as safe | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_PolicyScriptActiveXNotMarkedSafe_6 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames | -Navigate windows and frames across different domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_PolicyNavigateSubframesAcrossDomains_6 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources | -Access data sources across domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_PolicyAccessDataSourcesAcrossDomains_7 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls | -Automatic prompting for ActiveX controls | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_PolicyNotificationBarActiveXURLaction_7 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads | -Automatic prompting for file downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_PolicyNotificationBarDownloadURLaction_7 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneAllowFontDownloads | -Allow font downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_PolicyFontDownload_7 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites | -Web sites in less privileged Web content zones can navigate into this zone | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_PolicyZoneElevationURLaction_7 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents | -Run .NET Framework-reliant components not signed with Authenticode | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_PolicyUnsignedFrameworkComponentsURLaction_7 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneAllowScriptlets | -Allow scriptlets | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_Policy_AllowScriptlets_7 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE | -Turn on SmartScreen Filter scan | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_Policy_Phishing_7 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence | -Userdata persistence | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_PolicyUserdataPersistence_7 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls | -Initialize and script ActiveX controls not marked as safe | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_PolicyScriptActiveXNotMarkedSafe_7 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames | -Navigate windows and frames across different domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_PolicyNavigateSubframesAcrossDomains_7 | -inetres.admx | -
| InternetExplorer/SearchProviderList | -Restrict search providers to a specific list | -Windows Components/Internet Explorer | -SpecificSearchProvider | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneAllowAccessToDataSources | -Access data sources across domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_PolicyAccessDataSourcesAcrossDomains_5 | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls | -Automatic prompting for ActiveX controls | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_PolicyNotificationBarActiveXURLaction_5 | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads | -Automatic prompting for file downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_PolicyNotificationBarDownloadURLaction_5 | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneAllowFontDownloads | -Allow font downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_PolicyFontDownload_5 | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites | -Web sites in less privileged Web content zones can navigate into this zone | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_PolicyZoneElevationURLaction_5 | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents | -Run .NET Framework-reliant components not signed with Authenticode | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_PolicyUnsignedFrameworkComponentsURLaction_5 | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneAllowScriptlets | -Allow scriptlets | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_Policy_AllowScriptlets_5 | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneAllowSmartScreenIE | -Turn on SmartScreen Filter scan | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_Policy_Phishing_5 | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneAllowUserDataPersistence | -Userdata persistence | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_PolicyUserdataPersistence_5 | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls | -Initialize and script ActiveX controls not marked as safe | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_PolicyScriptActiveXNotMarkedSafe_5 | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames | -Navigate windows and frames across different domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_PolicyNavigateSubframesAcrossDomains_5 | -inetres.admx | -
| Kerberos/AllowForestSearchOrder | -- | ForestSearch | -Kerberos.admx | -|
| Kerberos/KerberosClientSupportsClaimsCompoundArmor | -Kerberos client support for claims, compound authentication and Kerberos armoring | -System/Kerberos | -EnableCbacAndArmor | -Kerberos.admx | -
| Kerberos/RequireKerberosArmoring | -Fail authentication requests when Kerberos armoring is not available | -System/Kerberos | -ClientRequireFast | -Kerberos.admx | -
| Kerberos/RequireStrictKDCValidation | -Require strict KDC validation | -System/Kerberos | -ValidateKDC | -Kerberos.admx | -
| Kerberos/SetMaximumContextTokenSize | -Set maximum Kerberos SSPI context token buffer size | -System/Kerberos | -MaxTokenSize | -Kerberos.admx | -
| Power/AllowStandbyWhenSleepingPluggedIn | -Allow standby states (S1-S3) when sleeping (plugged in) | -System/Power Management/Sleep Settings | -AllowStandbyStatesAC_2 | -power.admx | -
| Power/RequirePasswordWhenComputerWakesOnBattery | -Require a password when a computer wakes (on battery) | -System/Power Management/Sleep Settings | -DCPromptForPasswordOnResume_2 | -power.admx | -
| Power/RequirePasswordWhenComputerWakesPluggedIn | -Require a password when a computer wakes (plugged in) | -System/Power Management/Sleep Settings | -ACPromptForPasswordOnResume_2 | -power.admx | -
| Printers/PointAndPrintRestrictions | -Point and Print Restrictions | -Printers | -PointAndPrint_Restrictions_Win7 | -Printing.admx | -
| Printers/PointAndPrintRestrictions_User | -Point and Print Restrictions | -PointAndPrint_Restrictions | -Printing.admx | -|
| Printers/PublishPrinters | -Allow printers to be published | -Printers | -PublishPrinters | -Printing2.admx | -
| RemoteAssistance/CustomizeWarningMessages | -Customize warning messages | -System/Remote Assistance | -RA_Options | -remoteassistance.admx | -
| RemoteAssistance/SessionLogging | -Turn on session logging | -System/Remote Assistance | -RA_Logging | -remoteassistance.admx | -
| RemoteAssistance/SolicitedRemoteAssistance | -Configure Solicited Remote Assistance | -System/Remote Assistance | -RA_Solicit | -remoteassistance.admx | -
| RemoteAssistance/UnsolicitedRemoteAssistance | -Configure Offer Remote Assistance | -RA_Unsolicit | -remoteassistance.admx | -|
| RemoteDesktopServices/AllowUsersToConnectRemotely | -Allow users to connect remotely by using Remote Desktop Services | -Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections | -TS_DISABLE_CONNECTIONS | -terminalserver.admx | -
| RemoteDesktopServices/ClientConnectionEncryptionLevel | -Set client connection encryption level | -Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security | -TS_ENCRYPTION_POLICY | -terminalserver.admx | -
| RemoteDesktopServices/DoNotAllowDriveRedirection | -Do not allow drive redirection | -Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection | -TS_CLIENT_DRIVE_M | -terminalserver.admx | -
| RemoteDesktopServices/DoNotAllowPasswordSaving | -Do not allow passwords to be saved | -Windows Components/Remote Desktop Services/Remote Desktop Connection Client | -TS_CLIENT_DISABLE_PASSWORD_SAVING_2 | -terminalserver.admx | -
| RemoteDesktopServices/PromptForPasswordUponConnection | -Always prompt for password upon connection | -Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security | -TS_PASSWORD | -terminalserver.admx | -
| RemoteDesktopServices/RequireSecureRPCCommunication | -Require secure RPC communication | -Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security | -TS_RPC_ENCRYPTION | -terminalserver.admx | -
| RemoteProcedureCall/RPCEndpointMapperClientAuthentication | -Enable RPC Endpoint Mapper Client Authentication | -System/Remote Procedure Call | -RpcEnableAuthEpResolution | -rpc.admx | -
| RemoteProcedureCall/RestrictUnauthenticatedRPCClients | -Restrict Unauthenticated RPC clients | -System/Remote Procedure Call | -RpcRestrictRemoteClients | -rpc.admx | -
| Storage/EnhancedStorageDevices | -Do not allow Windows to activate Enhanced Storage devices | -System/Enhanced Storage Access | -TCGSecurityActivationDisabled | -enhancedstorage.admx | -
| System/BootStartDriverInitialization | -Boot-Start Driver Initialization Policy | -System/Early Launch Antimalware | -POL_DriverLoadPolicy_Name | -earlylauncham.admx | -
| System/DisableSystemRestore | -Turn off System Restore | -System/System Restore | -SR_DisableSR | -systemrestore.admx | -
| WindowsLogon/DisableLockScreenAppNotifications | -Turn off app notifications on the lock screen | -System/Logon | -DisableLockScreenAppNotifications | -logon.admx | -
| WindowsLogon/DontDisplayNetworkSelectionUI | -Do not display network selection UI | -System/Logon | -DontDisplayNetworkSelectionUI | -logon.admx | -
This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL.
- -If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL. - -If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation.
- -Note: Wild card characters cannot be used when specifying the host URLs. -
- -**AppVirtualization/AllowAppVClient** - -This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect.
- -**AppVirtualization/AllowDynamicVirtualization** - -Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls.
- -**AppVirtualization/AllowPackageCleanup** - -N/A
- -**AppVirtualization/AllowPackageScripts** - -Enables scripts defined in the package manifest of configuration files that should run.
- -**AppVirtualization/AllowPublishingRefreshUX** - -Enables a UX to display to the user when a publishing refresh is performed on the client.
- -**AppVirtualization/AllowReportingServer** - -Reporting Server URL: Displays the URL of reporting server.
- -Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM. - - Delay reporting for the random minutes: The maximum minutes of random delay on top of the reporting time. For a busy system, the random delay will help reduce the server load. - - Repeat reporting for every (days): The periodical interval in days for sending the reporting data. - - Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this occurs, and will not be logged again until after the cache has been successfully cleared on transmission and the log has filled up again.
