diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index b2ec1085e2..7b6088c9a0 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -69,6 +69,8 @@ This policy allows an administrator to set default file type and protocol associ +**Example**: + To create the SyncML, follow these steps:
  1. Install a few apps and change your defaults.
    2. diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 65e5e7915b..42280b4c3e 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1,930 +1,1133 @@ --- -title: Policy CSP - ApplicationManagement -description: Learn about various Policy configuration service providers (CSP) - ApplicationManagement, including SyncML, for Windows 10. +title: ApplicationManagement Policy CSP +description: Learn more about the ApplicationManagement Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/09/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 02/11/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ApplicationManagement -
    + + + - -## ApplicationManagement policies + +## AllowAllTrustedApps -
    -
    - ApplicationManagement/AllowAutomaticAppArchiving -
    -
    - ApplicationManagement/AllowAllTrustedApps -
    -
    - ApplicationManagement/AllowAppStoreAutoUpdate -
    -
    - ApplicationManagement/AllowDeveloperUnlock -
    -
    - ApplicationManagement/AllowGameDVR -
    -
    - ApplicationManagement/AllowSharedUserAppData -
    -
    - ApplicationManagement/BlockNonAdminUserInstall -
    -
    - ApplicationManagement/DisableStoreOriginatedApps -
    -
    - ApplicationManagement/LaunchAppAfterLogOn -
    -
    - ApplicationManagement/MSIAllowUserControlOverInstall -
    -
    - ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges -
    -
    - ApplicationManagement/RequirePrivateStoreOnly -
    -
    - ApplicationManagement/RestrictAppDataToSystemVolume -
    -
    - ApplicationManagement/RestrictAppToSystemVolume -
    -
    - ApplicationManagement/ScheduleForceRestartForUpdateFailures -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAllTrustedApps +``` + -
    + + +This policy setting allows you to manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps. - -**ApplicationManagement/AllowAutomaticAppArchiving** +If you enable this policy setting, you can install any LOB or developer-signed Windows Store app (which must be signed with a certificate chain that can be successfully validated by the local computer). - +If you disable or do not configure this policy setting, you cannot install LOB or developer-signed Windows Store apps. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + -> [!div class = "checklist"] -> * Device -> * User + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Explicit deny. | +| 1 | Explicit allow unlock. | +| 65535 (Default) | Not configured. | + - - + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AppxDeploymentAllowAllTrustedApps | +| Friendly Name | Allow all trusted apps to install | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\Appx | +| Registry Value Name | AllowAllTrustedApps | +| ADMX File Name | AppxPackageManager.admx | + + + + + + + + + +## AllowAppStoreAutoUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAppStoreAutoUpdate +``` + + + + +Specifies whether automatic update of apps from Microsoft Store are allowed. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 | Allowed. | +| 2 (Default) | Not configured. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableAutoInstall | +| Friendly Name | Turn off Automatic Download and Install of updates | +| Location | Computer Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | AutoDownload | +| ADMX File Name | WindowsStore.admx | + + + + + + + + + +## AllowAutomaticAppArchiving + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAutomaticAppArchiving +``` + + + + This policy setting controls whether the system can archive infrequently used apps. -- If you enable this policy setting, then the system will periodically check for and archive infrequently used apps. -- If you disable this policy setting, then the system won't archive any apps. - -If you don't configure this policy setting (default), then the system will follow default behavior, which is to periodically check for and archive infrequently used apps, and the user will be able to configure this setting themselves. - - - -ADMX Info: -- GP Friendly name: *Allow all trusted apps to install* -- GP name: *AllowAutomaticAppArchiving* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - -The following list shows the supported values: - -- 0 - Explicit disable. -- 1 - Explicit enable. -- 65535 (default) - Not configured. - - - - -
    - - -**ApplicationManagement/AllowAllTrustedApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether non Microsoft Store apps are allowed. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Allow all trusted apps to install* -- GP name: *AppxDeploymentAllowAllTrustedApps* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - -The following list shows the supported values: - -- 0 - Explicit deny. -- 1 - Explicit allow unlock. -- 65535 (default) - Not configured. - - - - -
    - - -**ApplicationManagement/AllowAppStoreAutoUpdate** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether automatic update of apps from Microsoft Store is allowed. - - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Turn off Automatic Download and Install of updates* -- GP name: *DisableAutoInstall* -- GP path: *Windows Components/Store* -- GP ADMX file name: *WindowsStore.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
    - - -**ApplicationManagement/AllowDeveloperUnlock** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether developer unlock is allowed. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Allows development of Windows Store apps and installing them from an integrated development environment (IDE)* -- GP name: *AllowDevelopmentWithoutDevLicense* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - -The following list shows the supported values: - -- 0 - Explicit deny. -- 1 - Explicit allow unlock. -- 65535 (default) - Not configured. - - - - -
