diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 980f6c13e1..c83c0c3811 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -7,11 +7,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/26/2018 +ms.date: 07/03/2018 --- # Policy CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies. diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 7c5fa15587..624c67cddb 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -7,12 +7,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 04/26/2018 +ms.date: 07/03/2018 --- # Policy DDF file - +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **Policy** configuration service provider. DDF files are used only with OMA DM provisioning XML. 
@@ -25,7 +26,7 @@ You can download the DDF files from the links below: - [Download the Policy DDF file for Windows 10, version 1607 release 8C](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) - [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download) -The XML below is the DDF for Windows 10, version 1803. +The XML below is the DDF for Windows 10, next major version. ``` syntax @@ -51,7 +52,7 @@ The XML below is the DDF for Windows 10, version 1803. - com.microsoft/7.0/MDM/Policy + com.microsoft/8.0/MDM/Policy @@ -640,6 +641,34 @@ The XML below is the DDF for Windows 10, version 1803. + + AllowFullScreenMode + + + + + + + + With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. + +If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. + +If disabled, full-screen mode is unavailable for use in Microsoft Edge. + + + + + + + + + + + text/plain + + + AllowInPrivate 
@@ -673,7 +702,7 @@ The XML below is the DDF for Windows 10, version 1803. - This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. + This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. 
@@ -740,6 +769,86 @@ If you disable this setting, the Microsoft Compatibility List will not be used d + + AllowPrelaunch + + + + + + + + Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. + + + + + + + + + + + text/plain + + + + + AllowPrinting + + + + + + + + With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. + +If enabled, printing is allowed. + +If disabled, printing is not allowed. + + + + + + + + + + + text/plain + + + + + AllowSavingHistory + + + + + + + + Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. + +If enabled or not configured, the browsing history is saved and visible in the History pane. + +If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. + + + + + + + + + + + text/plain + + + AllowSearchEngineCustomization @@ -793,6 +902,30 @@ This policy will only apply on domain joined machines or when the device is MDM + + AllowSideloadingOfExtensions + + + + + + + + This setting lets you decide whether employees can sideload extensions in Microsoft Edge. + + + + + + + + + + + text/plain + + + AllowSmartScreen 
@@ -817,6 +950,60 @@ This policy will only apply on domain joined machines or when the device is MDM + + AllowTabPreloading + + + + + + + + Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. + + + + + + + + + + + text/plain + + + + + AllowWebContentOnNewTabPage + + + + + + + + This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. + +If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. + +If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. + +If you don't configure this setting, employees can choose how new tabs appears. + + + + + + + + + + + text/plain + + + AlwaysEnableBooksLibrary @@ -878,7 +1065,7 @@ This policy will only apply on domain joined machines or when the device is MDM If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. -If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. +If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. 
@@ -895,6 +1082,203 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + ConfigureFavoritesBar + + + + + + + + The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. + +If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. + +If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. + +If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. + + + + + + + + + + + text/plain + + + + + ConfigureHomeButton + + + + + + + + The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. + +By default, this policy is disabled or not configured and clicking the home button loads the default Start page. + +When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. + +If Enabled AND: +- Show home button & set to Start page is selected, clicking the home button loads the Start page. +- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. 
+- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. +- Hide home button is selected, the home button is hidden in Microsoft Edge. + +Default setting: Disabled or not configured +Related policies: +- Set Home Button URL +- Unlock Home Button + + + + + + + + + + + text/plain + + + + + ConfigureKioskMode + + + + + + + + Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. + +You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). + +If enabled and set to 0 (Default or not configured): +- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. +- If it’s one of many apps, Microsoft Edge runs as normal. +If enabled and set to 1: +- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. +- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. 
+ + + + + + + + + + + text/plain + + + + + ConfigureKioskResetAfterIdleTimeout + + + + + + + + You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. + +If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. + +If you set this policy to 0, Microsoft Edge does not use an idle timer. + +If disabled or not configured, the default value is 5 minutes. + +If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. + + + + + + + + + + + text/plain + + + + + ConfigureOpenMicrosoftEdgeWith + + + + + + + + You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. + +If enabled, you can choose one of the following options: +- Start page: the Start page loads ignoring the Configure Start Pages policy. +- New tab page: the New tab page loads ignoring the Configure Start Pages policy. +- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. +- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. + +When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. 
+ +If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. + +Default setting: A specific page or pages (default) +Related policies: +-Disable Lockdown of Start Pages +-Configure Start Pages + + + + + + + + + + + text/plain + + + + + ConfigureTelemetryForMicrosoft365Analytics + + + + + + + + Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. + + + + + + + + + + + text/plain + + + DisableLockdownOfStartPages @@ -904,12 +1288,14 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect. + You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. -Note: This policy has no effect when Browser/HomePages is not configured. +If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. -Important -This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). +Supported devices: Domain-joined or MDM-enrolled +Related policy: +- Configure Start Pages +- Configure Open Microsoft Edge With 
@@ -1020,6 +1406,30 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo + + ForceEnabledExtensions + + + + + + + + This setting lets you decide which extensions should be always enabled. + + + + + + + + + + + text/plain + + + HomePages 
@@ -1029,12 +1439,24 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo - Configure the Start page URLs for your employees. -Example: -If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. -Encapsulate each string with greater than and less than characters like any other XML tag. + When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. -Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. +If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: + + <support.contoso.com><support.microsoft.com> + +If disabled or not configured, the webpages specified in App settings loads as the default Start pages. + +Version 1703 or later: +If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. + +Version 1809: +If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. + +Supported devices: Domain-joined or MDM-enrolled +Related policy: +- Configure Open Microsoft Edge With +- Disable Lockdown of Start Pages 
@@ -1060,12 +1482,12 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, you ca This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. 
@@ -1089,7 +1511,35 @@ If you disable or don't configure this setting (default), employees can add, imp - Prevent access to the about:flags page in Microsoft Edge. + Prevent access to the about:flags page in Microsoft Edge. + + + + + + + + + + + text/plain + + + + + PreventCertErrorOverrides + + + + + + + + Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. + +If enabled, overriding certificate errors are not allowed. + +If disabled or not configured, overriding certificate errors are allowed. @@ -1165,7 +1615,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Don't allow Windows Defender SmartScreen warning overrides + Don't allow Windows Defender SmartScreen warning overrides @@ -1189,31 +1639,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Don't allow Windows Defender SmartScreen warning overrides for unverified files. - - - - - - - - - - - text/plain - - - - - PreventTabPreloading - - - - - - - - Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. + Don't allow Windows Defender SmartScreen warning overrides for unverified files. 
@@ -1263,12 +1689,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. -If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. +If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. +If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. 
@@ -1337,6 +1763,66 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + SetHomeButtonURL + + + + + + + + The home button can be configured to load a custom URL when your user clicks the home button. + +If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. + +Default setting: Blank or not configured +Related policy: Configure Home Button + + + + + + + + + + + text/plain + + + + + SetNewTabPageURL + + + + + + + + You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. + +If enabled, you can set the default New Tab page URL. + +If disabled or not configured, the default Microsoft Edge new tab page is used. + +Default setting: Disabled or not configured +Related policy: Allow web content on New Tab page + + + + + + + + + + + text/plain + + + ShowMessageWhenOpeningSitesInInternetExplorer 
@@ -1346,7 +1832,16 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Show message when opening sites in Internet Explorer + You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. + +If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. + +If disabled or not configured, the default app behavior occurs and no additional page displays. + +Default setting: Disabled or not configured +Related policies: +-Configure the Enterprise Mode Site List +-Send all intranet sites to Internet Explorer 11 @@ -1385,6 +1880,39 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + UnlockHomeButton + + + + + + + + By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. + +If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. + +If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. + +Default setting: Disabled or not configured +Related policy: +-Configure Home Button +-Set Home Button URL + + + + + + + + + + + text/plain + + + UseSharedFolderForBooks 
@@ -1578,7 +2106,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - This policy sets user's default printer + This policy sets user's default printer @@ -7882,7 +8410,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Enable/disable kiosk browser's end session button. + Enable/disable kiosk browser's end session button. @@ -7906,7 +8434,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Enable/disable kiosk browser's home button. + Enable/disable kiosk browser's home button. @@ -7930,7 +8458,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Enable/disable kiosk browser's navigation buttons (forward/back). + Enable/disable kiosk browser's navigation buttons (forward/back). @@ -8086,6 +8614,52 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + Security + + + + + + + + + + + + + + + + + + + + + RecoveryEnvironmentAuthentication + + + + + + + + This policy controls the requirement of Admin Authentication in RecoveryEnvironment. + + + + + + + + + + + text/plain + + + + Settings @@ -8131,6 +8705,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + PageVisibilityList + + + + + + + + + + + + + + + + + + + text/plain + + + Start 
@@ -8177,6 +8775,78 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + ForceStartSize + + + + + + + + + + + + + + + + + + + text/plain + + + + + HideAppList + + + + + + + + Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. + + + + + + + + + + + text/plain + + + + + HideFrequentlyUsedApps + + + + + + + + Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. + + + + + + + + + + + text/plain + + + HidePeopleBar @@ -8201,6 +8871,54 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + HideRecentJumplists + + + + + + + + Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. + + + + + + + + + + + text/plain + + + + + HideRecentlyAddedApps + + + + + + + + Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. + + + + + + + + + + + text/plain + + + StartLayout @@ -8949,6 +9667,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on HighestValueMostSecure + + AllowFullScreenMode + + + + + 1 + With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. + +If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. + +If disabled, full-screen mode is unavailable for use in Microsoft Edge. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowFullScreenMode + LowestValueMostSecure + + AllowInPrivate 
@@ -8983,7 +9732,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 1 - This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. + This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. 
@@ -9062,6 +9811,97 @@ If you disable this setting, the Microsoft Compatibility List will not be used d LowestValueMostSecure + + AllowPrelaunch + + + + + 1 + Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowPrelaunch + LowestValueMostSecure + + + + AllowPrinting + + + + + 1 + With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. + +If enabled, printing is allowed. + +If disabled, printing is not allowed. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowPrinting + LowestValueMostSecure + + + + AllowSavingHistory + + + + + 1 + Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. + +If enabled or not configured, the browsing history is saved and visible in the History pane. + +If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowSavingHistory + LowestValueMostSecure + + AllowSearchEngineCustomization 
@@ -9121,6 +9961,34 @@ This policy will only apply on domain joined machines or when the device is MDM LowestValueMostSecure + + AllowSideloadingOfExtensions + + + + + 1 + This setting lets you decide whether employees can sideload extensions in Microsoft Edge. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowSideloadingOfExtensions + LowestValueMostSecure + + AllowSmartScreen @@ -9148,6 +10016,67 @@ This policy will only apply on domain joined machines or when the device is MDM LowestValueMostSecure + + AllowTabPreloading + + + + + 1 + Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowTabPreloading + LowestValueMostSecure + + + + AllowWebContentOnNewTabPage + + + + + 1 + This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. + +If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. + +If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. + +If you don't configure this setting, employees can choose how new tabs appears. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowWebContentOnNewTabPage + LowestValueMostSecure + + AlwaysEnableBooksLibrary 
@@ -9214,7 +10143,7 @@ This policy will only apply on domain joined machines or when the device is MDM If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. -If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. +If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. 
@@ -9237,18 +10166,99 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - DisableLockdownOfStartPages + ConfigureFavoritesBar + + + + + + The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. + +If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. + +If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. + +If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureFavoritesBar + LowestValueMostSecure + + + + ConfigureHomeButton 0 - Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect. + The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. -Note: This policy has no effect when Browser/HomePages is not configured. 
+By default, this policy is disabled or not configured and clicking the home button loads the default Start page. -Important -This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). +When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. + +If Enabled AND: +- Show home button & set to Start page is selected, clicking the home button loads the Start page. +- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. +- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. +- Hide home button is selected, the home button is hidden in Microsoft Edge. + +Default setting: Disabled or not configured +Related policies: +- Set Home Button URL +- Unlock Home Button + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + ConfigureHomeButtonDropdown + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureHomeButton + LastWrite + + + + ConfigureKioskMode + + + + + 0 + Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. + +You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). 
+ +If enabled and set to 0 (Default or not configured): +- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. +- If it’s one of many apps, Microsoft Edge runs as normal. +If enabled and set to 1: +- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. +- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. 
@@ -9264,6 +10274,152 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo phone MicrosoftEdge.admx + ConfigureKioskMode_TextBox + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureKioskMode + LastWrite + + + + ConfigureKioskResetAfterIdleTimeout + + + + + 5 + You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. + +If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. + +If you set this policy to 0, Microsoft Edge does not use an idle timer. + +If disabled or not configured, the default value is 5 minutes. + +If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + ConfigureKioskResetAfterIdleTimeout_TextBox + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureKioskResetAfterIdleTimeout + LastWrite + + + + ConfigureOpenMicrosoftEdgeWith + + + + + 3 + You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. + +If enabled, you can choose one of the following options: +- Start page: the Start page loads ignoring the Configure Start Pages policy. +- New tab page: the New tab page loads ignoring the Configure Start Pages policy. +- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. +- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). 
If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. + +When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. + +If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. + +Default setting: A specific page or pages (default) +Related policies: +-Disable Lockdown of Start Pages +-Configure Start Pages + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + ConfigureOpenEdgeWithListBox + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureOpenEdgeWith + LastWrite + + + + ConfigureTelemetryForMicrosoft365Analytics + + + + + 0 + Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + ZonesListBox + MicrosoftEdge~AT~WindowsComponents~DataCollectionAndPreviewBuilds + ConfigureTelemetryForMicrosoft365Analytics + LowestValueMostSecure + + + + DisableLockdownOfStartPages + + + + + 0 + You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. + +If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. 
+ +Supported devices: Domain-joined or MDM-enrolled +Related policy: +- Configure Start Pages +- Configure Open Microsoft Edge With + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + DisableLockdownOfStartPagesListBox MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge DisableLockdownOfStartPages LowestValueMostSecure @@ -9372,6 +10528,34 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo LastWrite + + ForceEnabledExtensions + + + + + + This setting lets you decide which extensions should be always enabled. + + + + + + + + + + + text/plain + + phone + MicrosoftEdge.admx + ForceEnabledExtensions_List + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ForceEnabledExtensions + LastWrite + + HomePages 
@@ -9379,12 +10563,24 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo - Configure the Start page URLs for your employees. -Example: -If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. -Encapsulate each string with greater than and less than characters like any other XML tag. + When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. -Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. +If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: + + <support.contoso.com><support.microsoft.com> + +If disabled or not configured, the webpages specified in App settings loads as the default Start pages. + +Version 1703 or later: +If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. + +Version 1809: +If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. + +Supported devices: Domain-joined or MDM-enrolled +Related policy: +- Configure Open Microsoft Edge With +- Disable Lockdown of Start Pages 
@@ -9414,12 +10610,12 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, you ca 0 This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. @@ -9446,7 +10642,7 @@ If you disable or don't configure this setting (default), employees can add, imp 0 - Prevent access to the about:flags page in Microsoft Edge. + Prevent access to the about:flags page in Microsoft Edge. 
@@ -9466,6 +10662,37 @@ If you disable or don't configure this setting (default), employees can add, imp HighestValueMostSecure + + PreventCertErrorOverrides + + + + + 0 + Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. + +If enabled, overriding certificate errors are not allowed. + +If disabled or not configured, overriding certificate errors are allowed. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + PreventCertErrorOverrides + HighestValueMostSecure + + PreventFirstRunPage @@ -9532,7 +10759,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 0 - Don't allow Windows Defender SmartScreen warning overrides + Don't allow Windows Defender SmartScreen warning overrides @@ -9559,7 +10786,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 0 - Don't allow Windows Defender SmartScreen warning overrides for unverified files. + Don't allow Windows Defender SmartScreen warning overrides for unverified files. @@ -9579,34 +10806,6 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on HighestValueMostSecure - - PreventTabPreloading - - - - - 0 - Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventTabPreloading - HighestValueMostSecure - - PreventUsingLocalHostIPAddressForWebRTC 
@@ -9643,12 +10842,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. -If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. +If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. +If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. 
@@ -9729,6 +10928,74 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LastWrite + + SetHomeButtonURL + + + + + + The home button can be configured to load a custom URL when your user clicks the home button. + +If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. + +Default setting: Blank or not configured +Related policy: Configure Home Button + + + + + + + + + + + text/plain + + phone + MicrosoftEdge.admx + SetHomeButtonURLPrompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + SetHomeButtonURL + LastWrite + + + + SetNewTabPageURL + + + + + + You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. + +If enabled, you can set the default New Tab page URL. + +If disabled or not configured, the default Microsoft Edge new tab page is used. + +Default setting: Disabled or not configured +Related policy: Allow web content on New Tab page + + + + + + + + + + + text/plain + + phone + MicrosoftEdge.admx + SetNewTabPageURLPrompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + SetNewTabPageURL + LastWrite + + ShowMessageWhenOpeningSitesInInternetExplorer 
@@ -9736,7 +11003,16 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 0 - Show message when opening sites in Internet Explorer + You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. + +If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. + +If disabled or not configured, the default app behavior occurs and no additional page displays. + +Default setting: Disabled or not configured +Related policies: +-Configure the Enterprise Mode Site List +-Send all intranet sites to Internet Explorer 11 @@ -9749,7 +11025,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - + phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge 
@@ -9785,6 +11061,43 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LowestValueMostSecure + + UnlockHomeButton + + + + + 0 + By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. + +If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. + +If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. + +Default setting: Disabled or not configured +Related policy: +-Configure Home Button +-Set Home Button URL + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + UnlockHomeButton + LowestValueMostSecure + + UseSharedFolderForBooks @@ -9982,7 +11295,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - This policy sets user's default printer + This policy sets user's default printer @@ -17018,7 +18331,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 0 - Enable/disable kiosk browser's end session button. + Enable/disable kiosk browser's end session button. @@ -17043,7 +18356,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 0 - Enable/disable kiosk browser's home button. + Enable/disable kiosk browser's home button. @@ -17068,7 +18381,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 0 - Enable/disable kiosk browser's navigation buttons (forward/back). + Enable/disable kiosk browser's navigation buttons (forward/back). 
@@ -17233,6 +18546,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + Security + + + + + + + + + + + + + + + + + + + RecoveryEnvironmentAuthentication + + + + + 0 + This policy controls the requirement of Admin Authentication in RecoveryEnvironment. + + + + + + + + + + + text/plain + + + phone + LastWrite + + + Settings @@ -17279,6 +18637,33 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LastWrite + + PageVisibilityList + + + + + + + + + + + + + + + + + text/plain + + ControlPanel.admx + SettingsPageVisibilityBox + ControlPanel~AT~ControlPanel + SettingsPageVisibility + LastWrite + + Start @@ -17327,6 +18712,87 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LowestValueMostSecure + + ForceStartSize + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + StartMenu.admx + StartMenu~AT~StartMenu + ForceStartSize + LastWrite + + + + HideAppList + + + + + 0 + Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. + + + + + + + + + + + text/plain + + + phone + LastWrite + + + + HideFrequentlyUsedApps + + + + + 0 + Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. + + + + + + + + + + + text/plain + + + phone + StartMenu.admx + StartMenu~AT~StartMenu + NoFrequentUsedPrograms + LowestValueMostSecure + + HidePeopleBar 
@@ -17355,6 +18821,62 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LowestValueMostSecure + + HideRecentJumplists + + + + + 0 + Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. + + + + + + + + + + + text/plain + + + phone + StartMenu.admx + StartMenu~AT~StartMenu + NoRecentDocsHistory + LowestValueMostSecure + + + + HideRecentlyAddedApps + + + + + 0 + Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. + + + + + + + + + + + text/plain + + + phone + StartMenu.admx + StartMenu~AT~StartMenu + HideRecentlyAddedApps + LowestValueMostSecure + + StartLayout @@ -17497,7 +19019,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - com.microsoft/7.0/MDM/Policy + com.microsoft/8.0/MDM/Policy @@ -18177,6 +19699,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + LaunchAppAfterLogOn + + + + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are to be launched after logon. + + + + + + + + + + + text/plain + + + MSIAllowUserControlOverInstall @@ -18297,6 +19843,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + ScheduleForceRestartForUpdateFailures + + + + + + + + + + + + + + + + + + + text/plain + + + AppRuntime 
@@ -19131,6 +20701,78 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + EnableFastFirstSignIn + + + + + + + + Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts + + + + + + + + + + + text/plain + + + + + EnableWebSignIn + + + + + + + + Specifies whether web-based sign in is allowed for logging in to Windows + + + + + + + + + + + text/plain + + + + + PreferredAadTenantDomainName + + + + + + + + Specifies the preferred domain among available domains in the AAD tenant. + + + + + + + + + + + text/plain + + + Autoplay @@ -19272,6 +20914,172 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + BITS + + + + + + + + + + + + + + + + + + + + + BandwidthThrottlingEndTime + + + + + + + + + + + + + + + + + + + text/plain + + + + + BandwidthThrottlingStartTime + + + + + + + + + + + + + + + + + + + text/plain + + + + + BandwidthThrottlingTransferRate + + + + + + + + + + + + + + + + + + + text/plain + + + + + CostedNetworkBehaviorBackgroundPriority + + + + + + + + + + + + + + + + + + + text/plain + + + + + CostedNetworkBehaviorForegroundPriority + + + + + + + + + + + + + + + + + + + text/plain + + + + + JobInactivityTimeout + + + + + + + + + + + + + + + + + + + text/plain + + + + Bluetooth @@ -19699,6 +21507,34 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + AllowFullScreenMode + + + + + + + + With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. + +If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. + +If disabled, full-screen mode is unavailable for use in Microsoft Edge. + + + + + + + + + + + text/plain + + + AllowInPrivate 
@@ -19732,7 +21568,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. + This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. 
@@ -19799,6 +21635,86 @@ If you disable this setting, the Microsoft Compatibility List will not be used d + + AllowPrelaunch + + + + + + + + Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. + + + + + + + + + + + text/plain + + + + + AllowPrinting + + + + + + + + With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. + +If enabled, printing is allowed. + +If disabled, printing is not allowed. + + + + + + + + + + + text/plain + + + + + AllowSavingHistory + + + + + + + + Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. + +If enabled or not configured, the browsing history is saved and visible in the History pane. + +If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. + + + + + + + + + + + text/plain + + + AllowSearchEngineCustomization @@ -19852,6 +21768,30 @@ This policy will only apply on domain joined machines or when the device is MDM + + AllowSideloadingOfExtensions + + + + + + + + This setting lets you decide whether employees can sideload extensions in Microsoft Edge. + + + + + + + + + + + text/plain + + + AllowSmartScreen 
@@ -19876,6 +21816,60 @@ This policy will only apply on domain joined machines or when the device is MDM + + AllowTabPreloading + + + + + + + + Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. + + + + + + + + + + + text/plain + + + + + AllowWebContentOnNewTabPage + + + + + + + + This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. + +If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. + +If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. + +If you don't configure this setting, employees can choose how new tabs appears. + + + + + + + + + + + text/plain + + + AlwaysEnableBooksLibrary @@ -19937,7 +21931,7 @@ This policy will only apply on domain joined machines or when the device is MDM If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. -If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. +If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. 
@@ -19954,6 +21948,203 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + ConfigureFavoritesBar + + + + + + + + The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. + +If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. + +If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. + +If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. + + + + + + + + + + + text/plain + + + + + ConfigureHomeButton + + + + + + + + The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. + +By default, this policy is disabled or not configured and clicking the home button loads the default Start page. + +When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. + +If Enabled AND: +- Show home button & set to Start page is selected, clicking the home button loads the Start page. +- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. 
+- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. +- Hide home button is selected, the home button is hidden in Microsoft Edge. + +Default setting: Disabled or not configured +Related policies: +- Set Home Button URL +- Unlock Home Button + + + + + + + + + + + text/plain + + + + + ConfigureKioskMode + + + + + + + + Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. + +You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). + +If enabled and set to 0 (Default or not configured): +- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. +- If it’s one of many apps, Microsoft Edge runs as normal. +If enabled and set to 1: +- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. +- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. 
+ + + + + + + + + + + text/plain + + + + + ConfigureKioskResetAfterIdleTimeout + + + + + + + + You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. + +If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. + +If you set this policy to 0, Microsoft Edge does not use an idle timer. + +If disabled or not configured, the default value is 5 minutes. + +If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. + + + + + + + + + + + text/plain + + + + + ConfigureOpenMicrosoftEdgeWith + + + + + + + + You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. + +If enabled, you can choose one of the following options: +- Start page: the Start page loads ignoring the Configure Start Pages policy. +- New tab page: the New tab page loads ignoring the Configure Start Pages policy. +- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. +- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. + +When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. 
+ +If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. + +Default setting: A specific page or pages (default) +Related policies: +-Disable Lockdown of Start Pages +-Configure Start Pages + + + + + + + + + + + text/plain + + + + + ConfigureTelemetryForMicrosoft365Analytics + + + + + + + + Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. + + + + + + + + + + + text/plain + + + DisableLockdownOfStartPages @@ -19963,12 +22154,14 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect. + You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. -Note: This policy has no effect when Browser/HomePages is not configured. +If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. -Important -This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). +Supported devices: Domain-joined or MDM-enrolled +Related policy: +- Configure Start Pages +- Configure Open Microsoft Edge With 
@@ -20079,6 +22272,30 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo + + ForceEnabledExtensions + + + + + + + + This setting lets you decide which extensions should be always enabled. + + + + + + + + + + + text/plain + + + HomePages 
@@ -20088,12 +22305,24 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo - Configure the Start page URLs for your employees. -Example: -If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. -Encapsulate each string with greater than and less than characters like any other XML tag. + When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. -Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. +If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: + + <support.contoso.com><support.microsoft.com> + +If disabled or not configured, the webpages specified in App settings loads as the default Start pages. + +Version 1703 or later: +If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. + +Version 1809: +If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. + +Supported devices: Domain-joined or MDM-enrolled +Related policy: +- Configure Open Microsoft Edge With +- Disable Lockdown of Start Pages 
@@ -20119,12 +22348,12 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, you ca This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. 
@@ -20148,7 +22377,35 @@ If you disable or don't configure this setting (default), employees can add, imp - Prevent access to the about:flags page in Microsoft Edge. + Prevent access to the about:flags page in Microsoft Edge. + + + + + + + + + + + text/plain + + + + + PreventCertErrorOverrides + + + + + + + + Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. + +If enabled, overriding certificate errors are not allowed. + +If disabled or not configured, overriding certificate errors are allowed. @@ -20224,7 +22481,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Don't allow Windows Defender SmartScreen warning overrides + Don't allow Windows Defender SmartScreen warning overrides @@ -20248,31 +22505,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Don't allow Windows Defender SmartScreen warning overrides for unverified files. - - - - - - - - - - - text/plain - - - - - PreventTabPreloading - - - - - - - - Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. + Don't allow Windows Defender SmartScreen warning overrides for unverified files. 
@@ -20322,12 +22555,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. -If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. +If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. +If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. 
@@ -20396,6 +22629,66 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + SetHomeButtonURL + + + + + + + + The home button can be configured to load a custom URL when your user clicks the home button. + +If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. + +Default setting: Blank or not configured +Related policy: Configure Home Button + + + + + + + + + + + text/plain + + + + + SetNewTabPageURL + + + + + + + + You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. + +If enabled, you can set the default New Tab page URL. + +If disabled or not configured, the default Microsoft Edge new tab page is used. + +Default setting: Disabled or not configured +Related policy: Allow web content on New Tab page + + + + + + + + + + + text/plain + + + ShowMessageWhenOpeningSitesInInternetExplorer 
@@ -20405,7 +22698,16 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Show message when opening sites in Internet Explorer + You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. + +If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. + +If disabled or not configured, the default app behavior occurs and no additional page displays. + +Default setting: Disabled or not configured +Related policies: +-Configure the Enterprise Mode Site List +-Send all intranet sites to Internet Explorer 11 @@ -20444,6 +22746,39 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + UnlockHomeButton + + + + + + + + By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. + +If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. + +If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. + +Default setting: Disabled or not configured +Related policy: +-Configure Home Button +-Set Home Button URL + + + + + + + + + + + text/plain + + + UseSharedFolderForBooks 
@@ -21064,10 +23399,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + - If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC + If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC. Setting the value to 0 (zero) or deleting the policy will remove the GP policy blocks restore the saved GP policies. @@ -21908,6 +24244,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + CheckForSignaturesBeforeRunningScan + + + + + + + + + + + + + + + + + + + text/plain + + + CloudBlockLevel @@ -22028,6 +24388,54 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DisableCatchupFullScan + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableCatchupQuickScan + + + + + + + + + + + + + + + + + + + text/plain + + + EnableControlledFolderAccess @@ -22052,6 +24460,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + EnableLowCPUPriority + + + + + + + + + + + + + + + + + + + text/plain + + + EnableNetworkProtection @@ -22292,6 +24724,54 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + SignatureUpdateFallbackOrder + + + + + + + + + + + + + + + + + + + text/plain + + + + + SignatureUpdateFileSharesSources + + + + + + + + + + + + + + + + + + + text/plain + + + SignatureUpdateInterval @@ -22434,6 +24914,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DOCacheHost + + + + + + + + + + + + + + + + + + + text/plain + + + DODelayBackgroundDownloadFromHttp 
@@ -22984,6 +25488,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + EnableSystemGuard + + + + + + + + Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch. + + + + + + + + + + + text/plain + + + EnableVirtualizationBasedSecurity @@ -23078,6 +25606,102 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + AllowInstallationOfMatchingDeviceIDs + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowInstallationOfMatchingDeviceSetupClasses + + + + + + + + + + + + + + + + + + + text/plain + + + + + PreventDeviceMetadataFromNetwork + + + + + + + + + + + + + + + + + + + text/plain + + + + + PreventInstallationOfDevicesNotDescribedByOtherPolicySettings + + + + + + + + + + + + + + + + + + + text/plain + + + PreventInstallationOfMatchingDeviceIDs @@ -23727,6 +26351,52 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + DmaGuard + + + + + + + + + + + + + + + + + + + + + DeviceEnumerationPolicy + + + + + + + + + + + + + + + + + + + text/plain + + + + ErrorReporting @@ -24008,6 +26678,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + AllowClipboardHistory + + + + + + + + Allows history of clipboard items to be stored in memory. + + + + + + + + + + + text/plain + + + AllowCopyPaste 
@@ -24368,6 +27062,58 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + DoNotSyncBrowserSetting + + + + + + + + You can configure Microsoft Edge, when enabled, to prevent the "browser" group from using the Sync your Settings option to sync information, such as history and favorites, between user's devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. + Related policy: PreventUsersFromTurningOnBrowserSyncing + 0 (default) = allow syncing, 2 = disable syncing + + + + + + + + + + + text/plain + + + + + PreventUsersFromTurningOnBrowserSyncing + + + + + + + + You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. + Related policy: DoNotSyncBrowserSetting + 1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing + + + + + + + + + + + text/plain + + + ExploitGuard 
@@ -30572,6 +33318,32 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + UPNNameHints + + + + + + + + Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. + + This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. + + + + + + + + + + + text/plain + + + KioskBrowser @@ -30675,7 +33447,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - Enable/disable kiosk browser's end session button. + Enable/disable kiosk browser's end session button. @@ -30699,7 +33471,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - Enable/disable kiosk browser's home button. + Enable/disable kiosk browser's home button. @@ -30723,7 +33495,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - Enable/disable kiosk browser's navigation buttons (forward/back). + Enable/disable kiosk browser's navigation buttons (forward/back). 
@@ -30911,9 +33683,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor This policy setting prevents users from adding new Microsoft accounts on this computer. -If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. +If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. -If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. +If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. 
@@ -31002,7 +33774,7 @@ Note: If the Guest account is disabled and the security option Network Access: S Accounts: Limit local account use of blank passwords to console logon only -This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. +This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. Default: Enabled. @@ -31069,7 +33841,7 @@ Default: Administrator. Accounts: Rename guest account -This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. +This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. Default: Guest. 
@@ -31210,118 +33982,6 @@ Default: This policy is not defined and CD-ROM access is not restricted to the l - - DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways - - - - - - - - Domain member: Digitally encrypt or sign secure channel data (always) - -This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. - -This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: - -Domain member: Digitally encrypt secure channel data (when possible) -Domain member: Digitally sign secure channel data (when possible) - -Default: Enabled. - -Notes: - -If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. 
-If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. -Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not. - - - - - - - - - - - text/plain - - - - - DomainMember_DigitallyEncryptSecureChannelDataWhenPossible - - - - - - - - Domain member: Digitally encrypt secure channel data (when possible) - -This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc. - -This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption. - -Default: Enabled. - -Important - -There is no known reason for disabling this setting. 
Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted. - -Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains. - - - - - - - - - - - text/plain - - - - - DomainMember_DisableMachineAccountPasswordChanges - - - - - - - - Domain member: Disable machine account password changes - -Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. - -Default: Disabled. - -Notes - -This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions. -This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names. - - - - - - - - - - - text/plain - - - InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked 
@@ -31358,7 +34018,7 @@ Do not display user information (3) - Interactive logon: Don't display last signed-in + Interactive logon: Don't display last signed-in This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. If this policy is enabled, the username will not be shown. @@ -31388,7 +34048,7 @@ Default: Disabled. - Interactive logon: Don't display username at sign-in + Interactive logon: Don't display username at sign-in This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. If this policy is enabled, the username will not be shown. @@ -31422,7 +34082,7 @@ Default: Disabled. This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. -If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. +If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. 
@@ -31573,6 +34233,52 @@ On Windows Vista and above: For this setting to work, the Smart Card Removal Pol + + MicrosoftNetworkClient_DigitallySignCommunicationsAlways + + + + + + + + Microsoft network client: Digitally sign communications (always) + +This security setting determines whether packet signing is required by the SMB client component. + +The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. + +If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. + +Default: Disabled. + +Important + +For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). + +Notes + +All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. 
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. +For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. + + + + + + + + + + + text/plain + + + MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees @@ -31910,6 +34616,44 @@ This policy is supported on at least Windows Server 2016. + + NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM + + + + + + + + Network security: Allow Local System to use computer identity for NTLM + +This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. + +If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. + +If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. + +By default, this policy is enabled on Windows 7 and above. + +By default, this policy is disabled on Windows Vista. + +This policy is supported on at least Windows Vista or Windows Server 2008. + +Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. + + + + + + + + + + + text/plain + + + NetworkSecurity_AllowPKU2UAuthenticationRequests 
@@ -32021,6 +34765,41 @@ Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send + + NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients + + + + + + + + Network security: Minimum session security for NTLM SSP based (including secure RPC) clients + +This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: + +Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated. +Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. + +Default: + +Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. + +Windows 7 and Windows Server 2008 R2: Require 128-bit encryption + + + + + + + + + + + text/plain + + + NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers @@ -32067,7 +34846,7 @@ Windows 7 and Windows Server 2008 R2: Require 128-bit encryption Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication -This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. +This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. 
@@ -32101,15 +34880,15 @@ The naming format for servers on this exception list is the fully qualified doma This policy setting allows you to audit incoming NTLM traffic. -If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. +If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. -If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. +If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. -If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. +If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
@@ -32137,15 +34916,15 @@ Note: Audit events are recorded on this computer in the "Operational" Log locate This policy setting allows you to deny or allow incoming NTLM traffic. -If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. +If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. -If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. +If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. -If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. +If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
@@ -32173,15 +34952,15 @@ Note: Block events are recorded on this computer in the "Operational" Log locate This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. -If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. +If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. -If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. +If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. -If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. +If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
+Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -32274,9 +35053,9 @@ Default: Disabled. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. -• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. +• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. -• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. +• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. 
@@ -32308,15 +35087,15 @@ The options are: • Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. -• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. 
If the user selects Permit, the operation continues with the user's highest available privilege. -• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. @@ -32509,13 +35288,13 @@ The options are: User Account Control: Switch to the secure desktop when prompting for elevation -This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. +This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: • Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. -• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. +• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. @@ -32787,7 +35566,7 @@ The options are: - This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. + This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. 
@@ -33772,6 +36551,30 @@ The options are: + + AllowCrossDeviceClipboard + + + + + + + + Allows syncing of Clipboard across devices under the same Microsoft account. + + + + + + + + + + + text/plain + + + AllowInputPersonalization @@ -35365,7 +38168,7 @@ The options are: - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. @@ -35653,7 +38456,7 @@ The options are: - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -35677,7 +38480,7 @@ The options are: - Allows apps/system to publish 'User Activities' into ActivityFeed. + Allows apps/system to publish 'User Activities' into ActivityFeed. @@ -35701,7 +38504,7 @@ The options are: - Allows ActivityFeed to upload published 'User Activities'. + Allows ActivityFeed to upload published 'User Activities'. 
@@ -37237,6 +40040,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + RecoveryEnvironmentAuthentication + + + + + + + + This policy controls the requirement of Admin Authentication in RecoveryEnvironment. + + + + + + + + + + + text/plain + + + RequireDeviceEncryption @@ -38126,7 +40953,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. + Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. @@ -38174,7 +41001,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. + Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. @@ -38198,7 +41025,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - Enabling this policy hides "Lock" from appearing in the user tile in the start menu. + Enabling this policy hides "Lock" from appearing in the user tile in the start menu. @@ -38294,7 +41121,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. + Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. @@ -38318,7 +41145,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. + Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. 
@@ -38342,7 +41169,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. + Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. @@ -38366,7 +41193,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - Enabling this policy hides "Sleep" from appearing in the power button in the start menu. + Enabling this policy hides "Sleep" from appearing in the power button in the start menu. @@ -38390,7 +41217,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. + Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. @@ -38571,6 +41398,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + RemovableDiskDenyWriteAccess + + + + + + + + If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." + + + + + + + + + + + text/plain + + + System @@ -38809,6 +41660,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + ConfigureMicrosoft365UploadEndpoint + + + + + + + + + + + + + + + + + + + text/plain + + + ConfigureTelemetryOptInChangeNotification 
@@ -38857,6 +41732,54 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + DisableDeviceDelete + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableDiagnosticDataViewer + + + + + + + + + + + + + + + + + + + text/plain + + + DisableEnterpriseAuthProxy 
@@ -38962,7 +41885,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting. + This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. 
Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting. @@ -39032,7 +41955,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -39056,7 +41979,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -39080,7 +42003,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. 
@@ -39104,7 +42027,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -39128,7 +42051,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -39152,7 +42075,53 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + + + + + text/plain + + + + + + TaskManager + + + + + + + + + + + + + + + + + + + + + AllowEndTask + + + + + + + + This setting determines whether non-administrators can use Task Manager to end tasks - enabled (1) or disabled (0). Default: enabled @@ -40071,6 +43040,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + AutoRestartDeadlinePeriodInDaysForFeatureUpdates + + + + + + + + + + + + + + + + + + + text/plain + + + AutoRestartNotificationSchedule @@ -40335,6 +43328,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + EngagedRestartDeadlineForFeatureUpdates + + + + + + + + + + + + + + + + + + + text/plain + + + EngagedRestartSnoozeSchedule @@ -40359,6 +43376,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + EngagedRestartSnoozeScheduleForFeatureUpdates + + + + + + + + + + + + + + + + + + + text/plain + + + EngagedRestartTransitionSchedule 
@@ -40383,6 +43424,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + EngagedRestartTransitionScheduleForFeatureUpdates + + + + + + + + + + + + + + + + + + + text/plain + + + ExcludeWUDriversInQualityUpdate @@ -40935,6 +44000,54 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + SetDisablePauseUXAccess + + + + + + + + + + + + + + + + + + + text/plain + + + + + SetDisableUXWUAccess + + + + + + + + + + + + + + + + + + + text/plain + + + SetEDURestart @@ -40959,6 +44072,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + UpdateNotificationKioskMode + + + + + + + + + + + + + + + + + + + text/plain + + + UpdateServiceUrl @@ -41038,7 +44175,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. + This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. 
@@ -41182,7 +44319,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users. + This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users. 
@@ -41254,7 +44391,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. + This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. 
@@ -41446,7 +44583,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. + Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. 
Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 1) The access token that is being impersonated is for this user. 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. 3) The requested level is less than Impersonate, such as Anonymous or Identify. @@ -42035,6 +45172,30 @@ Because of these factors, users do not usually need this user right. Warning: If + + DisableClearTpmButton + + + + + + + + + + + + + + + + + + + text/plain + + + DisableDeviceSecurityUI @@ -42179,6 +45340,30 @@ Because of these factors, users do not usually need this user right. Warning: If + + DisableTpmFirmwareUpdateWarning + + + + + + + + + + + + + + + + + + + text/plain + + + DisableVirusUI @@ -42371,6 +45556,30 @@ Because of these factors, users do not usually need this user right. Warning: If + + HideWindowsSecurityNotificationAreaControl + + + + + + + + + + + + + + + + + + + text/plain + + + Phone @@ -42809,7 +46018,7 @@ Because of these factors, users do not usually need this user right. Warning: If This policy setting allows you to turn off projection to a PC - If you set it to 0, your PC isn't discoverable and can't be projected to + If you set it to 0, your PC isn't discoverable and can't be projected to If you set it to 1, your PC is discoverable and can be projected to above the lock screen only. The user has an option to turn it always on or off except for manual launch, too. 
@@ -42835,7 +46044,7 @@ Because of these factors, users do not usually need this user right. Warning: If This policy setting allows you to turn off projection to a PC over infrastructure. - If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. + If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. If you set it to 1, your PC can be discoverable and can be projected to over infrastructure. @@ -42885,8 +46094,9 @@ Because of these factors, users do not usually need this user right. Warning: If This policy setting allows you to require a pin for pairing. - If you turn this on, the pairing ceremony for new devices will always require a PIN - If you turn it off or don't configure it, a pin isn't required for pairing. + If you set this to 0, a pin isn't required for pairing. + If you set this to 1, the pairing ceremony for new devices will always require a PIN. + If you set this to 2, all pairings will require PIN. @@ -43486,6 +46696,29 @@ Because of these factors, users do not usually need this user right. Warning: If LowestValueMostSecure + + LaunchAppAfterLogOn + + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are to be launched after logon. + + + + + + + + + + + text/plain + + LastWrite + + MSIAllowUserControlOverInstall @@ -43623,6 +46856,62 @@ Because of these factors, users do not usually need this user right. Warning: If LowestValueMostSecure + + ScheduleForceRestartForUpdateFailures + + + + + + + + + + + + + + + + + text/plain + + LastWrite + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +]]> + + AppRuntime 
@@ -44542,6 +47831,79 @@ Because of these factors, users do not usually need this user right. Warning: If LowestValueMostSecure + + EnableFastFirstSignIn + + + + + 0 + Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts + + + + + + + + + + + text/plain + + + phone + LastWrite + + + + EnableWebSignIn + + + + + 0 + Specifies whether web-based sign in is allowed for logging in to Windows + + + + + + + + + + + text/plain + + + phone + LastWrite + + + + PreferredAadTenantDomainName + + + + + + Specifies the preferred domain among available domains in the AAD tenant. + + + + + + + + + + + text/plain + + LastWrite + + Autoplay 
@@ -44688,6 +48050,194 @@ Because of these factors, users do not usually need this user right. Warning: If + + BITS + + + + + + + + + + + + + + + + + + + BandwidthThrottlingEndTime + + + + + 17 + + + + + + + + + + + + text/plain + + + Bits.admx + BITS_BandwidthLimitSchedTo + Bits~AT~Network~BITS + BITS_MaxBandwidth + LastWrite + + + + BandwidthThrottlingStartTime + + + + + 8 + + + + + + + + + + + + text/plain + + + Bits.admx + BITS_BandwidthLimitSchedFrom + Bits~AT~Network~BITS + BITS_MaxBandwidth + LastWrite + + + + BandwidthThrottlingTransferRate + + + + + 1000 + + + + + + + + + + + + text/plain + + + Bits.admx + BITS_MaxTransferRateText + Bits~AT~Network~BITS + BITS_MaxBandwidth + LastWrite + + + + CostedNetworkBehaviorBackgroundPriority + + + + + 1 + + + + + + + + + + + + text/plain + + + Bits.admx + BITS_TransferPolicyNormalPriorityValue + Bits~AT~Network~BITS + BITS_SetTransferPolicyOnCostedNetwork + LastWrite + + + + CostedNetworkBehaviorForegroundPriority + + + + + 1 + + + + + + + + + + + + text/plain + + + Bits.admx + BITS_TransferPolicyForegroundPriorityValue + Bits~AT~Network~BITS + BITS_SetTransferPolicyOnCostedNetwork + LastWrite + + + + JobInactivityTimeout + + + + + 90 + + + + + + + + + + + + text/plain + + + Bits.admx + BITS_Job_Timeout_Time + Bits~AT~Network~BITS + BITS_Job_Timeout + LastWrite + + + Bluetooth 
@@ -45140,6 +48690,37 @@ Because of these factors, users do not usually need this user right. Warning: If HighestValueMostSecure + + AllowFullScreenMode + + + + + 1 + With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. + +If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. + +If disabled, full-screen mode is unavailable for use in Microsoft Edge. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowFullScreenMode + LowestValueMostSecure + + AllowInPrivate 
@@ -45174,7 +48755,7 @@ Because of these factors, users do not usually need this user right. Warning: If 1 - This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. + This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. 
@@ -45253,6 +48834,97 @@ If you disable this setting, the Microsoft Compatibility List will not be used d LowestValueMostSecure + + AllowPrelaunch + + + + + 1 + Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowPrelaunch + LowestValueMostSecure + + + + AllowPrinting + + + + + 1 + With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. + +If enabled, printing is allowed. + +If disabled, printing is not allowed. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowPrinting + LowestValueMostSecure + + + + AllowSavingHistory + + + + + 1 + Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. + +If enabled or not configured, the browsing history is saved and visible in the History pane. + +If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowSavingHistory + LowestValueMostSecure + + AllowSearchEngineCustomization 
@@ -45312,6 +48984,34 @@ This policy will only apply on domain joined machines or when the device is MDM LowestValueMostSecure + + AllowSideloadingOfExtensions + + + + + 1 + This setting lets you decide whether employees can sideload extensions in Microsoft Edge. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowSideloadingOfExtensions + LowestValueMostSecure + + AllowSmartScreen @@ -45339,6 +49039,67 @@ This policy will only apply on domain joined machines or when the device is MDM LowestValueMostSecure + + AllowTabPreloading + + + + + 1 + Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowTabPreloading + LowestValueMostSecure + + + + AllowWebContentOnNewTabPage + + + + + 1 + This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. + +If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. + +If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. + +If you don't configure this setting, employees can choose how new tabs appears. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowWebContentOnNewTabPage + LowestValueMostSecure + + AlwaysEnableBooksLibrary 
@@ -45405,7 +49166,7 @@ This policy will only apply on domain joined machines or when the device is MDM If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. -If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. +If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. 
@@ -45428,18 +49189,99 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - DisableLockdownOfStartPages + ConfigureFavoritesBar + + + + + + The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. + +If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. + +If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. + +If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureFavoritesBar + LowestValueMostSecure + + + + ConfigureHomeButton 0 - Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect. + The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. -Note: This policy has no effect when Browser/HomePages is not configured. 
+By default, this policy is disabled or not configured and clicking the home button loads the default Start page. -Important -This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). +When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. + +If Enabled AND: +- Show home button & set to Start page is selected, clicking the home button loads the Start page. +- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. +- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. +- Hide home button is selected, the home button is hidden in Microsoft Edge. + +Default setting: Disabled or not configured +Related policies: +- Set Home Button URL +- Unlock Home Button + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + ConfigureHomeButtonDropdown + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureHomeButton + LastWrite + + + + ConfigureKioskMode + + + + + 0 + Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. + +You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). 
+ +If enabled and set to 0 (Default or not configured): +- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. +- If it’s one of many apps, Microsoft Edge runs as normal. +If enabled and set to 1: +- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. +- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. 
@@ -45455,6 +49297,152 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo phone MicrosoftEdge.admx + ConfigureKioskMode_TextBox + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureKioskMode + LastWrite + + + + ConfigureKioskResetAfterIdleTimeout + + + + + 5 + You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. + +If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. + +If you set this policy to 0, Microsoft Edge does not use an idle timer. + +If disabled or not configured, the default value is 5 minutes. + +If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + ConfigureKioskResetAfterIdleTimeout_TextBox + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureKioskResetAfterIdleTimeout + LastWrite + + + + ConfigureOpenMicrosoftEdgeWith + + + + + 3 + You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. + +If enabled, you can choose one of the following options: +- Start page: the Start page loads ignoring the Configure Start Pages policy. +- New tab page: the New tab page loads ignoring the Configure Start Pages policy. +- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. +- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). 
If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. + +When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. + +If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. + +Default setting: A specific page or pages (default) +Related policies: +-Disable Lockdown of Start Pages +-Configure Start Pages + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + ConfigureOpenEdgeWithListBox + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureOpenEdgeWith + LastWrite + + + + ConfigureTelemetryForMicrosoft365Analytics + + + + + 0 + Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + ZonesListBox + MicrosoftEdge~AT~WindowsComponents~DataCollectionAndPreviewBuilds + ConfigureTelemetryForMicrosoft365Analytics + LowestValueMostSecure + + + + DisableLockdownOfStartPages + + + + + 0 + You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. + +If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. 
+ +Supported devices: Domain-joined or MDM-enrolled +Related policy: +- Configure Start Pages +- Configure Open Microsoft Edge With + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + DisableLockdownOfStartPagesListBox MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge DisableLockdownOfStartPages LowestValueMostSecure @@ -45563,6 +49551,34 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo LastWrite + + ForceEnabledExtensions + + + + + + This setting lets you decide which extensions should be always enabled. + + + + + + + + + + + text/plain + + phone + MicrosoftEdge.admx + ForceEnabledExtensions_List + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ForceEnabledExtensions + LastWrite + + HomePages 
@@ -45570,12 +49586,24 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo - Configure the Start page URLs for your employees. -Example: -If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. -Encapsulate each string with greater than and less than characters like any other XML tag. + When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. -Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. +If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: + + <support.contoso.com><support.microsoft.com> + +If disabled or not configured, the webpages specified in App settings loads as the default Start pages. + +Version 1703 or later: +If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. + +Version 1809: +If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. + +Supported devices: Domain-joined or MDM-enrolled +Related policy: +- Configure Open Microsoft Edge With +- Disable Lockdown of Start Pages 
@@ -45605,12 +49633,12 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, you ca 0 This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. @@ -45637,7 +49665,7 @@ If you disable or don't configure this setting (default), employees can add, imp 0 - Prevent access to the about:flags page in Microsoft Edge. + Prevent access to the about:flags page in Microsoft Edge. 
@@ -45657,6 +49685,37 @@ If you disable or don't configure this setting (default), employees can add, imp HighestValueMostSecure + + PreventCertErrorOverrides + + + + + 0 + Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. + +If enabled, overriding certificate errors are not allowed. + +If disabled or not configured, overriding certificate errors are allowed. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + PreventCertErrorOverrides + HighestValueMostSecure + + PreventFirstRunPage @@ -45723,7 +49782,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 0 - Don't allow Windows Defender SmartScreen warning overrides + Don't allow Windows Defender SmartScreen warning overrides @@ -45750,7 +49809,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 0 - Don't allow Windows Defender SmartScreen warning overrides for unverified files. + Don't allow Windows Defender SmartScreen warning overrides for unverified files. @@ -45770,34 +49829,6 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on HighestValueMostSecure - - PreventTabPreloading - - - - - 0 - Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventTabPreloading - HighestValueMostSecure - - PreventUsingLocalHostIPAddressForWebRTC 
@@ -45834,12 +49865,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. -If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. +If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. +If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. 
@@ -45920,6 +49951,74 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LastWrite + + SetHomeButtonURL + + + + + + The home button can be configured to load a custom URL when your user clicks the home button. + +If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. + +Default setting: Blank or not configured +Related policy: Configure Home Button + + + + + + + + + + + text/plain + + phone + MicrosoftEdge.admx + SetHomeButtonURLPrompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + SetHomeButtonURL + LastWrite + + + + SetNewTabPageURL + + + + + + You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. + +If enabled, you can set the default New Tab page URL. + +If disabled or not configured, the default Microsoft Edge new tab page is used. + +Default setting: Disabled or not configured +Related policy: Allow web content on New Tab page + + + + + + + + + + + text/plain + + phone + MicrosoftEdge.admx + SetNewTabPageURLPrompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + SetNewTabPageURL + LastWrite + + ShowMessageWhenOpeningSitesInInternetExplorer 
@@ -45927,7 +50026,16 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 0 - Show message when opening sites in Internet Explorer + You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. + +If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. + +If disabled or not configured, the default app behavior occurs and no additional page displays. + +Default setting: Disabled or not configured +Related policies: +-Configure the Enterprise Mode Site List +-Send all intranet sites to Internet Explorer 11 @@ -45940,7 +50048,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - + phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge 
@@ -45976,6 +50084,43 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LowestValueMostSecure + + UnlockHomeButton + + + + + 0 + By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. + +If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. + +If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. + +Default setting: Disabled or not configured +Related policy: +-Configure Home Button +-Set Home Button URL + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + UnlockHomeButton + LowestValueMostSecure + + UseSharedFolderForBooks @@ -46641,7 +50786,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 0 - If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC + If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC. Setting the value to 0 (zero) or deleting the policy will remove the GP policy blocks restore the saved GP policies. @@ -46654,7 +50799,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - + LastWrite 
@@ -47549,6 +51694,35 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LastWrite + + CheckForSignaturesBeforeRunningScan + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + WindowsDefender.admx + CheckForSignaturesBeforeRunningScan + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan + CheckForSignaturesBeforeRunningScan + HighestValueMostSecure + + CloudBlockLevel @@ -47692,6 +51866,64 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LastWrite + + DisableCatchupFullScan + + + + + 1 + + + + + + + + + + + + text/plain + + + phone + WindowsDefender.admx + Scan_DisableCatchupFullScan + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan + Scan_DisableCatchupFullScan + LastWrite + + + + DisableCatchupQuickScan + + + + + 1 + + + + + + + + + + + + text/plain + + + phone + WindowsDefender.admx + Scan_DisableCatchupQuickScan + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan + Scan_DisableCatchupQuickScan + LastWrite + + EnableControlledFolderAccess @@ -47721,6 +51953,35 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LastWrite + + EnableLowCPUPriority + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + WindowsDefender.admx + Scan_LowCpuPriority + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan + Scan_LowCpuPriority + LastWrite + + EnableNetworkProtection @@ -47856,6 +52117,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + WindowsDefender.admx + Root_PUAProtection + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender + Root_PUAProtection LastWrite 
@@ -48004,6 +52269,62 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LastWrite + + SignatureUpdateFallbackOrder + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsDefender.admx + SignatureUpdate_FallbackOrder + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate + SignatureUpdate_FallbackOrder + LastWrite + + + + SignatureUpdateFileSharesSources + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsDefender.admx + SignatureUpdate_DefinitionUpdateFileSharesSources + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate + SignatureUpdate_DefinitionUpdateFileSharesSources + LastWrite + + SignatureUpdateInterval @@ -48166,6 +52487,33 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LowestValueMostSecure + + DOCacheHost + + + + + + + + + + + + + + + + + text/plain + + DeliveryOptimization.admx + CacheHost + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + CacheHost + LastWrite + + DODelayBackgroundDownloadFromHttp @@ -48662,6 +53010,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + DeliveryOptimization.admx + PercentageMaxDownloadBandwidth + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + PercentageMaxDownloadBandwidth LastWrite @@ -48865,6 +53217,35 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + EnableSystemGuard + + + + + 0 + Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch. + + + + + + + + + + + text/plain + + + phone + DeviceGuard.admx + SystemGuardDrop + DeviceGuard~AT~System~DeviceGuardCategory + VirtualizationBasedSecurity + LowestValueMostSecureZeroHasNoLimits + + EnableVirtualizationBasedSecurity 
@@ -48971,6 +53352,114 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + AllowInstallationOfMatchingDeviceIDs + + + + + + + + + + + + + + + + + text/plain + + phone + deviceinstallation.admx + DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category + DeviceInstall_IDs_Allow + LastWrite + + + + AllowInstallationOfMatchingDeviceSetupClasses + + + + + + + + + + + + + + + + + text/plain + + phone + deviceinstallation.admx + DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category + DeviceInstall_Classes_Allow + LastWrite + + + + PreventDeviceMetadataFromNetwork + + + + + + + + + + + + + + + + + text/plain + + phone + DeviceSetup.admx + DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category + DeviceMetadata_PreventDeviceMetadataFromNetwork + LastWrite + + + + PreventInstallationOfDevicesNotDescribedByOtherPolicySettings + + + + + + + + + + + + + + + + + text/plain + + phone + deviceinstallation.admx + DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category + DeviceInstall_Unspecified_Deny + LastWrite + + PreventInstallationOfMatchingDeviceIDs @@ -49653,6 +54142,53 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + DmaGuard + + + + + + + + + + + + + + + + + + + DeviceEnumerationPolicy + + + + + 1 + + + + + + + + + + + + text/plain + + + dmaguard.admx + dmaguard~AT~System~DmaGuard + DmaGuardEnumerationPolicy + LowestValueMostSecure + + + ErrorReporting @@ -49955,6 +54491,33 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + AllowClipboardHistory + + + + + 1 + Allows history of clipboard items to be stored in memory. + + + + + + + + + + + text/plain + + + OSPolicy.admx + OSPolicy~AT~System~PolicyPolicies + AllowClipboardHistory + LowestValueMostSecure + + AllowCopyPaste 
@@ -50258,7 +54821,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - 0 + 1 @@ -50335,6 +54898,65 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor HighestValueMostSecure + + DoNotSyncBrowserSetting + + + + + 0 + You can configure Microsoft Edge, when enabled, to prevent the "browser" group from using the Sync your Settings option to sync information, such as history and favorites, between user's devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. + Related policy: PreventUsersFromTurningOnBrowserSyncing + 0 (default) = allow syncing, 2 = disable syncing + + + + + + + + + + + text/plain + + + SettingSync.admx + SettingSync~AT~WindowsComponents~SettingSync + DisableWebBrowserSettingSync + HighestValueMostSecure + + + + PreventUsersFromTurningOnBrowserSyncing + + + + + 1 + You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. + Related policy: DoNotSyncBrowserSetting + 1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing + + + + + + + + + + + text/plain + + + SettingSync.admx + CheckBox_UserOverride + SettingSync~AT~WindowsComponents~SettingSync + DisableWebBrowserSettingSync + HighestValueMostSecure + + ExploitGuard 
@@ -57284,6 +61906,32 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor LastWrite + + UPNNameHints + + + + + + Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. + + This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. + + + + + + + + + + + text/plain + + phone + LastWrite + + KioskBrowser @@ -57383,7 +62031,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor 0 - Enable/disable kiosk browser's end session button. + Enable/disable kiosk browser's end session button. @@ -57408,7 +62056,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor 0 - Enable/disable kiosk browser's home button. + Enable/disable kiosk browser's home button. @@ -57433,7 +62081,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor 0 - Enable/disable kiosk browser's navigation buttons (forward/back). + Enable/disable kiosk browser's navigation buttons (forward/back). 
@@ -57628,9 +62276,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor 0 This policy setting prevents users from adding new Microsoft accounts on this computer. -If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. +If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. -If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. +If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. 
@@ -57728,7 +62376,7 @@ Note: If the Guest account is disabled and the security option Network Access: S 1 Accounts: Limit local account use of blank passwords to console logon only -This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. +This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. Default: Enabled. @@ -57800,7 +62448,7 @@ Default: Administrator. Guest Accounts: Rename guest account -This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. +This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. Default: Guest. 
@@ -57955,127 +62603,6 @@ Default: This policy is not defined and CD-ROM access is not restricted to the l LastWrite - - DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways - - - - - 1 - Domain member: Digitally encrypt or sign secure channel data (always) - -This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. - -This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: - -Domain member: Digitally encrypt secure channel data (when possible) -Domain member: Digitally sign secure channel data (when possible) - -Default: Enabled. - -Notes: - -If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. 
-If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. -Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Domain member: Digitally encrypt or sign secure channel data (always) - LastWrite - - - - DomainMember_DigitallyEncryptSecureChannelDataWhenPossible - - - - - 1 - Domain member: Digitally encrypt secure channel data (when possible) - -This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc. - -This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption. - -Default: Enabled. - -Important - -There is no known reason for disabling this setting. 
Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted. - -Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Domain member: Digitally encrypt secure channel data (when possible) - LastWrite - - - - DomainMember_DisableMachineAccountPasswordChanges - - - - - 0 - Domain member: Disable machine account password changes - -Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. - -Default: Disabled. - -Notes - -This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions. -This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names. 
- - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Domain member: Disable machine account password changes - LastWrite - - InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked @@ -58113,7 +62640,7 @@ Do not display user information (3) 0 - Interactive logon: Don't display last signed-in + Interactive logon: Don't display last signed-in This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. If this policy is enabled, the username will not be shown. @@ -58146,7 +62673,7 @@ Default: Disabled. 1 - Interactive logon: Don't display username at sign-in + Interactive logon: Don't display username at sign-in This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. If this policy is enabled, the username will not be shown. @@ -58183,7 +62710,7 @@ Default: Disabled. This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. -If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. +If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. 
@@ -58349,6 +62876,55 @@ On Windows Vista and above: For this setting to work, the Smart Card Removal Pol LastWrite + + MicrosoftNetworkClient_DigitallySignCommunicationsAlways + + + + + 0 + Microsoft network client: Digitally sign communications (always) + +This security setting determines whether packet signing is required by the SMB client component. + +The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. + +If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. + +Default: Disabled. + +Important + +For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). + +Notes + +All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. 
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. +For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Microsoft network client: Digitally sign communications (always) + LastWrite + + MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees 
@@ -58712,6 +63288,47 @@ This policy is supported on at least Windows Server 2016. LastWrite + + NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM + + + + + 1 + Network security: Allow Local System to use computer identity for NTLM + +This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. + +If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. + +If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. + +By default, this policy is enabled on Windows 7 and above. + +By default, this policy is disabled on Windows Vista. + +This policy is supported on at least Windows Vista or Windows Server 2008. + +Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Network security: Allow Local System to use computer identity for NTLM + LastWrite + + NetworkSecurity_AllowPKU2UAuthenticationRequests 
@@ -58832,6 +63449,44 @@ Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send HighestValueMostSecure + + NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients + + + + + 0 + Network security: Minimum session security for NTLM SSP based (including secure RPC) clients + +This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: + +Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated. +Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. + +Default: + +Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. + +Windows 7 and Windows Server 2008 R2: Require 128-bit encryption + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Network security: Minimum session security for NTLM SSP based (including secure RPC) clients + HighestValueMostSecure + + NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers 
@@ -58879,7 +63534,7 @@ Windows 7 and Windows Server 2008 R2: Require 128-bit encryption Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication -This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. +This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. 
@@ -58915,15 +63570,15 @@ The naming format for servers on this exception list is the fully qualified doma This policy setting allows you to audit incoming NTLM traffic. -If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. +If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. -If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. +If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. -If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. +If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
@@ -58954,15 +63609,15 @@ Note: Audit events are recorded on this computer in the "Operational" Log locate This policy setting allows you to deny or allow incoming NTLM traffic. -If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. +If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. -If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. +If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. -If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. +If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
@@ -58993,15 +63648,15 @@ Note: Block events are recorded on this computer in the "Operational" Log locate This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. -If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. +If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. -If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. +If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. -If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. +If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
+Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -59103,9 +63758,9 @@ Default: Disabled. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. -• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. +• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. -• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. +• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. 
@@ -59140,15 +63795,15 @@ The options are: • Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. -• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. 
If the user selects Permit, the operation continues with the user's highest available privilege. -• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. @@ -59359,13 +64014,13 @@ The options are: 1 User Account Control: Switch to the secure desktop when prompting for elevation -This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. +This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: • Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. -• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. +• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. @@ -59648,7 +64303,7 @@ The options are: 1 - This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. + This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. 
@@ -60715,6 +65370,33 @@ The options are: LowestValueMostSecure + + AllowCrossDeviceClipboard + + + + + 1 + Allows syncing of Clipboard across devices under the same Microsoft account. + + + + + + + + + + + text/plain + + + OSPolicy.admx + OSPolicy~AT~System~PolicyPolicies + AllowCrossDeviceClipboard + LowestValueMostSecure + + AllowInputPersonalization @@ -62552,7 +67234,7 @@ The options are: - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. @@ -62888,7 +67570,7 @@ The options are: - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -62916,7 +67598,7 @@ The options are: 1 - Allows apps/system to publish 'User Activities' into ActivityFeed. + Allows apps/system to publish 'User Activities' into ActivityFeed. @@ -62943,7 +67625,7 @@ The options are: 1 - Allows ActivityFeed to upload published 'User Activities'. + Allows ActivityFeed to upload published 'User Activities'. 
@@ -64024,6 +68706,39 @@ Caution: If a Restricted Groups policy is applied, any current member not on the phone LastWrite + + + + + + + + + + + + Restricted Group Member + + + + + + + + + + + + + + + Restricted Group + + + + + + ]]> @@ -64613,6 +69328,31 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LastWrite + + RecoveryEnvironmentAuthentication + + + + + 0 + This policy controls the requirement of Admin Authentication in RecoveryEnvironment. + + + + + + + + + + + text/plain + + + phone + LastWrite + + RequireDeviceEncryption @@ -65502,6 +70242,9 @@ Caution: If a Restricted Groups policy is applied, any current member not on the phone + StartMenu.admx + StartMenu~AT~StartMenu + ForceStartSize LastWrite @@ -65537,7 +70280,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the 0 - Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. + Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. @@ -65576,6 +70319,9 @@ Caution: If a Restricted Groups policy is applied, any current member not on the phone + StartMenu.admx + StartMenu~AT~StartMenu + NoFrequentUsedPrograms LowestValueMostSecure @@ -65586,7 +70332,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the 0 - Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. + Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. @@ -65610,7 +70356,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the 0 - Enabling this policy hides "Lock" from appearing in the user tile in the start menu. + Enabling this policy hides "Lock" from appearing in the user tile in the start menu. 
@@ -65673,6 +70419,9 @@ Caution: If a Restricted Groups policy is applied, any current member not on the phone + StartMenu.admx + StartMenu~AT~StartMenu + NoRecentDocsHistory LowestValueMostSecure @@ -65711,7 +70460,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the 0 - Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. + Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. @@ -65735,7 +70484,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the 0 - Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. + Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. @@ -65759,7 +70508,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the 0 - Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. + Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. @@ -65783,7 +70532,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the 0 - Enabling this policy hides "Sleep" from appearing in the power button in the start menu. + Enabling this policy hides "Sleep" from appearing in the power button in the start menu. @@ -65807,7 +70556,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the 0 - Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. + Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. 
@@ -65999,6 +70748,34 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LastWrite + + RemovableDiskDenyWriteAccess + + + + + 0 + If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." + + + + + + + + + + + text/plain + + + RemovableStorage.admx + RemovableDisks_DenyWrite_Access_2 + RemovableStorage~AT~System~DeviceAccess + RemovableDisks_DenyWrite_Access_2 + HighestValueMostSecure + + System @@ -66251,6 +71028,33 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LastWrite + + ConfigureMicrosoft365UploadEndpoint + + + + + + + + + + + + + + + + + text/plain + + DataCollection.admx + ConfigureMicrosoft365UploadEndpoint + DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds + ConfigureMicrosoft365UploadEndpoint + LastWrite + + ConfigureTelemetryOptInChangeNotification @@ -66307,6 +71111,62 @@ Caution: If a Restricted Groups policy is applied, any current member not on the HighestValueMostSecure + + DisableDeviceDelete + + + + + 0 + + + + + + + + + + + + text/plain + + + DataCollection.admx + DisableDeviceDelete + DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds + DisableDeviceDelete + HighestValueMostSecure + + + + DisableDiagnosticDataViewer + + + + + 0 + + + + + + + + + + + + text/plain + + + DataCollection.admx + DisableDiagnosticDataViewer + DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds + DisableDiagnosticDataViewer + HighestValueMostSecure + + DisableEnterpriseAuthProxy 
@@ -66420,7 +71280,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the 0 - This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting. + This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. 
Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting. @@ -66494,8 +71354,8 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - 0 - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + 3 + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -66521,8 +71381,8 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - 0 - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + 3 + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -66548,8 +71408,8 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - 0 - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + 3 + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. 
@@ -66575,8 +71435,8 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - 0 - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + 3 + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -66602,8 +71462,8 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - 0 - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + 3 + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -66629,8 +71489,8 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - 0 - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + 3 + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -66651,6 +71511,50 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + TaskManager + + + + + + + + + + + + + + + + + + + AllowEndTask + + + + + 1 + This setting determines whether non-administrators can use Task Manager to end tasks - enabled (1) or disabled (0). Default: enabled + + + + + + + + + + + text/plain + + + HighestValueMostSecure + + + TaskScheduler @@ -67438,7 +72342,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - 2 + 6 @@ -67452,7 +72356,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the text/plain - + WindowsUpdate.admx AutoUpdateMode WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat 
@@ -67595,6 +72499,34 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LastWrite + + AutoRestartDeadlinePeriodInDaysForFeatureUpdates + + + + + 7 + + + + + + + + + + + + text/plain + + + WindowsUpdate.admx + AutoRestartDeadlineForFeatureUpdates + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + AutoRestartDeadline + LastWrite + + AutoRestartNotificationSchedule @@ -67898,6 +72830,34 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LastWrite + + EngagedRestartDeadlineForFeatureUpdates + + + + + 14 + + + + + + + + + + + + text/plain + + + WindowsUpdate.admx + EngagedRestartDeadlineForFeatureUpdates + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + EngagedRestartTransitionSchedule + LastWrite + + EngagedRestartSnoozeSchedule @@ -67926,6 +72886,34 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LastWrite + + EngagedRestartSnoozeScheduleForFeatureUpdates + + + + + 3 + + + + + + + + + + + + text/plain + + + WindowsUpdate.admx + EngagedRestartSnoozeScheduleForFeatureUpdates + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + EngagedRestartTransitionSchedule + LastWrite + + EngagedRestartTransitionSchedule @@ -67954,6 +72942,34 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LastWrite + + EngagedRestartTransitionScheduleForFeatureUpdates + + + + + 7 + + + + + + + + + + + + text/plain + + + WindowsUpdate.admx + EngagedRestartTransitionScheduleForFeatureUpdates + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + EngagedRestartTransitionSchedule + LastWrite + + ExcludeWUDriversInQualityUpdate 
@@ -68579,6 +73595,60 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LastWrite + + SetDisablePauseUXAccess + + + + + 0 + + + + + + + + + + + + text/plain + + + WindowsUpdate.admx + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + SetDisablePauseUXAccess + LastWrite + + + + SetDisableUXWUAccess + + + + + 0 + + + + + + + + + + + + text/plain + + + WindowsUpdate.admx + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + SetDisableUXWUAccess + LastWrite + + SetEDURestart @@ -68606,6 +73676,33 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LastWrite + + UpdateNotificationKioskMode + + + + + 0 + + + + + + + + + + + + text/plain + + + WindowsUpdate.admx + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + UpdateNotificationKioskMode + LastWrite + + UpdateServiceUrl @@ -68688,7 +73785,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. + This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. 
@@ -68850,7 +73947,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users. + This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users. 
@@ -68931,7 +74028,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. + This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. 
@@ -69147,7 +74244,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. + Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. 
Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 1) The access token that is being impersonated is for this user. 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. 3) The requested level is less than Impersonate, such as Anonymous or Identify. @@ -69789,6 +74886,34 @@ Because of these factors, users do not usually need this user right. Warning: If LastWrite + + DisableClearTpmButton + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity + DeviceSecurity_DisableClearTpmButton + LastWrite + + DisableDeviceSecurityUI @@ -69957,6 +75082,34 @@ Because of these factors, users do not usually need this user right. Warning: If LastWrite + + DisableTpmFirmwareUpdateWarning + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity + DeviceSecurity_DisableTpmFirmwareUpdateWarning + LastWrite + + DisableVirusUI @@ -70181,6 +75334,34 @@ Because of these factors, users do not usually need this user right. Warning: If LastWrite + + HideWindowsSecurityNotificationAreaControl + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Systray + Systray_HideSystray + LastWrite + + Phone 
@@ -70644,7 +75825,7 @@ Because of these factors, users do not usually need this user right. Warning: If 1 This policy setting allows you to turn off projection to a PC - If you set it to 0, your PC isn't discoverable and can't be projected to + If you set it to 0, your PC isn't discoverable and can't be projected to If you set it to 1, your PC is discoverable and can be projected to above the lock screen only. The user has an option to turn it always on or off except for manual launch, too. @@ -70674,7 +75855,7 @@ Because of these factors, users do not usually need this user right. Warning: If 1 This policy setting allows you to turn off projection to a PC over infrastructure. - If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. + If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. If you set it to 1, your PC can be discoverable and can be projected to over infrastructure. @@ -70724,8 +75905,9 @@ Because of these factors, users do not usually need this user right. Warning: If 0 This policy setting allows you to require a pin for pairing. - If you turn this on, the pairing ceremony for new devices will always require a PIN - If you turn it off or don't configure it, a pin isn't required for pairing. + If you set this to 0, a pin isn't required for pairing. + If you set this to 1, the pairing ceremony for new devices will always require a PIN. + If you set this to 2, all pairings will require PIN. @@ -70738,15 +75920,15 @@ Because of these factors, users do not usually need this user right. Warning: If text/plain - + WirelessDisplay.admx WirelessDisplay~AT~WindowsComponents~Connect RequirePinForPairing - LowestValueMostSecure + LastWrite -``` \ No newline at end of file +```
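Review bot: in the RequirePinForPairing hunks (@@ -70724,8 +75905,9 and @@ -70738,15 +75920,15) the conflict-resolution rule is changed from LowestValueMostSecure to LastWrite at the same time the setting becomes a three-state value where higher means stricter ("0, a pin isn't required", "1, new devices will always require a PIN", "2, all pairings will require PIN"). With LastWrite the last policy source to write wins, so a 0 written later silently overrides a 2; for this ordering the rule that keeps the strictest value is HighestValueMostSecure (the old LowestValueMostSecure was already inverted for a setting where the on value required a PIN). Either switch to HighestValueMostSecure or document why last-writer-wins is intended for a pairing-authentication control. Minor: the new text mixes "pin" and "PIN", and "all pairings will require PIN" is missing "a".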
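Review bot: in the new TaskManager/AllowEndTask node (@@ -66651,6 +71511,50) the HighestValueMostSecure rule contradicts the value semantics in its own description, where 1 lets non-administrators end tasks and 0 forbids it; the restrictive value is 0, so LowestValueMostSecure is the rule that lets the stricter setting win when sources conflict (AllowCrossDeviceClipboard in this same patch, also an Allow* policy with default 1, uses LowestValueMostSecure). Also, "Default: enabled" is the only description in the patch without a terminating period, and the node has no ADMX mapping lines where its neighbours do; please confirm that is intentional.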
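Review bot: the RecoveryEnvironmentAuthentication description (@@ -64613,6 +69328,31), "This policy controls the requirement of Admin Authentication in RecoveryEnvironment.", never says what the values mean, so with a default of 0 a reader cannot tell whether the out-of-box state requires admin authentication in the recovery environment or not. State the supported values and which one requires authentication, and reconsider LastWrite for this node: if 1 is the requiring value, HighestValueMostSecure would stop a later, less restrictive write from winning.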
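Review bot: the two new DataCollection nodes DisableDeviceDelete and DisableDiagnosticDataViewer (@@ -66307,6 +71111,62) ship with a default of 0 and no description at all, unlike RemovableDiskDenyWriteAccess in this same patch, which spells out both the enabled and the disabled behaviour. Add a description for each that says what setting the value to 1 does and what 0 (the default) does, so the HighestValueMostSecure rule attached to them can be checked against the intended semantics.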
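Review bot: ConfigureMicrosoft365UploadEndpoint (@@ -66251,6 +71028,33) has neither a default value nor a description, yet its name says it sets the upload endpoint for the data-collection component. Document the expected value format (a URL?), what happens when the value is empty or malformed, and whether the endpoint is validated, since an unvalidated destination for diagnostic data is exactly the kind of setting an admin needs to understand before deploying it; LastWrite is fine for a string value.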
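Review bot: the Windows Analytics diagnostic-data description hunk (@@ -66420,7 +71280,7) changes only whitespace, but the text it touches still has two visible defects worth fixing in the same change: "Set Allow Telemetry to level 2 (Enhanced).If you configure" has no space after the period, and the link "https://go.Microsoft.com/fwlink/?linked=847594" uses "linked=" where fwlink URLs take "linkid="; please verify the link resolves and correct the parameter.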
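Review bot: the AutoUpdateMode default changes from 2 to 6 (@@ -67438,7 +72342,7), which alters update behaviour on every device that never sets this policy, but nothing in the hunk updates a description or the version history to say what 6 means or why the default moved. Add the value meaning to the node description and record the default change in the changelog; the follow-on hunk that fills the previously empty ADMX file line with WindowsUpdate.admx looks right.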
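Review bot: AutoRestartDeadlinePeriodInDaysForFeatureUpdates (@@ -67595,6 +72499,34) is added with a default of 7 and no description; the unit is only recoverable from the node name, and the mapping lines show it is one element of the AutoRestartDeadline ADMX policy rather than a policy of its own. State the unit, the valid range, and the interaction with the existing non-feature-update deadline node in a description, so the value is not mistaken for a different scale.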
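Review bot: DisableClearTpmButton (@@ -69789,6 +74886,34) is added with default 0 and no description; the node and its ADMX mapping DeviceSecurity_DisableClearTpmButton name a control over the Clear TPM button, so the description should say which value hides or disables the button and that 0 (the default) leaves it available, letting admins judge the exposure before relying on the default.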
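Review bot: the AllowCrossDeviceClipboard description (@@ -60715,6 +65370,33), "Allows syncing of Clipboard across devices under the same Microsoft account.", does not say which value turns the sync on and which turns it off. Since the default is 1 and the rule is LowestValueMostSecure, say explicitly that 0 disables the sync and wins when policy sources conflict, and that the out-of-box state is on, so admins handling sensitive clipboard contents know what they are starting from.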
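Review bot: the UIAccess secure-desktop hunk (@@ -59103,9 +63758,9) changes only trailing whitespace in the two bullet lines; if the DDF generator emits these, strip trailing whitespace consistently in one pass so the substantive changes in this patch are easier to pick out in review.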