- -Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections. -
- -**AppVirtualization/AllowRoamingFileExclusions** - -Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'.
- -**AppVirtualization/AllowRoamingRegistryExclusions** - -Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients.
- -**AppVirtualization/AllowStreamingAutoload** - -Specifies how new packages should be loaded automatically by App-V on a specific computer.
- -**AppVirtualization/ClientCoexistenceAllowMigrationmode** - -Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V.
- -**AppVirtualization/IntegrationAllowRootGlobal** - -Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration.
- -**AppVirtualization/IntegrationAllowRootUser** - -Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration.
- -**AppVirtualization/PublishingAllowServer1** - -Publishing Server Display Name: Displays the name of publishing server. - - Publishing Server URL: Displays the URL of publishing server. - - Global Publishing Refresh: Enables global publishing refresh (Boolean). - - Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - - Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - - Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - User Publishing Refresh: Enables user publishing refresh (Boolean). - - User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - - User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - - User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -
- -**AppVirtualization/PublishingAllowServer2** - -Publishing Server Display Name: Displays the name of publishing server. - - Publishing Server URL: Displays the URL of publishing server. - - Global Publishing Refresh: Enables global publishing refresh (Boolean). - - Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - - Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - - Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - User Publishing Refresh: Enables user publishing refresh (Boolean). - - User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - - User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - - User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -
- -**AppVirtualization/PublishingAllowServer3** - -Publishing Server Display Name: Displays the name of publishing server. - - Publishing Server URL: Displays the URL of publishing server. - - Global Publishing Refresh: Enables global publishing refresh (Boolean). - - Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - - Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - - Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - User Publishing Refresh: Enables user publishing refresh (Boolean). - - User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - - User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - - User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -
- -**AppVirtualization/PublishingAllowServer4** - -Publishing Server Display Name: Displays the name of publishing server. - - Publishing Server URL: Displays the URL of publishing server. - - Global Publishing Refresh: Enables global publishing refresh (Boolean). - - Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - - Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - - Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - User Publishing Refresh: Enables user publishing refresh (Boolean). - - User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - - User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - - User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -
- -**AppVirtualization/PublishingAllowServer5** - -Publishing Server Display Name: Displays the name of publishing server. - - Publishing Server URL: Displays the URL of publishing server. - - Global Publishing Refresh: Enables global publishing refresh (Boolean). - - Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - - Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - - Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - User Publishing Refresh: Enables user publishing refresh (Boolean). - - User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - - User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - - User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -
- -**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL** - -Specifies the path to a valid certificate in the certificate store.
- -**AppVirtualization/StreamingAllowHighCostLaunch** - -This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G).
- -**AppVirtualization/StreamingAllowLocationProvider** - -Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface.
- -**AppVirtualization/StreamingAllowPackageInstallationRoot** - -Specifies directory where all new applications and updates will be installed.
- -**AppVirtualization/StreamingAllowPackageSourceRoot** - -Overrides source location for downloading package content.
- -**AppVirtualization/StreamingAllowReestablishmentInterval** - -Specifies the number of seconds between attempts to reestablish a dropped session.
- -**AppVirtualization/StreamingAllowReestablishmentRetries** - -Specifies the number of times to retry a dropped session.
- -**AppVirtualization/StreamingSharedContentStoreMode** - -Specifies that streamed package contents will be not be saved to the local hard disk.
- -**AppVirtualization/StreamingSupportBranchCache** - -If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache
- -**AppVirtualization/StreamingVerifyCertificateRevocationList** - -Verifies Server certificate revocation status before streaming using HTTPS.
- -**AppVirtualization/VirtualComponentsAllowList** - -Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components.
- -**AttachmentManager/DoNotPreserveZoneInformation** - -This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments.
- -If you enable this policy setting, Windows does not mark file attachments with their zone information.
- -If you disable this policy setting, Windows marks file attachments with their zone information.
- -If you do not configure this policy setting, Windows marks file attachments with their zone information.
- -**AttachmentManager/HideZoneInfoMechanism** - -This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening.
- -If you enable this policy setting, Windows hides the check box and Unblock button.
- -If you disable this policy setting, Windows shows the check box and Unblock button.
- -If you do not configure this policy setting, Windows hides the check box and Unblock button.
- -**AttachmentManager/NotifyAntivirusPrograms** - -This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
- -If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.
- -If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.
- -If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.
- -**Autoplay/DisallowAutoplayForNonVolumeDevices** - -This policy setting disallows AutoPlay for MTP devices like cameras or phones.
- -If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones.
- -If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices.
- -**Autoplay/SetDefaultAutoRunBehavior** - -This policy setting sets the default behavior for Autorun commands.
- -Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines.
- -Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention.
- -This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog.
- -If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to:
- -a) Completely disable autorun commands, or - b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command.
- -If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run.
- -**Autoplay/TurnOffAutoPlay** - -This policy setting allows you to turn off the Autoplay feature.
- -Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately.
- -Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives.
- -Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices.
- -If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives.
- -This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default.
- -If you disable or do not configure this policy setting, AutoPlay is enabled.
- -Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.
- -**Connectivity/HardenedUNCPaths** - -This policy setting configures secure access to UNC paths.
- -If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. -
- -**CredentialProviders/AllowPINLogon** - -This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Windows Hello PIN, which has stronger security properties. To configure Windows Hello for Business, use the policies under Computer configuration\Administrative Templates\Windows Components\Windows Hello for Business.
- -If you enable this policy setting, a domain user can set up and sign in with a convenience PIN.
- -If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN.
- -Note that the user's domain password will be cached in the system vault when using this feature.
- -**CredentialProviders/BlockPicturePassword** - -This policy setting allows you to control whether a domain user can sign in using a picture password.
- -If you enable this policy setting, a domain user can't set up or sign in with a picture password.
- -If you disable or don't configure this policy setting, a domain user can set up and use a picture password.
- -Note that the user's domain password will be cached in the system vault when using this feature.
- -**CredentialsUI/DisablePasswordReveal** - -This policy setting allows you to configure the display of the password reveal button in password entry user experiences.
- -If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box.
- -If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box.
- -By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button.
- -The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer.
- -**CredentialsUI/EnumerateAdministrators** - -This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application.
- -If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password.
- -If you disable this policy setting, users will always be required to type a user name and password to elevate.
- -**DataUsage/SetCost3G** - -This policy setting configures the cost of 3G connections on the local machine.
- -If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine:
- -- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
- -- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
- -- Variable: This connection is costed on a per byte basis.
- -If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. -
- -**DataUsage/SetCost4G** - -This policy setting configures the cost of 4G connections on the local machine.
- -If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine:
- -- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
- -- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
- -- Variable: This connection is costed on a per byte basis.
- -If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. -
- -**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs** - -This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
- -If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
- -If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
- -**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses** - -This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. - -If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
- -If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
- -**ErrorReporting/CustomizeConsentSettings** - -This policy setting determines the consent behavior of Windows Error Reporting for specific event types.
- -If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.
- -- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type.
- -- 1 (Always ask before sending data): Windows prompts the user for consent to send reports.
- -- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft.
- -- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft.
- -- 4 (Send all data): Any data requested by Microsoft is sent automatically.
- -If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting.
- -**ErrorReporting/DisableWindowsErrorReporting** - -This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.
- -If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel.
- -If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.
- -**ErrorReporting/DisplayErrorNotification** - -This policy setting controls whether users are shown an error dialog box that lets them report an error.
- -If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error.
- -If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users.
- -If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server.
- -See also the Configure Error Reporting policy setting.
- -**ErrorReporting/DoNotSendAdditionalData** - -This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.
- -If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user.
- -If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
- -**ErrorReporting/PreventCriticalErrorDisplay** - -This policy setting prevents the display of the user interface for critical errors.
- -If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors.
- -If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors.
- -**EventLogService/ControlEventLogBehavior** - -This policy setting controls Event Log behavior when the log file reaches its maximum size.
- -If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.
- -If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
- -Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
- -**EventLogService/SpecifyMaximumFileSizeApplicationLog** - -This policy setting specifies the maximum size of the log file in kilobytes.
- -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
- -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
- -**EventLogService/SpecifyMaximumFileSizeSecurityLog** - -This policy setting specifies the maximum size of the log file in kilobytes.
- -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
- -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
- -**EventLogService/SpecifyMaximumFileSizeSystemLog** - -This policy setting specifies the maximum size of the log file in kilobytes.
- -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
- -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
- -**InternetExplorer/AddSearchProvider** - -This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website.
- -If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.
- -If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration.
- -**InternetExplorer/AllowActiveXFiltering** - -This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly.
- -If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions.
- -If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off.
- -**InternetExplorer/AllowAddOnList** - -This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.
- -This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied.