    - - -**ApplicationManagement/AllowGameDVR** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - -Specifies whether DVR and broadcasting are allowed. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Enables or disables Windows Game Recording and Broadcasting* -- GP name: *AllowGameDVR* -- GP path: *Windows Components/Windows Game Recording and Broadcasting* -- GP ADMX file name: *GameDVR.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
    - - -**ApplicationManagement/AllowSharedUserAppData** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -[!INCLUDE [allow-windows-app-to-share-data-users-shortdesc](../includes/allow-windows-app-to-share-data-users-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow a Windows app to share application data between users* -- GP name: *AllowSharedLocalAppData* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - -The following list shows the supported values: - -- 0 (default) – Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. -- 1 – Allowed. Microsoft Edge downloads book files into a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account. - -Most restricted value: 0 - - - -
    - - -**ApplicationManagement/BlockNonAdminUserInstall** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - - -Manages non-administrator users' ability to install Windows app packages. - -If you enable this policy, non-administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Administrator PowerShell window). All users will still be able to install Windows app packages via the Microsoft Store, if permitted by other policies. - -If you disable or don't configure this policy, all users will be able to initiate installation of Windows app packages. - - - -ADMX Info: -- GP Friendly name: *Prevent non-admin users from installing packaged Windows apps* -- GP name: *BlockNonAdminUserInstall* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - -The following list shows the supported values: -- 0 (default) - Disabled. All users will be able to initiate installation of Windows app packages. -- 1 - Enabled. Non-administrator users won't be able to initiate installation of Windows app packages. - - - - - - - - - -
    - - -**ApplicationManagement/DisableStoreOriginatedApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. - - - -ADMX Info: -- GP Friendly name: *Disable all apps from Microsoft Store* -- GP name: *DisableStoreApps* -- GP path: *Windows Components/Store* -- GP ADMX file name: *WindowsStore.admx* - - - -The following list shows the supported values: - -- 0 (default) – Enable launch of apps. -- 1 – Disable launch of apps. - - - - -
    - - -**ApplicationManagement/LaunchAppAfterLogOn** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are launched after a sign in. This policy allows the IT admin to specify a list of applications that users can run after logging on to the device. - -For this policy to work, the Windows apps need to declare in their manifest that they'll use the startup task. Example of the declaration here: - -```xml - - - +If you enable this policy setting, then the system will periodically check for and archive infrequently used apps. + +If you disable this policy setting, then the system will not archive any apps. + +If you do not configure this policy setting (default), then the system will follow default behavior, which is to periodically check for and archive infrequently used apps, and the user will be able to configure this setting themselves. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Explicit deny. | +| 1 | Explicit enable. | +| 65535 (Default) | Not configured. User's Choice. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowAutomaticAppArchiving | +| Friendly Name | Archive infrequently used apps | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\Appx | +| Registry Value Name | AllowAutomaticAppArchiving | +| ADMX File Name | AppxPackageManager.admx | + + + + + + + + + +## AllowDeveloperUnlock + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowDeveloperUnlock ``` + + + + +Allows or denies development of Microsoft Store applications and installing them directly from an IDE. + +If you enable this setting and enable the "Allow all trusted apps to install" Group Policy, you can develop Microsoft Store apps and install them directly from an IDE. + +If you disable or do not configure this setting, you cannot develop Microsoft Store apps or install them directly from an IDE. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Explicit deny. | +| 1 | Explicit allow unlock. | +| 65535 (Default) | Not configured. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowDevelopmentWithoutDevLicense | +| Friendly Name | Allows development of Windows Store apps and installing them from an integrated development environment (IDE) | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\Appx | +| Registry Value Name | AllowDevelopmentWithoutDevLicense | +| ADMX File Name | AppxPackageManager.admx | + + + + + + + + + +## AllowGameDVR + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowGameDVR +``` + + + + +Windows Game Recording and Broadcasting. + +This setting enables or disables the Windows Game Recording and Broadcasting features. If you disable this setting, Windows Game Recording will not be allowed. +If the setting is enabled or not configured, then Recording and Broadcasting (streaming) will be allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowGameDVR | +| Friendly Name | Enables or disables Windows Game Recording and Broadcasting | +| Location | Computer Configuration | +| Path | Windows Components > Windows Game Recording and Broadcasting | +| Registry Key Name | Software\Policies\Microsoft\Windows\GameDVR | +| Registry Value Name | AllowGameDVR | +| ADMX File Name | GameDVR.admx | + + + + + + + + + +## AllowSharedUserAppData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowSharedUserAppData +``` + + + + +Manages a Windows app's ability to share data between users who have installed the app. + +If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. + +If you disable this policy, a Windows app can't share app data with other instances of that app. If this policy was previously enabled, any previously shared app data will remain in the SharedLocal folder. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. | +| 1 | Allowed. Microsoft Edge downloads book files into a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowSharedLocalAppData | +| Friendly Name | Allow a Windows app to share application data between users | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager | +| Registry Value Name | AllowSharedLocalAppData | +| ADMX File Name | AppxPackageManager.admx | + + + + + + + + + +## AllowStore > [!NOTE] -> This policy only works on modern apps. +> This policy is deprecated and may be removed in a future release. - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowStore +``` + - - + + +This policy is deprecated + - - + + + -