- -If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information:
- -Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, {000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.
- -Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field.
- -If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied.
- -**InternetExplorer/AllowEnhancedProtectedMode** - -Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.
- -If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.
- -If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista.
- -If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.
- -**InternetExplorer/AllowEnterpriseModeFromToolsMenu** - -This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu.
- -If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports.
- -If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode.
- -**InternetExplorer/AllowEnterpriseModeSiteList** - -This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.
- -If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE.
- -If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode.
- -**InternetExplorer/AllowInternetExplorer7PolicyList ** - -This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View.
- -If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify.
- -If you disable or do not configure this policy setting, the user can add and remove sites from the list.
- -**InternetExplorer/AllowInternetExplorerStandardsMode** - -This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone.
- -If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box.
- -If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box.
- -If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer.
- -**InternetExplorer/AllowInternetZoneTemplate** - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
- -If you disable this template policy setting, no security level is configured.
- -If you do not configure this template policy setting, no security level is configured.
- -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
- -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
- -**InternetExplorer/AllowIntranetZoneTemplate** - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
- -If you disable this template policy setting, no security level is configured.
- -If you do not configure this template policy setting, no security level is configured.
- -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
- -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
- -**InternetExplorer/AllowLocalMachineZoneTemplate** - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
- -If you disable this template policy setting, no security level is configured.
- -If you do not configure this template policy setting, no security level is configured.
- -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
- -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
- -**InternetExplorer/AllowLockedDownInternetZoneTemplate** - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
- -If you disable this template policy setting, no security level is configured.
- -If you do not configure this template policy setting, no security level is configured.
- -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
- -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
- -**InternetExplorer/AllowLockedDownIntranetZoneTemplate** - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
- -If you disable this template policy setting, no security level is configured.
- -If you do not configure this template policy setting, no security level is configured.
- -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
- -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
- -**InternetExplorer/AllowLockedDownLocalMachineZoneTemplate** - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
- -If you disable this template policy setting, no security level is configured.
- -If you do not configure this template policy setting, no security level is configured.
- -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
- -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
- -**InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate** - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
- -If you disable this template policy setting, no security level is configured.
- -If you do not configure this template policy setting, no security level is configured.
- -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
- -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
- -**InternetExplorer/AllowOneWordEntry** - -This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar.
- -If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available.
- -If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar.
- -**InternetExplorer/AllowSiteToZoneAssignmentList** - -This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.
- -Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)
- -If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:
- -Valuename A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also includea specificprotocol. For example, if you enter http://www.contoso.comas the valuename, other protocols are not affected.If you enter just www.contoso.com,then all protocolsare affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.
- -Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.
- -If you disable or do not configure this policy, users may choose their own site-to-zone assignments.
- -**InternetExplorer/AllowSuggestedSites** - -This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit.
- -If you enable this policy setting, the user is not prompted to enable Suggested Sites. The users browsing history is sent to Microsoft to produce suggestions.
- -If you disable this policy setting, the entry points and functionality associated with this feature are turned off.
- -If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature.
- -**InternetExplorer/AllowTrustedSitesZoneTemplate** - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
- -If you disable this template policy setting, no security level is configured.
- -If you do not configure this template policy setting, no security level is configured.
- -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
- -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
- -**InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate** - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
- -If you disable this template policy setting, no security level is configured.
- -If you do not configure this template policy setting, no security level is configured.
- -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
- -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
- -**InternetExplorer/AllowsRestrictedSitesZoneTemplate** - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
- -If you disable this template policy setting, no security level is configured.
- -If you do not configure this template policy setting, no security level is configured.
- -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
- -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
- -**InternetExplorer/DisableAdobeFlash** - -This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects.
- -If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings.
- -If you disable, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box.
- -Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library.
- -**InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation** - -This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).
- -If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.
- -If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.
- -If you do not configure this policy setting, the user can choose to participate in the CEIP.
- -**InternetExplorer/DisableEnclosureDownloading** - -This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.
- -If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.
- -If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.
- -**InternetExplorer/DisableEncryptionSupport** - -This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match.
- -If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list.
- -If you disable or do not configure this policy setting, the user can select which encryption method the browser supports.
- -Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.
- -**InternetExplorer/DisableFirstRunWizard** - -This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
- -If you enable this policy setting, you must make one of the following choices: - Skip the First Run wizard, and go directly to the user's home page. - Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage.
- -Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen.
- -If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation.
- -**InternetExplorer/DisableFlipAheadFeature** - -This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.
- -Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop.
- -If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background.
- -If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.
- -If you don't configure this setting, users can turn this behavior on or off, using the Settings charm.
- -**InternetExplorer/DisableHomePageChange** - -The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run.
- -If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies.
- -If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page.
- -**InternetExplorer/DisableSearchProviderChange** - -This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box.
- -If you enable this policy setting, the user cannot change the default search provider.
- -If you disable or do not configure this policy setting, the user can change the default search provider.
- -**InternetExplorer/DisableSecondaryHomePageChange** - -Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages.
- -If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages.
- -If you disable or do not configure this policy setting, the user can add secondary home pages.
- -Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages.
- -**InternetExplorer/DoNotBlockOutdatedActiveXControls** - -This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
- -If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls.
- -If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.
- -For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
- -**InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains** - -This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
- -If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:
- -1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" -2. "hostname". For example, if you want to include http://example, use "example" -3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm"
- -If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.
- -For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
- -**InternetExplorer/IncludeAllLocalSites** - -This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone.
- -If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone.
- -If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone).
- -If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone.
- -**InternetExplorer/IncludeAllNetworkPaths** - -This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.
- -If you enable this policy setting, all network paths are mapped into the Intranet Zone.
- -If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).
- -If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.
- -**InternetExplorer/InternetZoneAllowAccessToDataSources** - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
- -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -**InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls** - -This policy setting manages whether users will be automatically prompted for ActiveX control installations.
- -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -**InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads** - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
- -If you enable this setting, users will receive a file download dialog for automatic download attempts.
- -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
- -**InternetExplorer/InternetZoneAllowFontDownloads** - -This policy setting allows you to manage whether pages of the zone may download HTML fonts.
- -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
- -If you disable this policy setting, HTML fonts are prevented from downloading.
- -If you do not configure this policy setting, HTML fonts can be downloaded automatically.
- -**InternetExplorer/InternetZoneAllowLessPrivilegedSites** - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
- -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
- -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
- -**InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents** - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
- -If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
- -If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
- -**InternetExplorer/InternetZoneAllowScriptlets** - -This policy setting allows you to manage whether the user can run scriptlets.
- -If you enable this policy setting, the user can run scriptlets.
- -If you disable this policy setting, the user cannot run scriptlets.
- -If you do not configure this policy setting, the user can enable or disable scriptlets.
- -**InternetExplorer/InternetZoneAllowSmartScreenIE** - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
- -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
- -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
- -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
- -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
- -**InternetExplorer/InternetZoneAllowUserDataPersistence** - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
- -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -**InternetExplorer/InternetZoneInitializeAndScriptActiveXControls** - -This policy setting allows you to manage ActiveX controls not marked as safe.
- -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
- -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -**InternetExplorer/InternetZoneNavigateWindowsAndFrames** - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
- -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
- -If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
- -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
- -**InternetExplorer/IntranetZoneAllowAccessToDataSources** - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
- -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -**InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls** - -This policy setting manages whether users will be automatically prompted for ActiveX control installations.
- -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -**InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads** - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
- -If you enable this setting, users will receive a file download dialog for automatic download attempts.
- -If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
- -**InternetExplorer/IntranetZoneAllowFontDownloads** - -This policy setting allows you to manage whether pages of the zone may download HTML fonts.
- -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
- -If you disable this policy setting, HTML fonts are prevented from downloading.
- -If you do not configure this policy setting, HTML fonts can be downloaded automatically.
- -**InternetExplorer/IntranetZoneAllowLessPrivilegedSites** - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
- -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
- -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
- -**InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents** - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
- -If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
- -If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
- -**InternetExplorer/IntranetZoneAllowScriptlets** - -This policy setting allows you to manage whether the user can run scriptlets.
- -If you enable this policy setting, the user can run scriptlets.
- -If you disable this policy setting, the user cannot run scriptlets.
- -If you do not configure this policy setting, the user can enable or disable scriptlets.
- -**InternetExplorer/IntranetZoneAllowSmartScreenIE** - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
- -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
- -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
- -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
- -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
- -**InternetExplorer/IntranetZoneAllowUserDataPersistence** - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
- -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls** - -This policy setting allows you to manage ActiveX controls not marked as safe.
- -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
- -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -**InternetExplorer/IntranetZoneNavigateWindowsAndFrames** - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
- -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
- -If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
- -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
- -**InternetExplorer/LocalMachineZoneAllowAccessToDataSources** - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
- -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls** - -This policy setting manages whether users will be automatically prompted for ActiveX control installations.
- -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads** - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
- -If you enable this setting, users will receive a file download dialog for automatic download attempts.
- -If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
- -**InternetExplorer/LocalMachineZoneAllowFontDownloads** - -This policy setting allows you to manage whether pages of the zone may download HTML fonts.
- -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
- -If you disable this policy setting, HTML fonts are prevented from downloading.
- -If you do not configure this policy setting, HTML fonts can be downloaded automatically.
- -**InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites** - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
- -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
- -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -**InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents** - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
- -If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
- -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
- -**InternetExplorer/LocalMachineZoneAllowScriptlets** - -This policy setting allows you to manage whether the user can run scriptlets.
- -If you enable this policy setting, the user can run scriptlets.
- -If you disable this policy setting, the user cannot run scriptlets.
- -If you do not configure this policy setting, the user can enable or disable scriptlets.
- -**InternetExplorer/LocalMachineZoneAllowSmartScreenIE** - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
- -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
- -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
- -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
- -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
- -**InternetExplorer/LocalMachineZoneAllowUserDataPersistence** - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
- -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -**InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls** - -This policy setting allows you to manage ActiveX controls not marked as safe.
- -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
- -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
- -**InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames** - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
- -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
- -If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
- -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
- -**InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources** - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
- -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls** - -This policy setting manages whether users will be automatically prompted for ActiveX control installations.
- -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads** - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
- -If you enable this setting, users will receive a file download dialog for automatic download attempts.
- -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
- -**InternetExplorer/LockedDownInternetZoneAllowFontDownloads** - -This policy setting allows you to manage whether pages of the zone may download HTML fonts.
- -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
- -If you disable this policy setting, HTML fonts are prevented from downloading.
- -If you do not configure this policy setting, HTML fonts can be downloaded automatically.
- -**InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites** - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
- -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
- -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -**InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents** - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
- -If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
- -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
- -**InternetExplorer/LockedDownInternetZoneAllowScriptlets** - -This policy setting allows you to manage whether the user can run scriptlets.
- -If you enable this policy setting, the user can run scriptlets.
- -If you disable this policy setting, the user cannot run scriptlets.
- -If you do not configure this policy setting, the user can enable or disable scriptlets.
- -**InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE** - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
- -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
- -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
- -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
- -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
- -**InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence** - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
- -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -**InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls** - -This policy setting allows you to manage ActiveX controls not marked as safe.
- -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
- -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -**InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames** - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
- -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
- -If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
- -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
- -**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources** - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
- -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls** - -This policy setting manages whether users will be automatically prompted for ActiveX control installations.
- -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads** - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
- -If you enable this setting, users will receive a file download dialog for automatic download attempts.
- -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
- -**InternetExplorer/LockedDownIntranetZoneAllowFontDownloads** - -This policy setting allows you to manage whether pages of the zone may download HTML fonts.
- -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
- -If you disable this policy setting, HTML fonts are prevented from downloading.
- -If you do not configure this policy setting, HTML fonts can be downloaded automatically.
- -**InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites** - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
- -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
- -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -**InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents** - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
- -If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
- -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
- -**InternetExplorer/LockedDownIntranetZoneAllowScriptlets** - -This policy setting allows you to manage whether the user can run scriptlets.
- -If you enable this policy setting, the user can run scriptlets.
- -If you disable this policy setting, the user cannot run scriptlets.
- -If you do not configure this policy setting, the user can enable or disable scriptlets.
- -**InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE** - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
- -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
- -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
- -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
- -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
- -**InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence** - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
- -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -**InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls** - -This policy setting allows you to manage ActiveX controls not marked as safe.
- -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
- -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -**InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames** - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
- -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
- -If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
- -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
- -**InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources** - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
- -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls** - -This policy setting manages whether users will be automatically prompted for ActiveX control installations.
- -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads** - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
- -If you enable this setting, users will receive a file download dialog for automatic download attempts.
- -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
- -**InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads** - -This policy setting allows you to manage whether pages of the zone may download HTML fonts.
- -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
- -If you disable this policy setting, HTML fonts are prevented from downloading.
- -If you do not configure this policy setting, HTML fonts can be downloaded automatically.
- -**InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites** - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
- -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
- -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -**InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents** - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
- -If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
- -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
- -**InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets** - -This policy setting allows you to manage whether the user can run scriptlets.
- -If you enable this policy setting, the user can run scriptlets.
- -If you disable this policy setting, the user cannot run scriptlets.
- -If you do not configure this policy setting, the user can enable or disable scriptlets.
- -**InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE** - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
- -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
- -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
- -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
- -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
- -**InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence** - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
- -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -**InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls** - -This policy setting allows you to manage ActiveX controls not marked as safe.
- -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
- -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -**InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames** - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
- -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
- -If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
- -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
- -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources** - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
- -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** - -This policy setting manages whether users will be automatically prompted for ActiveX control installations.
- -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
- -If you enable this setting, users will receive a file download dialog for automatic download attempts.
- -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
- -**InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads** - -This policy setting allows you to manage whether pages of the zone may download HTML fonts.
- -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
- -If you disable this policy setting, HTML fonts are prevented from downloading.
- -If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.
- -**InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites** - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
- -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
- -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -**InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents** - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
- -If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
- -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
- -**InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets** - -This policy setting allows you to manage whether the user can run scriptlets.
- -If you enable this policy setting, the user can run scriptlets.
- -If you disable this policy setting, the user cannot run scriptlets.
- -If you do not configure this policy setting, the user can enable or disable scriptlets.
- -**InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE** - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
- -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
- -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
- -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
- -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
- -**InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence** - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
- -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -**InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls** - -This policy setting allows you to manage ActiveX controls not marked as safe.
- -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
- -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -**InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames** - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
- -If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
- -If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.
- -If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.
- -**InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources** - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
- -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls** - -This policy setting manages whether users will be automatically prompted for ActiveX control installations.
- -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads** - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
- -If you enable this setting, users will receive a file download dialog for automatic download attempts.
- -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
- -**InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads** - -This policy setting allows you to manage whether pages of the zone may download HTML fonts.
- -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
- -If you disable this policy setting, HTML fonts are prevented from downloading.
- -If you do not configure this policy setting, HTML fonts can be downloaded automatically.
- -**InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites** - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
- -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
- -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -**InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents** - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
- -If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
- -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
- -**InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets** - -This policy setting allows you to manage whether the user can run scriptlets.
- -If you enable this policy setting, the user can run scriptlets.
- -If you disable this policy setting, the user cannot run scriptlets.
- -If you do not configure this policy setting, the user can enable or disable scriptlets.
- -**InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE** - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
- -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
- -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
- -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
- -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
- -**InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence** - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
- -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -**InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls** - -This policy setting allows you to manage ActiveX controls not marked as safe.
- -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
- -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -**InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames** - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
- -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
- -If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
- -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
- -**InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources** - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
- -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** - -This policy setting manages whether users will be automatically prompted for ActiveX control installations.
- -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
- -If you enable this setting, users will receive a file download dialog for automatic download attempts.
- -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
- -**InternetExplorer/RestrictedSitesZoneAllowFontDownloads** - -This policy setting allows you to manage whether pages of the zone may download HTML fonts.
- -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
- -If you disable this policy setting, HTML fonts are prevented from downloading.
- -If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.
- -**InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites** - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
- -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
- -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -**InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents** - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
- -If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
- -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
- -**InternetExplorer/RestrictedSitesZoneAllowScriptlets** - -This policy setting allows you to manage whether the user can run scriptlets.
- -If you enable this policy setting, the user can run scriptlets.
- -If you disable this policy setting, the user cannot run scriptlets.
- -If you do not configure this policy setting, the user can enable or disable scriptlets.
- -**InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE** - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
- -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
- -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
- -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
- -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
- -**InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence** - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
- -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -**InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls** - -This policy setting allows you to manage ActiveX controls not marked as safe.
- -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
- -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames** - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
- -If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
- -If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.
- -If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.
- -**InternetExplorer/SearchProviderList** - -This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website.
- -If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.
- -If you disable or do not configure this policy setting, the user can configure his or her list of search providers.
- -**InternetExplorer/TrustedSitesZoneAllowAccessToDataSources** - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
- -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls** - -This policy setting manages whether users will be automatically prompted for ActiveX control installations.
- -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads** - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
- -If you enable this setting, users will receive a file download dialog for automatic download attempts.
- -If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
- -**InternetExplorer/TrustedSitesZoneAllowFontDownloads** - -This policy setting allows you to manage whether pages of the zone may download HTML fonts.