    + +**Description framework properties**: - -**ApplicationManagement/MSIAllowUserControlOverInstall** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 | Disallow. | +| 1 (Default) | Allow. | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## ApplicationRestrictions -
    +> [!NOTE] +> This policy is deprecated and may be removed in a future release. - - -Added in Windows 10, version 1803. This policy setting permits users to change installation options that typically are available only to system administrators. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/ApplicationRestrictions +``` + + + + +This policy is deprecated + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## BlockNonAdminUserInstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/BlockNonAdminUserInstall +``` + + + + +Manages non-Administrator users' ability to install Windows app packages. + +If you enable this policy, non-Administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Administrator PowerShell window). All users will still be able to install Windows app packages via the Microsoft Store, if permitted by other policies. + +If you disable or do not configure this policy, all users will be able to initiate installation of Windows app packages. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. All users will be able to initiate installation of Windows app packages. | +| 1 | Enabled. Non-administrator users will not be able to initiate installation of Windows app packages. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | BlockNonAdminUserInstall | +| Friendly Name | Prevent non-admin users from installing packaged Windows apps | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\Appx | +| Registry Value Name | BlockNonAdminUserInstall | +| ADMX File Name | AppxPackageManager.admx | + + + + + + + + + +## DisableStoreOriginatedApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/DisableStoreOriginatedApps +``` + + + + +Disable turns off the launch of all apps from the Microsoft Store that came pre-installed or were downloaded. Apps will not be updated. Your Store will also be disabled. Enable turns all of it back on. This setting applies only to Enterprise and Education editions of Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Enable launch of apps. | +| 1 | Disable launch of apps. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableStoreApps | +| Friendly Name | Disable all apps from Microsoft Store | +| Location | Computer Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | DisableStoreApps | +| ADMX File Name | WindowsStore.admx | + + + + + + + + + +## LaunchAppAfterLogOn + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/LaunchAppAfterLogOn +``` + + + + +List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are to be launched after logon. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + + + + + + + +## MSIAllowUserControlOverInstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAllowUserControlOverInstall +``` + + + + +This policy setting permits users to change installation options that typically are available only to system administrators. If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation. -If you disable or don't configure this policy setting, the security features of Windows Installer prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed. +If you disable or do not configure this policy setting, the security features of Windows Installer prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. This policy setting is designed for less restrictive environments. It can be used to circumvent errors in an installation program that prevents software from being installed. - - - -ADMX Info: -- GP Friendly name: *Allow user control over installs* -- GP name: *EnableUserControl* -- GP path: *Windows Components/Windows Installer* -- GP ADMX file name: *MSI.admx* - - - -This setting supports a range of values between 0 and 1. - - - - -
    - - -**ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -Added in Windows 10, version 1803. This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system. - -If you enable this policy setting, privileges are extended to all programs. These privileges are reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers. - -If you disable or don't configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator doesn't distribute or offer. - -> [!NOTE] -> This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. - -> [!CAUTION] -> Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed to be secure. - - - -ADMX Info: -- GP Friendly name: *Always install with elevated privileges* -- GP name: *AlwaysInstallElevated* -- GP path: *Windows Components/Windows Installer* -- GP ADMX file name: *MSI.admx* - - - -This setting supports a range of values between 0 and 1. - - - - -
    - - -**ApplicationManagement/RequirePrivateStoreOnly** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -Allows disabling of the retail catalog and only enables the Private store. - - -Most restricted value is 1. - - - -ADMX Info: -- GP Friendly name: *Only display the private store within the Microsoft Store* -- GP name: *RequirePrivateStoreOnly* -- GP path: *Windows Components/Store* -- GP ADMX file name: *WindowsStore.admx* - - - -The following list shows the supported values: - -- 0 (default) – Allow both public and Private store. -- 1 – Only Private store is enabled. - - - - -
    - - -**ApplicationManagement/RestrictAppDataToSystemVolume** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether application data is restricted to the system drive. - -Most restricted value is 1. - - - -ADMX Info: -- GP Friendly name: *Prevent users' app data from being stored on non-system volumes* -- GP name: *RestrictAppDataToSystemVolume* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - -The following list shows the supported values: - -- 0 (default) – Not restricted. -- 1 – Restricted. - - - - -
    - - -**ApplicationManagement/RestrictAppToSystemVolume** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether the installation of applications is restricted to the system drive. - -Most restricted value is 1. - - - -ADMX Info: -- GP Friendly name: *Disable installing Windows apps on non-system volumes* -- GP name: *DisableDeploymentToNonSystemVolumes* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - -The following list shows the supported values: - -- 0 (default) – Not restricted. -- 1 – Restricted. - - - - -
    - - -**ApplicationManagement/ScheduleForceRestartForUpdateFailures** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -To ensure apps are up-to-date, this policy allows the admins to set a recurring or one time date to restart apps whose update failed due to the app being in use allowing the update to be applied. - -Value type is string. - - - -> [!NOTE] -> The check for recurrence is done in a case sensitive manner. For instance the value needs to be “Daily” instead of “daily”. The wrong case will cause SmartRetry to fail to execute. - - - -Sample SyncML: - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/ScheduleForceRestartForUpdateFailures - - - - xml - - - - - - - - + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled | +| 1 | Enabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableUserControl | +| Friendly Name | Allow user control over installs | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | EnableUserControl | +| ADMX File Name | MSI.admx | + + + + + + + + + +## MSIAlwaysInstallWithElevatedPrivileges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges ``` -XSD: + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges +``` + + + + +This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system. + +If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers. + +If you disable or do not configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer. + +Note: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. + +Caution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. + +**Note** that the User Configuration version of this policy setting is not guaranteed to be secure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled | +| 1 | Enabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AlwaysInstallElevated | +| Friendly Name | Always install with elevated privileges | +| Location | Computer and User Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | AlwaysInstallElevated | +| ADMX File Name | MSI.admx | + + + + + + + + + +## RequirePrivateStoreOnly + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly +``` + + + + +Denies access to the retail catalog in the Microsoft Store, but displays the private store. + +If you enable this setting, users will not be able to view the retail catalog in the Microsoft Store, but they will be able to view apps in the private store. + +If you disable or don't configure this setting, users can access the retail catalog in the Microsoft Store. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow both public and Private store. | +| 1 | Only Private store is enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | RequirePrivateStoreOnly | +| Friendly Name | Only display the private store within the Microsoft Store | +| Location | Computer and User Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | RequirePrivateStoreOnly | +| ADMX File Name | WindowsStore.admx | + + + + + + + + + +## RestrictAppDataToSystemVolume + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/RestrictAppDataToSystemVolume +``` + + + + +Prevent users' app data from moving to another location when an app is moved or installed on another location. + +If you enable this setting, all users' app data will stay on the system volume, regardless of where the app is installed. + +If you disable or do not configure this setting, then when an app is moved to a different volume, the users' app data will also move to this volume. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not restricted. | +| 1 | Restricted. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | RestrictAppDataToSystemVolume | +| Friendly Name | Prevent users' app data from being stored on non-system volumes | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\Appx | +| Registry Value Name | RestrictAppDataToSystemVolume | +| ADMX File Name | AppxPackageManager.admx | + + + + + + + + + +## RestrictAppToSystemVolume + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/RestrictAppToSystemVolume +``` + + + + +This policy setting allows you to manage installing Windows apps on additional volumes such as secondary partitions, USB drives, or SD cards. + +If you enable this setting, you can't move or install Windows apps on volumes that are not the system volume. + +If you disable or do not configure this setting, you can move or install Windows apps on other volumes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not restricted. | +| 1 | Restricted. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableDeploymentToNonSystemVolumes | +| Friendly Name | Disable installing Windows apps on non-system volumes | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\Appx | +| Registry Value Name | RestrictAppToSystemVolume | +| ADMX File Name | AppxPackageManager.admx | + + + + + + + + + +## ScheduleForceRestartForUpdateFailures + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/ScheduleForceRestartForUpdateFailures +``` + + + + +To ensure apps are up-to-date, this policy allows the admins to set a recurring or one time date to restart apps whose update failed due to the app being in use allowing the update to be applied. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +
    +
    + Expand to see schema XML ```xml - - - - + + + + - - - - - - - - + + + + + ``` - - +
    + - - -
    + + + + - + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md)