- -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
- -If you disable this policy setting, HTML fonts are prevented from downloading.
- -If you do not configure this policy setting, HTML fonts can be downloaded automatically.
- -**InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites** - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
- -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
- -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur.
- -**InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents** - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
- -If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
- -If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
- -**InternetExplorer/TrustedSitesZoneAllowScriptlets** - -This policy setting allows you to manage whether the user can run scriptlets.
- -If you enable this policy setting, the user can run scriptlets.
- -If you disable this policy setting, the user cannot run scriptlets.
- -If you do not configure this policy setting, the user can enable or disable scriptlets.
- -**InternetExplorer/TrustedSitesZoneAllowSmartScreenIE** - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
- -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
- -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
- -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
- -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
- -**InternetExplorer/TrustedSitesZoneAllowUserDataPersistence** - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
- -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls** - -This policy setting allows you to manage ActiveX controls not marked as safe.
- -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
- -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
- -**InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames** - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
- -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
- -If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
- -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
- -**Kerberos/AllowForestSearchOrder** - -This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
- -If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
- -If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
- -**Kerberos/KerberosClientSupportsClaimsCompoundArmor** - -This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. -If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
- -If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. -
- -**Kerberos/RequireKerberosArmoring** - -This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
- -Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
- -If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
- -Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
- -If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. -
- -**Kerberos/RequireStrictKDCValidation** - -This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
- -If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
- -If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. -
- -**Kerberos/SetMaximumContextTokenSize** - -This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. - -The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
- -If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.
- -If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
- -Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
- - - -**Power/AllowStandbyWhenSleepingPluggedIn** - -This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.
- -If you enable this policy setting, Windows uses standby states to put the computer in a sleep state.
- -If you disable or do not configure this policy setting, the only sleep state a computer may enter is hibernate.
- -**Power/RequirePasswordWhenComputerWakesOnBattery** - -This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.
- -If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.
- -If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
- -**Power/RequirePasswordWhenComputerWakesPluggedIn** - -This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.
- -If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.
- -If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
- -**Printers/PointAndPrintRestrictions** - -This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
- -If you enable this policy setting: - -Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. - -You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.
- -If you do not configure this policy setting: - -Windows Vista client computers can point and print to any server. - -Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. - -Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. - -Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.
- -If you disable this policy setting: - -Windows Vista client computers can create a printer connection to any server using Point and Print. - -Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. - -Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. - -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. - -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
- -**Printers/PointAndPrintRestrictions_User** - -This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
- -If you enable this policy setting: - -Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. - -You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.
- -If you do not configure this policy setting: - -Windows Vista client computers can point and print to any server. - -Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. - -Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. - -Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.
- -If you disable this policy setting: - -Windows Vista client computers can create a printer connection to any server using Point and Print. - -Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. - -Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. - -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. - -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
- -**Printers/PublishPrinters** - -Determines whether the computer's shared printers can be published in Active Directory.
- -If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory.
- -If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available.
- -Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory".
- -**RemoteAssistance/CustomizeWarningMessages** - -This policy setting lets you customize warning messages.
- -The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer.
- -The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a user allows a connection to his or her computer.
- -If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice.
- -If you disable this policy setting, the user sees the default warning message.
- -If you do not configure this policy setting, the user sees the default warning message.
- -**RemoteAssistance/SessionLogging** - -This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.
- -If you enable this policy setting, log files are generated.
- -If you disable this policy setting, log files are not generated.
- -If you do not configure this setting, application-based settings are used.
- -**RemoteAssistance/SolicitedRemoteAssistance** - -This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.
- -If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings.
- -If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer.
- -If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings.
- -If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer."
- -The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open.
- -The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported.
- -If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.
- -**RemoteAssistance/UnsolicitedRemoteAssistance** - -This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.
- -If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
- -If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
- -If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
- -If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance.
- -To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format:
- -If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running.
- -Windows Vista and later
- -Enable the Remote Assistance exception for the domain profile. The exception must contain: -Port 135:TCP -%WINDIR%\System32\msra.exe -%WINDIR%\System32\raserver.exe
- -Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1)
- -Port 135:TCP -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -%WINDIR%\System32\Sessmgr.exe
- -For computers running Windows Server 2003 with Service Pack 1 (SP1)
- -Port 135:TCP -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -Allow Remote Desktop Exception
- -**RemoteDesktopServices/AllowUsersToConnectRemotely** - -This policy setting allows you to configure remote access to computers by using Remote Desktop Services.
- -If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services.
- -If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections.
- -If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed.
- -Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication.
- -You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. -
- -**RemoteDesktopServices/ClientConnectionEncryptionLevel** - -Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption.
- -If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:
- -* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers.
- -* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.
- -* Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption.
- -If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy.
- -Important
- -FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. -
- -**RemoteDesktopServices/DoNotAllowDriveRedirection** - -This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).
- -By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format
If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP.
- -If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed.
- -If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. -
- -**RemoteDesktopServices/DoNotAllowPasswordSaving** - -Controls whether passwords can be saved on this computer from Remote Desktop Connection.
- -If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted.
- -If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.
- -**RemoteDesktopServices/PromptForPasswordUponConnection** - -This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.
- -You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.
- -By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.
- -If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.
- -If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.
- -If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. -
- -**RemoteDesktopServices/RequireSecureRPCCommunication** - -Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.
- -You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.
- -If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.
- -If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request.
- -If the status is set to Not Configured, unsecured communication is allowed.
- -Note: The RPC interface is used for administering and configuring Remote Desktop Services.
- -**RemoteProcedureCall/RPCEndpointMapperClientAuthentication** - -This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner.
- -If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
- -If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
- -If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
- -Note: This policy will not be applied until the system is rebooted.
- -**RemoteProcedureCall/RestrictUnauthenticatedRPCClients** - -This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.
- -This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller.
- -If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting.
- -If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting.
- -If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting.
- --- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied.
- --- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them.
- --- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed.
- -Note: This policy setting will not be applied until the system is rebooted.
- -**Storage/EnhancedStorageDevices** - -This policy setting configures whether or not Windows will activate an Enhanced Storage device.
- -If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices.
- -If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices.
- -**System/BootStartDriverInitialization** - -N/A
- -**System/DisableSystemRestore** - -Allows you to disable System Restore.
- -This policy setting allows you to turn off System Restore.
- -System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume.
- -If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled.
- -If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection.
- -Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available.
- -**WindowsLogon/DisableLockScreenAppNotifications** - -This policy setting allows you to prevent app notifications from appearing on the lock screen.
- -If you enable this policy setting, no app notifications are displayed on the lock screen.
- -If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.
- -**WindowsLogon/DontDisplayNetworkSelectionUI** - -This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.
- -If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows.
- -If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.
- - - - - - - diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 6a2a63b9e5..de4d589baf 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -118,6 +118,29 @@ The following diagram shows the Policy configuration service provider in tree fo **AboveLock/AllowActionCenterNotifications** + +| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
 |
+ |
+ + | |
+ |
+  |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. @@ -163,22 +197,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **AboveLock/AllowToasts** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether to allow toast notifications above the device lock screen. @@ -193,22 +238,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Accounts/AllowAddingNonMicrosoftAccountsManually** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether user is allowed to add non-MSA email accounts. @@ -226,22 +282,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Accounts/AllowMicrosoftAccountConnection** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. @@ -256,22 +323,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Accounts/AllowMicrosoftAccountSignInAssistant** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service. @@ -284,23 +362,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Accounts/DomainNamesForEmailSync** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies a list of the domains that are allowed to sync email on the device. @@ -312,18 +400,6 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ActiveXControls/ApprovedInstallationSites** @@ -963,6 +1039,29 @@ ADMX Info: **ApplicationDefaults/DefaultAssociationsConfiguration** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML. @@ -1024,23 +1123,33 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/AllowAllTrustedApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether non Windows Store apps are allowed. @@ -1056,22 +1165,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/AllowAppStoreAutoUpdate** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether automatic update of apps from Windows Store are allowed. @@ -1086,22 +1206,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/AllowDeveloperUnlock** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether developer unlock is allowed. @@ -1117,22 +1248,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/AllowGameDVR** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether multiple users of the same app can share data. @@ -1180,22 +1333,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/AllowStore** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether app store is allowed at the device. @@ -1210,22 +1374,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/ApplicationRestrictions** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | 1 |
+ 1 |
+ |
+ |
+
Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Windows Store that came pre-installed or were downloaded. @@ -1283,22 +1469,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: No -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/RequirePrivateStoreOnly** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Allows disabling of the retail catalog and only enables the Private store. @@ -1322,22 +1519,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: No -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/RestrictAppDataToSystemVolume** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether application data is restricted to the system drive. @@ -1352,22 +1560,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/RestrictAppToSystemVolume** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether the installation of applications is restricted to the system drive. @@ -1382,18 +1601,6 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **AttachmentManager/DoNotPreserveZoneInformation** @@ -1470,6 +1677,29 @@ ADMX Info: **Authentication/AllowEAPCertSSO** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Allows EAP Fast Reconnect from being attempted for EAP Method TLS. @@ -1523,22 +1764,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Authentication/AllowSecondaryAuthenticationDevice** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows. @@ -1553,18 +1805,6 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Autoplay/DisallowAutoplayForNonVolumeDevices** @@ -1654,6 +1894,29 @@ ADMX Info: **Bitlocker/EncryptionMethod** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies the BitLocker Drive Encryption method and cipher strength. @@ -1668,22 +1931,33 @@ ADMX Info: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Bluetooth/AllowAdvertising** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether the device can send out Bluetooth advertisements. @@ -1700,22 +1974,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Bluetooth/AllowDiscoverableMode** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether other Bluetooth-enabled devices can discover the device. @@ -1732,22 +2017,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Bluetooth/AllowPrepairing** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device. @@ -1760,22 +2056,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Bluetooth/LocalDeviceName** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Sets the local Bluetooth device name. @@ -1787,22 +2094,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Bluetooth/ServicesAllowedList** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. @@ -1812,18 +2130,6 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowAddressBarDropdown** @@ -1849,6 +2155,29 @@ SKU Support: **Browser/AllowAutofill** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether autofill on websites is allowed. @@ -1870,22 +2199,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowBrowser** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether cookies are allowed. @@ -1943,21 +2294,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes - - **Browser/AllowDeveloperTools** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether Do Not Track headers are allowed. @@ -2013,22 +2387,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowExtensions** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed. @@ -2041,22 +2426,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowFlash** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge. @@ -2069,22 +2465,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowFlashClickToRun** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ + | 2 |
+ 2 |
+ |
+ |
+
Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. @@ -2097,22 +2504,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowInPrivate** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether InPrivate browsing is allowed on corporate networks. @@ -2127,18 +2545,6 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowMicrosoftCompatibilityList** @@ -2164,6 +2570,29 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis **Browser/AllowPasswordManager** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether saving and managing passwords locally on the device is allowed. @@ -2185,22 +2614,33 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowPopups** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether pop-up blocker is allowed or enabled. @@ -2222,18 +2662,6 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowSearchEngineCustomization** @@ -2258,6 +2686,29 @@ SKU Support: **Browser/AllowSearchSuggestionsinAddressBar** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether search suggestions are allowed in the address bar. @@ -2272,22 +2723,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowSmartScreen** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether Windows Defender SmartScreen is allowed. @@ -2309,18 +2771,6 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/ClearBrowsingDataOnExit** @@ -2399,6 +2849,29 @@ Employees cannot remove these search engines, but they can set any one as the de **Browser/EnterpriseModeSiteList** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features. @@ -2532,18 +3049,6 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/PreventFirstRunPage** @@ -2584,6 +3089,29 @@ SKU Support: **Browser/PreventSmartScreenPromptOverride** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. @@ -2598,22 +3126,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/PreventSmartScreenPromptOverrideForFiles** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process. @@ -2626,22 +3165,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/PreventUsingLocalHostIPAddressForWebRTC** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. @@ -2792,23 +3375,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Camera/AllowCamera** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Disables or enables the camera. @@ -2823,22 +3416,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Connectivity/AllowBluetooth** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Allows the user to enable Bluetooth or restrict access. @@ -2860,22 +3464,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Connectivity/AllowCellularData** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Allows the cellular data channel on the device. Device reboot is not required to enforce the policy. @@ -2889,22 +3504,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Connectivity/AllowCellularDataRoaming** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy. @@ -2928,22 +3554,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Connectivity/AllowConnectedDevices** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies what type of underlying connections VPN is allowed to use. @@ -3060,22 +3729,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Connectivity/AllowVPNRoamingOverCellular** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Prevents the device from connecting to VPN when the device roams over cellular networks. @@ -3090,18 +3770,6 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Connectivity/HardenedUNCPaths** @@ -3225,6 +3893,29 @@ ADMX Info: **Cryptography/AllowFipsAlgorithmPolicy** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Allows or disallows the Federal Information Processing Standard (FIPS) policy. @@ -3237,22 +3928,33 @@ ADMX Info: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Cryptography/TLSCipherSuites** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. @@ -3260,22 +3962,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DataProtection/AllowDirectMemoryAccess** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled. @@ -3290,22 +4003,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **DataProtection/LegacySelectiveWipeID** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. @@ -4935,22 +6160,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/AlphanumericDevicePasswordRequired** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required). @@ -4976,22 +6212,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/DevicePasswordEnabled** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether device lock is enabled. @@ -5044,22 +6291,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/DevicePasswordExpiration** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies when the password expires (in days). @@ -5080,22 +6338,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/DevicePasswordHistory** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies how many passwords can be stored in the history that can’t be used. @@ -5118,22 +6387,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/EnforceLockScreenAndLogonImage** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | 1 |
+ 1 |
+ |
+ |
+
Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. @@ -5147,22 +6427,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: No -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeviceLock/EnforceLockScreenProvider** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider. @@ -5176,22 +6467,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeviceLock/MaxDevicePasswordFailedAttempts** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy. @@ -5253,22 +6566,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ 2 |
+ 2 |
+
Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display. @@ -5285,23 +6609,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: No -- Business: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeviceLock/MinDevicePasswordComplexCharacters** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. @@ -5380,22 +6714,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/MinDevicePasswordLength** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies the minimum number or characters required in the PIN or password. @@ -5419,18 +6764,6 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/PreventLockScreenSlideShow** @@ -5457,6 +6790,29 @@ ADMX Info: **DeviceLock/ScreenTimeoutWhileLocked** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. @@ -5510,23 +6878,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Display/TurnOnGdiDPIScalingForApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. @@ -5547,25 +6925,35 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **EnterpriseCloudPrint/CloudPrintOAuthAuthority** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails. +
Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens.
The datatype is a string. @@ -5575,25 +6963,35 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **EnterpriseCloudPrint/CloudPrintOAuthClientId** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails. +
Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority.
The datatype is a string. @@ -5603,25 +7001,35 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **EnterpriseCloudPrint/CloudPrintResourceId** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails. +
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication.
The datatype is a string. @@ -5631,25 +7039,35 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails. +
Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers.
The datatype is a string. @@ -5659,25 +7077,35 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **EnterpriseCloudPrint/DiscoveryMaxPrinterLimit** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails. +
Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point.
The datatype is an integer. @@ -5687,25 +7115,35 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **EnterpriseCloudPrint/MopriaDiscoveryResourceId** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails. +
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication.
The datatype is a string. @@ -5715,19 +7153,6 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ErrorReporting/CustomizeConsentSettings** @@ -5946,6 +7371,29 @@ ADMX Info: **Experience/AllowCopyPaste** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device. @@ -6001,22 +7460,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowDeviceDiscovery** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Allows users to turn on/off device discovery UX. @@ -6032,38 +7502,34 @@ SKU Support: - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - - - -**Experience/AllowFindMyDevice** - - -
Added in Windows 10, version 1703. This policy turns on Find My Device feature. - -
When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. - -
When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. - - - - **Experience/AllowManualMDMUnenrollment** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether to allow the user to delete the workplace account using the workplace control panel. @@ -6082,22 +7548,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowSIMErrorDialogPromptWhenNoSIM** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). @@ -6176,18 +7675,6 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowTailoredExperiencesWithDiagnosticData** @@ -6217,6 +7704,29 @@ SKU Support: **Experience/AllowTaskSwitcher** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | 1 |
+ 1 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | 1 |
+ 1 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Prevents devices from showing feedback questions from Microsoft. @@ -6510,18 +8097,6 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Games/AllowAdvancedGamingServices** @@ -10338,6 +11913,29 @@ ADMX Info: **Licensing/AllowWindowsEntitlementReactivation** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices. @@ -10350,22 +11948,33 @@ ADMX Info: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Licensing/DisallowKMSClientOnlineAVSValidation** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. @@ -10378,22 +11987,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Location/EnableLocation** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page. @@ -10414,22 +12034,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes - - **LockDown/AllowEdgeSwipe** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch. @@ -10444,22 +12075,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Maps/AllowOfflineMapsDownloadOverMeteredConnection** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Allows the download and update of map data over metered connections. @@ -10475,22 +12117,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Maps/EnableOfflineMapsAutoUpdate** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Disables the automatic download and update of map data. @@ -10506,18 +12159,6 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Messaging/AllowMMS** @@ -10541,6 +12182,29 @@ SKU Support: **Messaging/AllowMessageSync** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control. @@ -10553,18 +12217,6 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Messaging/AllowRCS** @@ -10588,6 +12240,29 @@ SKU Support: **NetworkIsolation/EnterpriseCloudResources** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**. @@ -10595,22 +12270,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/EnterpriseIPRange** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. For example: @@ -10627,22 +12313,33 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/EnterpriseIPRangesAreAuthoritative** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets. @@ -10650,22 +12347,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/EnterpriseInternalProxyServers** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies. @@ -10673,22 +12381,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/EnterpriseNetworkDomainNames** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com". @@ -10706,22 +12425,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/EnterpriseProxyServers** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". @@ -10729,22 +12459,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/EnterpriseProxyServersAreAuthoritative** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies. @@ -10752,22 +12493,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/NeutralResources** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
List of domain names that can used for work or personal resource. @@ -10775,22 +12527,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Notifications/DisallowNotificationMirroring** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Boolean value that turns off notification mirroring. @@ -10807,18 +12570,6 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Power/AllowStandbyWhenSleepingPluggedIn** @@ -10982,6 +12733,29 @@ ADMX Info: **Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. @@ -10996,22 +12770,33 @@ ADMX Info: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/AllowInputPersonalization** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Updated in the next major update of Windows 10. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users. @@ -11026,22 +12811,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/DisableAdvertisingId** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Enables or disables the Advertising ID. @@ -11057,22 +12853,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessAccountInfo** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access account information. @@ -11088,22 +12895,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. @@ -11111,22 +12929,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. @@ -11134,22 +12963,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. @@ -11157,22 +12997,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCalendar** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar. @@ -11188,22 +13039,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCalendar_ForceAllowTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. @@ -11211,22 +13073,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCalendar_ForceDenyTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. @@ -11234,22 +13107,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. @@ -11257,22 +13141,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCallHistory** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access call history. @@ -11288,22 +13183,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. @@ -11311,22 +13217,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. @@ -11334,22 +13251,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. @@ -11357,22 +13285,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCamera** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera. @@ -11388,22 +13327,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCamera_ForceAllowTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. @@ -11411,22 +13361,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCamera_ForceDenyTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. @@ -11434,22 +13395,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCamera_UserInControlOfTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. @@ -11457,22 +13429,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessContacts** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts. @@ -11488,22 +13471,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessContacts_ForceAllowTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. @@ -11511,22 +13505,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessContacts_ForceDenyTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. @@ -11534,22 +13539,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessContacts_UserInControlOfTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. @@ -11557,22 +13573,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessEmail** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access email. @@ -11588,22 +13615,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessEmail_ForceAllowTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. @@ -11611,22 +13649,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessEmail_ForceDenyTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. @@ -11634,22 +13683,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessEmail_UserInControlOfTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. @@ -11657,22 +13717,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessLocation** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access location. @@ -11688,22 +13759,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessLocation_ForceAllowTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. @@ -11711,22 +13793,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessLocation_ForceDenyTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. @@ -11734,22 +13827,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessLocation_UserInControlOfTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. @@ -11757,22 +13861,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMessaging** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS). @@ -11788,22 +13903,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMessaging_ForceAllowTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. @@ -11811,22 +13937,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMessaging_ForceDenyTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. @@ -11834,22 +13971,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. @@ -11857,22 +14005,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMicrophone** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone. @@ -11888,22 +14047,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. @@ -11911,22 +14081,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. @@ -11934,22 +14115,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. @@ -11957,22 +14149,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMotion** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data. @@ -11988,22 +14191,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMotion_ForceAllowTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. @@ -12011,22 +14225,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMotion_ForceDenyTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. @@ -12034,22 +14259,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMotion_UserInControlOfTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. @@ -12057,22 +14293,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessNotifications** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications. @@ -12088,22 +14335,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessNotifications_ForceAllowTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. @@ -12111,22 +14369,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessNotifications_ForceDenyTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. @@ -12134,22 +14403,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. @@ -12157,22 +14437,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessPhone** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls. @@ -12188,22 +14479,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessPhone_ForceAllowTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. @@ -12211,22 +14513,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessPhone_ForceDenyTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. @@ -12234,22 +14547,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessPhone_UserInControlOfTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. @@ -12257,22 +14581,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessRadios** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios. @@ -12288,22 +14623,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessRadios_ForceAllowTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. @@ -12311,22 +14657,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessRadios_ForceDenyTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. @@ -12334,22 +14691,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessRadios_UserInControlOfTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. @@ -12357,22 +14725,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTasks** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. @@ -12380,22 +14759,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTasks_ForceAllowTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. @@ -12403,22 +14793,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTasks_ForceDenyTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. @@ -12426,22 +14827,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTasks_UserInControlOfTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. @@ -12449,22 +14861,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTrustedDevices** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices. @@ -12480,22 +14903,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. @@ -12503,22 +14937,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. @@ -12526,22 +14971,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. @@ -12549,22 +15005,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsGetDiagnosticInfo** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ + | 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. @@ -12580,22 +15047,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ + | 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. @@ -12603,22 +15081,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ + | 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. @@ -12626,22 +15115,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ + | 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. @@ -12649,22 +15149,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsRunInBackground** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ + | 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. @@ -12682,22 +15193,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsRunInBackground_ForceAllowTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ + | 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. @@ -12705,22 +15227,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsRunInBackground_ForceDenyTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ + | 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. @@ -12728,22 +15261,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsRunInBackground_UserInControlOfTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ + | 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. @@ -12751,22 +15295,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsSyncWithDevices** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. @@ -12782,22 +15337,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -12805,22 +15371,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -12828,22 +15405,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -12851,18 +15439,6 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **RemoteAssistance/CustomizeWarningMessages** @@ -13233,6 +15809,29 @@ ADMX Info: **Search/AllowIndexingEncryptedStoresOrItems** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files. @@ -13251,22 +15850,33 @@ ADMX Info: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/AllowSearchToUseLocation** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether search can leverage location information. @@ -13281,22 +15891,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **Search/AllowUsingDiacritics** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Allows the use of diacritics. @@ -13311,22 +15932,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/AlwaysUseAutoLangDetection** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether to always use automatic language detection when indexing content and properties. @@ -13341,22 +15973,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/DisableBackoff** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled. @@ -13369,22 +16012,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/DisableRemovableDriveIndexing** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
This policy setting configures whether or not locations on removable drives can be added to libraries. @@ -13401,22 +16055,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/PreventIndexingLowDiskSpaceMB** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 2147483647 MB. @@ -13433,22 +16098,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/PreventRemoteQueries** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index.. @@ -13461,22 +16137,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/SafeSearchPermissions** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether to allow the runtime configuration agent to install provisioning packages. @@ -13523,22 +16221,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether to allow the runtime configuration agent to remove provisioning packages. @@ -13622,22 +16353,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Security/AntiTheftMode** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether provisioning packages must have a certificate signed by a device trusted authority. @@ -13753,22 +16528,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Security/RequireRetrieveHealthCertificateOnBoot** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots. @@ -13792,22 +16578,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowAutoPlay** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Allows the user to change Data Sense settings. @@ -13856,22 +16664,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowDateTime** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Allows the user to change date and time settings. @@ -13884,22 +16703,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowEditDeviceName** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ 1 |
+ 1 |
+
Allows editing of the device name. @@ -13912,22 +16742,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowLanguage** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Allows the user to change VPN settings. @@ -14068,22 +16953,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowWorkplace** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Allows user to change account settings. @@ -14128,22 +17035,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/ConfigureTaskbarCalendar** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale. @@ -14158,23 +17076,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/PageVisibilityList** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:". Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. @@ -14212,23 +17140,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **SmartScreen/EnableAppInstallControl** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store. @@ -14241,23 +17179,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **SmartScreen/EnableSmartScreenInShell** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows. @@ -14270,23 +17218,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **SmartScreen/PreventOverrideForFilesInShell** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files. @@ -14299,23 +17257,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Speech/AllowSpeechModelUpdate** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ + | 1 |
+ 1 |
+ 1 |
+ 1 |
+
Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS). @@ -14328,22 +17296,33 @@ SKU Support: - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Start/ForceStartSize** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether set general purpose device to be in embedded mode. @@ -14871,21 +17883,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes - - **System/AllowExperimentation** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. @@ -14943,22 +17978,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes - - **System/AllowLocation** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether to allow app access to the Location service. @@ -14980,22 +18026,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **System/AllowStorageCard** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. @@ -15010,22 +18067,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **System/AllowTelemetry** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Allow the device to send diagnostic and usage telemetry data, such as Watson. @@ -15095,22 +18163,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **System/AllowUserToResetPhone** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination. @@ -15125,18 +18204,6 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **System/BootStartDriverInitialization** @@ -15159,6 +18226,29 @@ ADMX Info: **System/DisableOneDriveFileSync** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: @@ -15185,19 +18275,6 @@ ADMX Info: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **System/DisableSystemRestore** @@ -15230,6 +18307,29 @@ ADMX Info: **System/TelemetryProxy** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. @@ -15239,22 +18339,33 @@ ADMX Info: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **TextInput/AllowIMELogging** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ 1 |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ 1 |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ 1 |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ 1 |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. @@ -16197,19 +19560,6 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/EngagedRestartDeadline** @@ -16271,6 +19621,29 @@ SKU Support: **Update/ExcludeWUDriversInQualityUpdate** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). @@ -16319,23 +19703,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: No -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/IgnoreMOAppDownloadLimit** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. @@ -16362,23 +19756,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/IgnoreMOUpdateDownloadLimit** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. @@ -16403,23 +19807,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/PauseDeferrals** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ + | 2 |
+ 2 |
+ |
+ 2 |
+
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates. @@ -16500,22 +19936,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/PauseQualityUpdates** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ 1 |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ + | 2 |
+ 2 |
+ |
+ 2 |
+
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates. @@ -16556,22 +20014,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/RequireDeferUpgrade** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
Added in Windows 10, version 1703. For devices in a cart, this policy skips the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. @@ -16792,23 +20305,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/UpdateServiceUrl** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Allow or disallow the device to automatically connect to Wi-Fi hotspots. @@ -16924,22 +20469,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Wifi/AllowInternetSharing** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Allow or disallow internet sharing. @@ -16954,22 +20510,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Wifi/AllowManualWiFiConfiguration** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. @@ -16988,22 +20555,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Wifi/AllowWiFi** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
Allow or disallow WiFi connection. @@ -17018,22 +20596,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Wifi/AllowWiFiDirect** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. Allow WiFi Direct connection.. @@ -17044,23 +20633,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Wifi/WLANScanMode** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ + | |
+ |
+ |
+ |
+
Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. @@ -17074,22 +20673,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace. @@ -17102,22 +20712,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **WindowsInkWorkspace/AllowWindowsInkWorkspace** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace. @@ -17131,18 +20752,6 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **WindowsLogon/DisableLockScreenAppNotifications** @@ -17191,6 +20800,29 @@ ADMX Info: **WindowsLogon/HideFastUserSwitching** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ + | 2 |
+ 2 |
+ |
+ |
+
Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. @@ -17208,22 +20840,33 @@ ADMX Info: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **WirelessDisplay/AllowProjectionFromPC** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC. @@ -17234,23 +20877,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **WirelessDisplay/AllowProjectionFromPCOverInfrastructure** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure. @@ -17261,23 +20914,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **WirelessDisplay/AllowProjectionToPC** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC. @@ -17292,22 +20955,33 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **WirelessDisplay/AllowProjectionToPCOverInfrastructure** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure. @@ -17318,19 +20992,6 @@ SKU Support: - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver** @@ -17342,15 +21003,33 @@ SKU Support: - -SKU Support: -- Can be set using Exchange Active Sync (EAS): No - - **WirelessDisplay/RequirePinForPairing** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ + | 1 |
+ 1 |
+ |
+ |
+
Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing. @@ -17363,23 +21042,92 @@ SKU Support: - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. + + +## IoT Core Support + +[ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) +[Authentication/AllowFastReconnect](#authentication-allowfastreconnect) +[Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) +[Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) +[Bluetooth/LocalDeviceName](#bluetooth-localdevicename) +[Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) +[Browser/AllowAutofill](#browser-allowautofill) +[Browser/AllowBrowser](#browser-allowbrowser) +[Browser/AllowCookies](#browser-allowcookies) +[Browser/AllowDoNotTrack](#browser-allowdonottrack) +[Browser/AllowInPrivate](#browser-allowinprivate) +[Browser/AllowPasswordManager](#browser-allowpasswordmanager) +[Browser/AllowPopups](#browser-allowpopups) +[Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) +[Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) +[Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl) +[Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer) +[Camera/AllowCamera](#camera-allowcamera) +[Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +[Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) +[Connectivity/AllowNFC](#connectivity-allownfc) +[Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) +[Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular) +[Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular) +[DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess) +[Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage) +[Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage) +[Security/RequireDeviceEncryption](#security-requiredeviceencryption) +[Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) +[System/AllowEmbeddedMode](#system-allowembeddedmode) +[System/AllowStorageCard](#system-allowstoragecard) +[System/TelemetryProxy](#system-telemetryproxy) +[Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate) +[Update/AllowUpdateService](#update-allowupdateservice) +[Update/PauseDeferrals](#update-pausedeferrals) +[Update/RequireDeferUpgrade](#update-requiredeferupgrade) +[Update/RequireUpdateApproval](#update-requireupdateapproval) +[Update/ScheduledInstallDay](#update-scheduledinstallday) +[Update/ScheduledInstallTime](#update-scheduledinstalltime) +[Update/UpdateServiceUrl](#update-updateserviceurl) +[Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots) +[Wifi/AllowInternetSharing](#wifi-allowinternetsharing) +[Wifi/AllowWiFi](#wifi-allowwifi) +[Wifi/WLANScanMode](#wifi-wlanscanmode) + + + +## Can be set using Exchange Active Sync (EAS) + +[Browser/AllowBrowser](#browser-allowbrowser) +[Camera/AllowCamera](#camera-allowcamera) +[Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +[Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) +[Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) +[DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) +[DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) +[DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) +[DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration) +[DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) +[DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) +[DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) +[DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) +[DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) +[Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) +[Security/RequireDeviceEncryption](#security-requiredeviceencryption) +[System/AllowStorageCard](#system-allowstoragecard) +[System/TelemetryProxy](#system-telemetryproxy) +[Wifi/AllowInternetSharing](#wifi-allowinternetsharing) +[Wifi/AllowWiFi](#wifi-allowwifi) + + ## Examples diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index b01537fa06..87134c472f 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -73,16 +73,23 @@ MBR2GPT: Validation completed successfully In the following example: -1. The current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0. +1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0. 2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type. 2. The MBR2GPT tool is used to convert disk 0. -3. The DISKPART tool displays that disk 0 is now using the GPT format. +3. The DiskPart tool displays that disk 0 is now using the GPT format. 4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). 5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. >As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly. ``` +X:\>DiskPart + +Microsoft DiskPart version 10.0.15048.0 + +Copyright (C) Microsoft Corporation. +On computer: MININT-K71F13N + DISKPART> list volume Volume ### Ltr Label Fs Type Size Status Info @@ -140,7 +147,7 @@ MBR2GPT: Fixing drive letter mapping MBR2GPT: Conversion completed successfully MBR2GPT: Before the new system can boot properly you need to switch the firmware to boot to UEFI mode! -X:\>diskpart +X:\>DiskPart Microsoft DiskPart version 10.0.15048.0 @@ -364,9 +371,16 @@ You can also view the partition type of a disk by opening the Disk Management to  -If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the diskpart tool. To determine the partition style, type **diskpart** and then type **list disk**. See the following example: +If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example: ``` +X:\>DiskPart + +Microsoft DiskPart version 10.0.15048.0 + +Copyright (C) Microsoft Corporation. +On computer: MININT-K71F13N + DISKPART> list disk Disk ### Status Size Free Dyn Gpt diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 2df47d49ca..18983b1998 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -44,7 +44,7 @@ With Windows Update for Business, you can set a device to be on either the Curre | GPO for version 1607 and above: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel | | GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade | | MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel | -| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**RequireDeferredUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | +| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**RequireDeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | Starting with version 1703, users are able to configure their device's branch readiness level, by going to **Settings > Update & security > Windows Update > Advanced options**. diff --git a/windows/deployment/update/waas-servicing-branches-windows-10-updates.md b/windows/deployment/update/waas-servicing-branches-windows-10-updates.md index 494677a20d..964db9c8fc 100644 --- a/windows/deployment/update/waas-servicing-branches-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-branches-windows-10-updates.md @@ -60,7 +60,7 @@ Current Branch is the default servicing branch for all Windows 10 devices except - In Windows 10, version 1511: - ../Vendor/MSFT/Policy/Config/Update/**RequireDeferredUpgrade** + ../Vendor/MSFT/Policy/Config/Update/**RequireDeferUpgrade** - In Windows 10, version 1607: @@ -70,7 +70,7 @@ Current Branch is the default servicing branch for all Windows 10 devices except - In Windows 10 Mobile Enterprise, version 1511: - ../Vendor/MSFT/Policy/Config/Update/RequireDeferredUpgrade + ../Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade - In Windows 10 Mobile Enterprise, version 1607: