From 59409841d4b60142d7e698333b0a5668c9df68a1 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Tue, 28 Sep 2021 09:51:15 +0530 Subject: [PATCH 01/33] Updated --- .../mdm/policy-csp-applicationdefaults.md | 53 +- .../mdm/policy-csp-applicationmanagement.md | 134 +- .../mdm/policy-csp-appruntime.md | 43 +- .../mdm/policy-csp-appvirtualization.md | 772 +++++----- .../mdm/policy-csp-attachmentmanager.md | 100 +- .../client-management/mdm/policy-csp-audit.md | 1362 +++++++++++------ .../mdm/policy-csp-authentication.md | 206 ++- .../mdm/policy-csp-autoplay.md | 99 +- .../mdm/policy-csp-bitlocker.md | 30 +- .../client-management/mdm/policy-csp-bits.md | 130 +- .../mdm/policy-csp-bluetooth.md | 162 +- .../mdm/policy-csp-browser.md | 1201 ++++++++++----- .../mdm/policy-csp-camera.md | 30 +- .../mdm/policy-csp-cellular.md | 136 +- .../mdm/policy-csp-connectivity.md | 353 +++-- .../mdm/policy-csp-controlpolicyconflict.md | 32 +- .../mdm/policy-csp-credentialproviders.md | 94 +- 17 files changed, 3004 insertions(+), 1933 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 87aec967af..1a77467f47 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ApplicationDefaults -description: Learn about various Policy configuration service provider (CSP) - ApplicationDefaults, including SyncML, for Windows 10. +description: Learn about various Policy configuration service provider (CSP) - ApplicationDefaults, including SyncML, for Windows 10. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -39,28 +39,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
@@ -77,7 +83,7 @@ manager: dansimp -Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML. +This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied. @@ -155,28 +161,34 @@ Here is the SyncMl example: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -217,16 +229,7 @@ This setting supports a range of values between 0 and 1.
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 2843bc4633..d7d387430b 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ApplicationManagement -description: Learn about various Policy configuration service provider (CSP) - ApplicationManagement, including SyncML, for Windows 10. +description: Learn about various Policy configuration service provider (CSP) - ApplicationManagement, including SyncML, for Windows 10. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -73,28 +73,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Home✔️YesYes
Pro✔️YesYes
Business✔️YesYes
Enterprise✔️YesYes
Education✔️YesYes
@@ -142,28 +148,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
HomeNoNo
Pro✔️YesYes
Business✔️YesYes
Enterprise✔️YesYes
Education✔️YesYes
@@ -211,28 +223,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
HomeNoNo
Pro✔️YesYes
Business✔️YesYes
Enterprise✔️YesYes
Education✔️YesYes
@@ -280,28 +298,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
HomeNoNo
Pro✔️YesYes
Business✔️YesYes
Enterprise✔️YesYes
Education✔️YesYes
@@ -351,28 +375,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
HomeNoNo
Pro✔️YesYes
Business✔️YesYes
Enterprise✔️YesYes
Education✔️YesYes
@@ -419,30 +449,35 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + + -
Windows EditionSupported?EditionWindows 10Windows 11
HomeNoNo
ProNoNo
Business✔️8YesYes
Enterprise✔️8YesYes
Education✔️8YesYes
@@ -458,7 +493,7 @@ Most restricted value: 0 -Added in Windows 10, version 2004. + Manages non-administrator users' ability to install Windows app packages. @@ -1100,15 +1135,6 @@ XSD:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md index 5985ed58aa..3d94d24363 100644 --- a/windows/client-management/mdm/policy-csp-appruntime.md +++ b/windows/client-management/mdm/policy-csp-appruntime.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - AppRuntime +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -36,31 +42,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -81,12 +94,7 @@ If you enable this policy setting, Windows Store apps that typically require a M If you disable or do not configure this policy setting, users will need to sign in with a Microsoft account. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -99,16 +107,7 @@ ADMX Info:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index 08865e0dd4..01286d5cf3 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - AppVirtualization +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -117,31 +123,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -158,12 +171,7 @@ manager: dansimp This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -183,28 +191,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -224,12 +238,7 @@ ADMX Info: Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -249,28 +258,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -290,12 +305,7 @@ ADMX Info: Enables automatic cleanup of appv packages that were added after Windows10 anniversary release. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -315,28 +325,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -356,12 +372,7 @@ ADMX Info: Enables scripts defined in the package manifest of configuration files that should run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -381,28 +392,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -422,12 +439,7 @@ ADMX Info: Enables a UX to display to the user when a publishing refresh is performed on the client. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -447,28 +459,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -498,12 +516,7 @@ Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -523,28 +536,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -564,12 +583,7 @@ ADMX Info: Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -589,28 +603,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -630,12 +650,7 @@ ADMX Info: Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -655,28 +670,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -696,12 +717,7 @@ ADMX Info: Specifies how new packages should be loaded automatically by App-V on a specific computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -721,28 +737,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -762,12 +784,7 @@ ADMX Info: Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -787,28 +804,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -828,12 +851,7 @@ ADMX Info: Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -853,28 +871,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -894,12 +918,7 @@ ADMX Info: Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -919,28 +938,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -978,12 +1003,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1003,28 +1023,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1062,12 +1088,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1087,28 +1108,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1146,12 +1173,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1171,28 +1193,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1230,12 +1258,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1255,28 +1278,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1314,12 +1343,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1339,28 +1363,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1380,12 +1410,7 @@ ADMX Info: Specifies the path to a valid certificate in the certificate store. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1405,28 +1430,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1446,12 +1477,7 @@ ADMX Info: This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1471,28 +1497,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1512,12 +1544,7 @@ ADMX Info: Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1537,28 +1564,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1578,12 +1611,7 @@ ADMX Info: Specifies directory where all new applications and updates will be installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1603,28 +1631,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1644,12 +1678,7 @@ ADMX Info: Overrides source location for downloading package content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1669,28 +1698,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1710,12 +1745,7 @@ ADMX Info: Specifies the number of seconds between attempts to reestablish a dropped session. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1735,28 +1765,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1776,12 +1812,7 @@ ADMX Info: Specifies the number of times to retry a dropped session. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1801,28 +1832,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1842,12 +1879,7 @@ ADMX Info: Specifies that streamed package contents will be not be saved to the local hard disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1867,28 +1899,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1908,12 +1946,7 @@ ADMX Info: If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1933,28 +1966,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1974,12 +2013,7 @@ ADMX Info: Verifies Server certificate revocation status before streaming using HTTPS. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1999,28 +2033,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -2040,12 +2080,7 @@ ADMX Info: Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc.). Only processes whose full path matches one of these items can use virtual components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2058,16 +2093,7 @@ ADMX Info:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index aa15e81d84..227cc1205e 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md @@ -14,6 +14,13 @@ manager: dansimp # Policy CSP - AttachmentManager +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
@@ -42,31 +49,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -89,12 +103,7 @@ If you disable this policy setting, Windows marks file attachments with their zo If you do not configure this policy setting, Windows marks file attachments with their zone information. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -114,31 +123,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -161,12 +177,7 @@ If you disable this policy setting, Windows shows the check box and Unblock butt If you do not configure this policy setting, Windows hides the check box and Unblock button. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -186,31 +197,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -233,12 +251,7 @@ If you disable this policy setting, Windows does not call the registered antivir If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -251,16 +264,7 @@ ADMX Info:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index 5d063b5378..cdfff2c484 100644 --- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -206,31 +206,38 @@ ms.date: 09/27/2019 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -244,7 +251,7 @@ ms.date: 09/27/2019 -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by a failed attempt to log on to an account that is locked out. +This policy setting allows you to audit events generated by a failed attempt to log on to an account that is locked out. If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts. @@ -283,31 +290,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -321,7 +335,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. +This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group membership information cannot fit in a single security audit event. @@ -357,31 +371,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -395,7 +416,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. +This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation. @@ -433,31 +454,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -471,7 +499,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. +This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. @@ -508,31 +536,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -546,7 +581,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. +This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. @@ -582,31 +617,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -620,7 +662,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. +This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. If you configure this policy setting, an audit event is generated when a logon session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. If you do not configure this policy setting, no audit event is generated when a logon session is closed. @@ -657,31 +699,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -695,7 +744,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by user account logon attempts on the computer. +This policy setting allows you to audit events generated by user account logon attempts on the computer. Events in this subcategory are related to the creation of logon sessions and occur on the computer which was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The following events are included: - Successful logon attempts. @@ -735,31 +784,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -773,7 +829,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. +This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts. If you do not configure this policy settings, IAS and NAP user access requests are not audited. @@ -809,31 +865,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -889,31 +952,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -927,7 +997,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by special logons, such as the following: +This policy setting allows you to audit events generated by special logons, such as the following: - The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. - A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [Audit Special Logon](/windows/security/threat-protection/auditing/audit-special-logon). @@ -963,31 +1033,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -1001,7 +1078,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy allows you to audit user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. +This policy allows you to audit user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. User claims are added to a logon token when claims are included with a user's account attributes in Active Directory. Device claims are added to the logon token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on. @@ -1039,31 +1116,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -1077,7 +1161,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by validation tests on user account logon credentials. +This policy setting allows you to audit events generated by validation tests on user account logon credentials. Events in this subcategory occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. @@ -1113,31 +1197,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -1151,7 +1242,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. +This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT request. @@ -1188,31 +1279,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -1226,7 +1324,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. +This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account. @@ -1263,31 +1361,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -1301,7 +1406,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. +This policy setting allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. Currently, there are no events in this subcategory. @@ -1336,31 +1441,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -1374,7 +1486,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to application groups, such as the following: +This policy setting allows you to audit events generated by changes to application groups, such as the following: - Application group is created, changed, or deleted. - Member is added or removed from an application group. @@ -1413,31 +1525,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -1451,7 +1570,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. +This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a computer account changes. @@ -1488,31 +1607,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -1526,7 +1652,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to distribution groups, such as the following: +This policy setting allows you to audit events generated by changes to distribution groups, such as the following: - Distribution group is created, changed, or deleted. - Member is added or removed from a distribution group. - Distribution group type is changed. @@ -1569,31 +1695,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -1607,7 +1740,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following: +This policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following: - The password hash of a user account was accessed. This typically happens during an Active Directory Management Tool password migration. - The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack. - Changes to the Default Domain Group Policy under the following Group Policy paths: @@ -1649,31 +1782,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -1687,7 +1827,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to security groups, such as the following: +This policy setting allows you to audit events generated by changes to security groups, such as the following: - Security group is created, changed, or deleted. - Member is added or removed from a security group. - Group type is changed. @@ -1727,31 +1867,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -1765,7 +1912,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit changes to user accounts. +This policy setting allows you to audit changes to user accounts. Events include the following: - A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. - A user account’s password is set or changed. @@ -1809,31 +1956,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -1847,7 +2001,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers. +This policy setting allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers. Volume: High. @@ -1882,31 +2036,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -1920,7 +2081,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed. +This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed. Only AD DS objects with a matching system access control list (SACL) are logged. @@ -1958,31 +2119,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -1996,7 +2164,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. +This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the object’s properties. @@ -2040,31 +2208,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -2078,7 +2253,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. +This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication. If you do not configure this policy setting, no audit event is generated during AD DS replication. @@ -2118,31 +2293,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -2156,7 +2338,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see https://go.microsoft.com/fwlink/?LinkId=121720. +This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see https://go.microsoft.com/fwlink/?LinkId=121720. If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. @@ -2192,31 +2374,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -2230,7 +2419,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit when plug and play detects an external device. +This policy setting allows you to audit when plug and play detects an external device. If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. @@ -2266,31 +2455,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -2304,7 +2500,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. +This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a process is created. @@ -2340,31 +2536,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -2378,7 +2581,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated when a process ends. +This policy setting allows you to audit events generated when a process ends. If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a process ends. @@ -2414,31 +2617,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -2452,7 +2662,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit inbound remote procedure call (RPC) connections. +This policy setting allows you to audit inbound remote procedure call (RPC) connections. If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a remote RPC connection is attempted. @@ -2488,31 +2698,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -2526,7 +2743,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by adjusting the privileges of a token. +This policy setting allows you to audit events generated by adjusting the privileges of a token. Volume: High. @@ -2560,31 +2777,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -2598,7 +2822,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. +This policy setting allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. Events in this subcategory include: - Creation of an application client context. - Deletion of an application client context. @@ -2636,31 +2860,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -2674,7 +2905,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object. +This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object. If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event will be generated as follows: 1. Success audits, when configured, records access attempts when the current central access policy grants access but the proposed policy denies access. @@ -2715,31 +2946,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -2753,7 +2991,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations. +This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations. AD CS operations include the following: - AD CS startup/shutdown/backup/restore. @@ -2804,31 +3042,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -2842,7 +3087,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. +This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures. @@ -2880,31 +3125,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -2918,7 +3170,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit attempts to access a shared folder. +This policy setting allows you to audit attempts to access a shared folder. If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. @@ -2956,31 +3208,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -2994,7 +3253,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see [Apply a basic audit policy on a file or folder](/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder). +This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see [Apply a basic audit policy on a file or folder](/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder). If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. @@ -3033,31 +3292,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -3071,7 +3337,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). +This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). The following events are included: - The Windows Firewall Service blocks an application from accepting incoming connections on the network. - The WFP allows a connection. @@ -3118,31 +3384,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -3156,7 +3429,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit packets that are dropped by Windows Filtering Platform (WFP). +This policy setting allows you to audit packets that are dropped by Windows Filtering Platform (WFP). Volume: High. @@ -3190,31 +3463,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -3228,7 +3508,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. +This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a handle is manipulated. @@ -3267,31 +3547,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -3305,7 +3592,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit attempts to access the kernel, which includes mutexes and semaphores. +This policy setting allows you to audit attempts to access the kernel, which includes mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events. > [!Note] @@ -3342,31 +3629,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -3380,7 +3674,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. +This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. For scheduler jobs, the following are audited: - Job created. - Job deleted. @@ -3424,31 +3718,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -3462,7 +3763,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. +This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL. @@ -3501,31 +3802,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -3539,7 +3847,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. +This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. @@ -3575,31 +3883,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -3613,7 +3928,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. +This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. SAM objects include the following: - SAM_ALIAS -- A local group. - SAM_GROUP -- A group that is not a local group. @@ -3659,31 +3974,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -3697,7 +4019,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to the authentication policy, such as the following: +This policy setting allows you to audit events generated by changes to the authentication policy, such as the following: - Creation of forest and domain trusts. - Modification of forest and domain trusts. - Removal of forest and domain trusts. @@ -3748,31 +4070,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -3786,7 +4115,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to the authorization policy, such as the following: +This policy setting allows you to audit events generated by changes to the authorization policy, such as the following: - Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. - Removal of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. - Changes in the Encrypted File System (EFS) policy. @@ -3828,31 +4157,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -3866,7 +4202,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP), such as the following: +This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP), such as the following: - IPsec services status. - Changes to IPsec policy settings. - Changes to Windows Firewall policy settings. @@ -3907,31 +4243,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -3945,7 +4288,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. +This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following: - Reporting of active policies when Windows Firewall service starts. - Changes to Windows Firewall rules. @@ -3989,31 +4332,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -4027,7 +4377,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following: +This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following: - Trusted Platform Module (TPM) configuration changes. - Kernel-mode cryptographic self tests. - Cryptographic provider operations. @@ -4067,31 +4417,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -4105,7 +4462,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit changes in the security audit policy settings, such as the following: +This policy setting allows you to audit changes in the security audit policy settings, such as the following: - Settings permissions and audit settings on the Audit Policy object. - Changes to the system audit policy. - Registration of security event sources. @@ -4150,31 +4507,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -4188,7 +4552,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). +This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). The following privileges are non-sensitive: - Access Credential Manager as a trusted caller. - Access this computer from the network. @@ -4255,31 +4619,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -4325,31 +4696,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -4363,7 +4741,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated when sensitive privileges (user rights) are used, such as the following: +This policy setting allows you to audit events generated when sensitive privileges (user rights) are used, such as the following: - A privileged service is called. - One of the following privileges are called: - Act as part of the operating system. @@ -4414,31 +4792,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -4452,7 +4837,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by the IPsec filter driver, such as the following: +This policy setting allows you to audit events generated by the IPsec filter driver, such as the following: - Startup and shutdown of the IPsec services. - Network packets dropped due to integrity check failure. - Network packets dropped due to replay check failure. @@ -4495,31 +4880,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -4533,7 +4925,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit any of the following events: +This policy setting allows you to audit any of the following events: - Startup and shutdown of the Windows Firewall service and driver. - Security policy processing by the Windows Firewall Service. - Cryptography key file and migration operations. @@ -4570,31 +4962,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -4608,7 +5007,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes in the security state of the computer, such as the following events: +This policy setting allows you to audit events generated by changes in the security state of the computer, such as the following events: - Startup and shutdown of the computer. - Change of system time. - Recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. @@ -4645,31 +5044,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -4683,7 +5089,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events related to security system extensions or services, such as the following: +This policy setting allows you to audit events related to security system extensions or services, such as the following: - A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM. - A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. @@ -4722,31 +5128,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -4760,7 +5173,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events that violate the integrity of the security subsystem, such as the following: +This policy setting allows you to audit events that violate the integrity of the security subsystem, such as the following: - Events that could not be written to the event log because of a problem with the auditing system. - A process that uses a local procedure call (LPC) port that is not valid in an attempt to impersonate a client by replying, reading, or writing to or from a client address space. - The detection of a Remote Procedure Call (RPC) that compromises system integrity. @@ -4792,15 +5205,6 @@ The following are the supported values:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 490bc43255..83bbd6d38f 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -59,31 +59,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -97,7 +104,7 @@ manager: dansimp -Added in Windows 10, version 1709. Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen. +Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen. @@ -117,31 +124,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -175,31 +189,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -235,31 +256,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -273,7 +301,7 @@ The following list shows the supported values: -Preview release in Windows 10, version 1709. Supported in the next release. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows logon credential provider for FIDO 2.0 +Supported in the next release. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows logon credential provider for FIDO 2.0 Value type is integer. @@ -297,31 +325,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark1NoNo
Procheck mark1YesYes
Businesscheck mark1YesYes
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
+
@@ -335,7 +370,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows. +Allows secondary authentication devices to work with Windows. The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premises only environment, cloud domain-joined in a hybrid environment, and BYOD). @@ -367,31 +402,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
+
@@ -405,7 +447,7 @@ The following list shows the supported values: -Available in Windows 10, version 1803. Specifies the list of domains that are allowed to be navigated to in AAD PIN reset and Web Sign-in Windows device scenarios where authentication is handled by AD FS or a third-party federated identity provider. Note this policy is required in federated environments as a mitigation to the vulnerability described in [CVE-2021-27092](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27092). +Specifies the list of domains that are allowed to be navigated to in AAD PIN reset and Web Sign-in Windows device scenarios where authentication is handled by AD FS or a third-party federated identity provider. Note this policy is required in federated environments as a mitigation to the vulnerability described in [CVE-2021-27092](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27092). **Example**: If your organization's PIN reset or Web Sign-in authentication flow is expected to navigate to two domains, accounts.contoso.com and signin.contoso.com, the policy value should be "accounts.contoso.com;signin.contoso.com". @@ -429,31 +471,38 @@ Available in Windows 10, version 1803. Specifies the list of domains that are al - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -501,31 +550,38 @@ Value type is integer. Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -573,31 +629,38 @@ Value type is integer. Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -631,15 +694,6 @@ Value type is string.
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index 0eca05d2bb..0223d28d59 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - Autoplay +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -42,31 +48,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -88,12 +101,7 @@ If you enable this policy setting, AutoPlay is not allowed for MTP devices like If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -113,31 +121,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -168,12 +183,7 @@ b) Revert back to pre-Windows Vista behavior of automatically executing the auto If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -193,31 +203,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -249,12 +266,7 @@ If you disable or do not configure this policy setting, AutoPlay is enabled. Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -267,16 +279,7 @@ ADMX Info:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index 03fcf174ca..c629f2ed81 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -39,31 +39,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -95,15 +102,6 @@ The following list shows the supported values:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index 02abb3111c..1e7659b25f 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -57,31 +57,38 @@ If BITS/BandwidthThrottlingStartTime or BITS/BandwidthThrottlingEndTime are NOT - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark5YesYes
Procheck mark5YesYes
Businesscross markNoNo
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -140,28 +147,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark5YesYes
Procheck mark5YesYes
Businesscross markNoNo
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
@@ -223,28 +236,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark5YesYes
Procheck mark5YesYes
Businesscross markNoNo
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
@@ -306,28 +325,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark5YesYes
Procheck mark5YesYes
Businesscross markNoNo
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
@@ -384,28 +409,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark5YesYes
Procheck mark5YesYes
Businesscross markNoNo
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
@@ -462,28 +493,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark5YesYes
Procheck mark5YesYes
Businesscross markNoNo
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
@@ -540,16 +577,7 @@ Supported values range: 0 - 999
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 6426fba5e8..c209021556 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -52,31 +52,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -114,31 +121,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -176,31 +190,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark1YesYes
Businesscheck mark1YesYes
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
+
@@ -234,31 +255,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
+
@@ -272,7 +300,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. This policy allows the IT admin to block users on these managed devices from using Swift Pair and other proximity based scenarios. +This policy allows the IT admin to block users on these managed devices from using Swift Pair and other proximity based scenarios. @@ -292,31 +320,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -347,31 +382,38 @@ If this policy is not set or it is deleted, the default local radio name is used - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -385,7 +427,7 @@ If this policy is not set or it is deleted, the default local radio name is used -Added in Windows 10, version 1511. Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. +Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. The default value is an empty string. For more information, see [ServicesAllowedList usage guide](#servicesallowedlist-usage-guide) @@ -400,31 +442,38 @@ The default value is an empty string. For more information, see [ServicesAllowed - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark8YesYes
Businesscheck mark8YesYes
Enterprisecheck mark8YesYes
Educationcheck mark8YesYes
+
@@ -438,7 +487,7 @@ The default value is an empty string. For more information, see [ServicesAllowed -Added in Windows 10, version 2004. There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments. +There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments. @@ -458,16 +507,7 @@ For more information on allowed key sizes, refer to Bluetooth Core Specification
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 14cd612597..12da488189 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -201,31 +201,38 @@ ms.localizationpriority: medium - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
+
@@ -272,31 +279,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -351,31 +365,38 @@ To verify AllowAutofill is set to 0 (not allowed): - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
+
@@ -420,31 +441,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -499,31 +527,38 @@ To verify AllowCookies is set to 0 (not allowed): - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -539,7 +574,7 @@ To verify AllowCookies is set to 0 (not allowed): > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. [!INCLUDE [allow-developer-tools-shortdesc](../includes/allow-developer-tools-shortdesc.md)] @@ -570,31 +605,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -648,31 +690,38 @@ To verify AllowDoNotTrack is set to 0 (not allowed): - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark1YesYes
Businesscheck mark1YesYes
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
+
@@ -717,31 +766,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -786,31 +842,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
+
@@ -858,31 +921,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -935,31 +1005,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -1004,31 +1081,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
+
@@ -1077,31 +1161,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -1155,31 +1246,38 @@ To verify AllowPasswordManager is set to 0 (not allowed): - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -1233,31 +1331,38 @@ To verify AllowPopups is set to 0 (not allowed): - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -1311,31 +1416,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -1388,31 +1500,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -1465,31 +1584,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
+
@@ -1540,31 +1666,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -1610,31 +1743,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -1687,31 +1827,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -1764,31 +1911,38 @@ To verify AllowSmartScreen is set to 0 (not allowed): - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -1840,31 +1994,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -1916,31 +2077,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
+
@@ -1988,31 +2156,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
+
@@ -2068,31 +2243,38 @@ To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
+
@@ -2143,31 +2325,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -2220,31 +2409,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -2301,31 +2497,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -2385,31 +2588,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -2464,31 +2674,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -2553,31 +2770,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -2631,31 +2855,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
+
@@ -2707,31 +2938,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
+
@@ -2776,31 +3014,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -2819,7 +3064,7 @@ Most restricted value: 0 [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../includes/configure-enterprise-mode-site-list-shortdesc.md)] > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. @@ -2851,31 +3096,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -2904,31 +3156,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -2944,7 +3203,7 @@ Supported values: > [!NOTE] -> This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only available for Windows for desktop and not supported in Windows Mobile. [!INCLUDE [configure-start-pages-shortdesc](../includes/configure-start-pages-shortdesc.md)] @@ -2989,31 +3248,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -3060,31 +3326,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -3129,31 +3402,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -3204,31 +3484,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
+
@@ -3274,31 +3561,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
+
@@ -3344,31 +3638,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -3412,31 +3713,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -3481,31 +3789,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -3556,31 +3871,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -3596,7 +3918,7 @@ Supported values: > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. [!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] @@ -3627,31 +3949,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -3705,31 +4034,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -3748,7 +4084,7 @@ ADMX Info: [!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../includes/send-all-intranet-sites-to-ie-shortdesc.md)] > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. @@ -3779,31 +4115,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
+
@@ -3857,31 +4200,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -3932,31 +4282,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -4006,31 +4363,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -4049,7 +4413,7 @@ Supported values: > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. @@ -4079,31 +4443,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -4123,7 +4494,7 @@ By default, a notification will be presented to the user informing them of this With this policy, you can either allow (default) or suppress this notification. > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. @@ -4147,31 +4518,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
+
@@ -4192,7 +4570,7 @@ Supported values: [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. @@ -4230,31 +4608,38 @@ To verify that favorites are in synchronized between Internet Explorer and Micro - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -4305,31 +4690,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
+
@@ -4367,15 +4759,6 @@ Most restricted value: 0
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md index 22a1a37ce3..3ac207a7e5 100644 --- a/windows/client-management/mdm/policy-csp-camera.md +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -36,31 +36,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -97,16 +104,7 @@ The following list shows the supported values:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index 7e776b0469..17a6da62e3 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - Cellular +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -48,31 +54,39 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+ +
@@ -86,7 +100,7 @@ manager: dansimp -Added in Windows 10, version 1709. This policy setting specifies whether Windows apps can access cellular data. +This policy setting specifies whether Windows apps can access cellular data. You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting. @@ -128,31 +142,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -166,7 +187,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. @@ -188,31 +209,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -226,7 +254,7 @@ ADMX Info: -Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. @@ -248,31 +276,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -286,7 +321,7 @@ ADMX Info: -Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. +List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. @@ -308,31 +343,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -352,12 +394,7 @@ If this policy setting is enabled, a drop-down list box presenting possible valu If this policy setting is disabled or is not configured, the link to the per-application cellular access control page is showed by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -370,16 +407,7 @@ ADMX Info:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 90a5286d6f..356d8123f7 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -14,6 +14,14 @@ manager: dansimp # Policy CSP - Connectivity +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
@@ -73,31 +81,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -139,31 +154,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -198,31 +220,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -277,31 +306,38 @@ To validate on mobile devices, do the following: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
+
@@ -318,7 +354,7 @@ To validate on mobile devices, do the following: > [!NOTE] > This policy requires reboot to take effect. -Added in Windows 10, version 1703. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. +Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. @@ -338,31 +374,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
+
@@ -376,7 +419,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue tasks, such as reading, email, and other tasks that require linking between Phone and PC. +This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue tasks, such as reading, email, and other tasks that require linking between Phone and PC. If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in 'Continue on PC experiences'. If you disable this policy setting, the Windows device is not allowed to be linked to phones, will remove itself from the device list of any linked Phones, and cannot participate in 'Continue on PC experiences'. If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. @@ -413,31 +456,38 @@ Device that has previously opt-in to MMX will also stop showing on the device li - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecross markNoNo
Educationcross markNoNo
+
@@ -478,31 +528,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -538,31 +595,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -598,31 +662,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -649,12 +720,7 @@ If you disable or do not configure this policy setting, users can choose to prin Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -674,31 +740,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -723,12 +796,7 @@ If you enable this policy setting, print drivers cannot be downloaded over HTTP. If you disable or do not configure this policy setting, users can download print drivers over HTTP. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -748,31 +816,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -797,12 +872,7 @@ If you disable or do not configure this policy setting, a list of providers are See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -822,31 +892,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
+
@@ -860,7 +937,7 @@ ADMX Info: -Added in Windows 10, version 1703. Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to to determine if the device can communicate with the Internet. This policy disables the NCSI active probe, preventing network connectivity to www.msftconnecttest.com. +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to to determine if the device can communicate with the Internet. This policy disables the NCSI active probe, preventing network connectivity to www.msftconnecttest.com. Value type is integer. @@ -883,31 +960,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -926,12 +1010,7 @@ This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -951,31 +1030,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -998,12 +1084,7 @@ The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to If you disable this setting or do not configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an existing Network Bridge from the user's computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1017,16 +1098,6 @@ ADMX Info:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. -- 9 - Available in Windows 10, version 2009. diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index b1e5575610..f9aea239a4 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -35,31 +35,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
+
@@ -73,7 +80,7 @@ manager: dansimp -Added in Windows 10, version 1803. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device. +This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device. > [!NOTE] > MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs. @@ -117,15 +124,6 @@ The following list shows the supported values:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index cf333911ba..a0cf427df5 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - CredentialProviders +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -42,31 +48,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -91,12 +104,7 @@ Note: The user's domain password will be cached in the system vault when using t To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -116,31 +124,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -163,12 +178,7 @@ If you disable or don't configure this policy setting, a domain user can set up Note that the user's domain password will be cached in the system vault when using this feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -188,31 +198,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -226,7 +243,7 @@ ADMX Info: -Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. +Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the Autopilot Reset is triggered the devices are for ready for use by information workers or students. @@ -241,16 +258,7 @@ The following list shows the supported values:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. From 27d6528a28363611d27a51f9f0950092e0b42a30 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Tue, 28 Sep 2021 11:11:52 +0530 Subject: [PATCH 02/33] Updated --- .../mdm/policy-csp-applicationdefaults.md | 14 +- .../client-management/mdm/policy-csp-audit.md | 530 +++++++++--------- 2 files changed, 272 insertions(+), 272 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 1a77467f47..2337443c82 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ApplicationDefaults -description: Learn about various Policy configuration service provider (CSP) - ApplicationDefaults, including SyncML, for Windows 10. +description: Learn about various Policy configuration service providers (CSP) - ApplicationDefaults, including SyncML, for Windows 10. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -83,9 +83,9 @@ manager: dansimp -This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML. +This policy allows an administrator to set default file type and protocol associations. When set, default associations are applied on sign in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml). Then, it needs to be base64 encoded before being added to SyncML. -If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied. +If policy is enabled and the client machine is having Azure Active Directory, the associations assigned in SyncML are processed and default associations are applied. @@ -106,7 +106,7 @@ To create the SyncML, follow these steps:
  • Paste the base64 encoded XML into the SyncML
    • -Here is an example output from the dism default association export command: +Here's an example output from the dism default association export command: ```xml @@ -119,13 +119,13 @@ Here is an example output from the dism default association export command: @@ -211,7 +211,7 @@ Enabling this policy setting enables web-to-app linking so that apps can be laun Disabling this policy disables web-to-app linking and http(s) URIs will be opened in the default browser instead of launching the associated app. -If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. +If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index cdfff2c484..4be64f929b 100644 --- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Audit -description: Learn how the Policy CSP - Audit setting causes an audit event to be generated when an account can't log on to a computer because the account is locked out. +description: Learn how the Policy CSP - Audit setting causes an audit event to be generated when an account can't sign in to a computer because the account is locked out. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -251,11 +251,11 @@ ms.date: 09/27/2019 -This policy setting allows you to audit events generated by a failed attempt to log on to an account that is locked out. +This policy setting allows you to audit events generated by a failed attempt to sign in to an account that is locked out. -If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts. +If you configure this policy setting, an audit event is generated when an account can't sign in to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts. -Logon events are essential for understanding user activity and to detect potential attacks. +Sign in events are essential for understanding user activity and to detect potential attacks. Volume: Low. @@ -268,10 +268,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -335,9 +335,9 @@ The following are the supported values: -This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. +This policy allows you to audit the group membership information in the user's sign in token. Events in this subcategory are generated on the computer on which a sign in session is created. For an interactive sign in, the security audit event is generated on the computer that the user logged on to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. -When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group membership information cannot fit in a single security audit event. +When this setting is configured, one or more security audit events are generated for each successful sign in. Enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group membership information can't fit in a single security audit event. Volume: Low on a client computer. Medium on a domain controller or a network server. @@ -349,10 +349,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -432,10 +432,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -502,7 +502,7 @@ The following are the supported values: This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. +If you don't configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. Volume: High. @@ -514,10 +514,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -583,7 +583,7 @@ The following are the supported values: This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. -If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. +If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you don't configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. Volume: High. @@ -595,10 +595,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -662,10 +662,10 @@ The following are the supported values: -This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. +This policy setting allows you to audit events generated by the closing of a sign in session. These events occur on the computer that was accessed. For an interactive sign out the security audit event is generated on the computer that the user account logged on to. -If you configure this policy setting, an audit event is generated when a logon session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. -If you do not configure this policy setting, no audit event is generated when a logon session is closed. +If you configure this policy setting, an audit event is generated when a sign in session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. +If you don't configure this policy setting, no audit event is generated when a sign in session is closed. Volume: Low. @@ -677,10 +677,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -744,13 +744,13 @@ The following are the supported values: -This policy setting allows you to audit events generated by user account logon attempts on the computer. -Events in this subcategory are related to the creation of logon sessions and occur on the computer which was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. +This policy setting allows you to audit events generated by user account sign in attempts on the computer. +Events in this subcategory are related to the creation of sign in sessions and occur on the computer that was accessed. For an interactive sign in, the security audit event is generated on the computer that the user account logged on to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The following events are included: -- Successful logon attempts. -- Failed logon attempts. -- Logon attempts using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch logon configurations, such as scheduled tasks or when using the RUNAS command. -- Security identifiers (SIDs) were filtered and not allowed to log on. +- Successful sign in attempts. +- Failed sign in attempts. +- sign in attempts using explicit credentials. This event is generated when a process attempts to sign in an account by explicitly specifying that account’s credentials. This most commonly occurs in batch sign in configurations, such as scheduled tasks or when using the RUNAS command. +- Security identifiers (SIDs) were filtered and not allowed to sign in. Volume: Low on a client computer. Medium on a domain controller or a network server. @@ -762,10 +762,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -843,10 +843,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 — Success -- 2 — Failure -- 3 (default) — Success+Failure +- 0—Off/None +- 1—Success +- 2—Failure +- 3 (default)—Success+Failure @@ -910,7 +910,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting, such as the following: +This policy setting allows you to audit other logon/logoff-related events that aren't covered in the “Logon/Logoff” policy setting, such as the following: - Terminal Services session disconnections. - New Terminal Services sessions. - Locking and unlocking a workstation. @@ -930,10 +930,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -998,8 +998,8 @@ The following are the supported values: This policy setting allows you to audit events generated by special logons, such as the following: -- The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. -- A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [Audit Special Logon](/windows/security/threat-protection/auditing/audit-special-logon). +- The use of a special sign in, which is a sign in that has administrator-equivalent privileges and can be used to elevate a process to a higher level. +- A sign in by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during sign in and the subcategory is enabled, an event is logged. For more information about this feature, see [Audit Special Logon](/windows/security/threat-protection/auditing/audit-special-logon). Volume: Low. @@ -1011,10 +1011,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -1078,11 +1078,11 @@ The following are the supported values: -This policy allows you to audit user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. +This policy allows you to audit user and device claims information in the user's sign in token. Events in this subcategory are generated on the computer on which a sign in session is created. For an interactive sign in, the security audit event is generated on the computer that the user logged on to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. -User claims are added to a logon token when claims are included with a user's account attributes in Active Directory. Device claims are added to the logon token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on. +User claims are added to a sign in token when claims are included with a user's account attributes in Active Directory. Device claims are added to the sign in token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on. -When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information cannot fit in a single security audit event. +When this setting is configured, one or more security audit events are generated for each successful sign in. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information cannot fit in a single security audit event. Volume: Low on a client computer. Medium on a domain controller or a network server. @@ -1094,10 +1094,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1161,7 +1161,7 @@ The following are the supported values: -This policy setting allows you to audit events generated by validation tests on user account logon credentials. +This policy setting allows you to audit events generated by validation tests on user account sign in credentials. Events in this subcategory occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. @@ -1175,10 +1175,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1257,10 +1257,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1339,10 +1339,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1406,7 +1406,7 @@ The following are the supported values: -This policy setting allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. +This policy setting allows you to audit events generated by responses to credential requests submitted for a user account sign in that are not credential validation or Kerberos tickets. Currently, there are no events in this subcategory. @@ -1419,10 +1419,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1486,7 +1486,7 @@ The following are the supported values: -This policy setting allows you to audit events generated by changes to application groups, such as the following: +This policy setting allows you to audit events generated by changes to application groups as follows: - Application group is created, changed, or deleted. - Member is added or removed from an application group. @@ -1503,10 +1503,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1585,10 +1585,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1652,7 +1652,7 @@ The following are the supported values: -This policy setting allows you to audit events generated by changes to distribution groups, such as the following: +This policy setting allows you to audit events generated by changes to distribution groups as follows: - Distribution group is created, changed, or deleted. - Member is added or removed from a distribution group. - Distribution group type is changed. @@ -1673,10 +1673,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1740,7 +1740,7 @@ The following are the supported values: -This policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following: +This policy setting allows you to audit events generated by other user account changes that are not covered in this category as follows: - The password hash of a user account was accessed. This typically happens during an Active Directory Management Tool password migration. - The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack. - Changes to the Default Domain Group Policy under the following Group Policy paths: @@ -1760,10 +1760,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1845,10 +1845,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -1913,7 +1913,7 @@ The following are the supported values: This policy setting allows you to audit changes to user accounts. -Events include the following: +The events included are as follows: - A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. - A user account’s password is set or changed. - A security identifier (SID) is added to the SID History of a user account. @@ -1934,10 +1934,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -2014,10 +2014,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2097,10 +2097,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2186,10 +2186,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2271,10 +2271,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2353,10 +2353,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2434,10 +2434,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2515,10 +2515,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2596,10 +2596,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2677,10 +2677,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2755,10 +2755,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2839,10 +2839,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2924,10 +2924,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3021,10 +3021,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3104,10 +3104,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3187,10 +3187,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3271,10 +3271,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3363,10 +3363,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3442,10 +3442,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3526,10 +3526,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3608,10 +3608,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3697,10 +3697,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3781,10 +3781,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3862,10 +3862,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3953,10 +3953,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4048,10 +4048,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -4135,10 +4135,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4221,10 +4221,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4310,10 +4310,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4395,10 +4395,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4485,10 +4485,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -4598,10 +4598,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4675,10 +4675,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4771,10 +4771,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4858,10 +4858,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4940,10 +4940,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 — Success -- 2 — Failure -- 3 (default) — Success+Failure +- 0—Off/None +- 1—Success +- 2—Failure +- 3 (default)—Success+Failure @@ -5022,10 +5022,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -5106,10 +5106,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -5190,10 +5190,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 — Success -- 2 — Failure -- 3 (default) — Success+Failure +- 0—Off/None +- 1—Success +- 2—Failure +- 3 (default)—Success+Failure From b6ba405980cb95b018ec5ba354bfdb5272c5d310 Mon Sep 17 00:00:00 2001 From: Joe Henry Date: Tue, 28 Sep 2021 19:14:56 -0400 Subject: [PATCH 03/33] Update use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md Added a note that all policies must be PKCS 7 signed --- ...t-windows-defender-application-control-against-tampering.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index 11d3f0df1e..3ceb3636e0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -46,6 +46,9 @@ To sign a WDAC policy with SignTool.exe, you need the following components: - An internal CA code signing certificate or a purchased code signing certificate +> [!NOTE] +> All policies (base and supplemental and single-policy format) must be pkcs7 signed. [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652) + If you do not have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session: 1. Initialize the variables that will be used: From 7e2414ec920033f9af0ff465f4f2c9a8aa217003 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Wed, 29 Sep 2021 13:05:23 +0530 Subject: [PATCH 04/33] CSP -03 : Windows 11 matrix update Updated the tables with Windows 11 and converted images into text respectively --- .../mdm/policy-csp-internetexplorer.md | 6716 +++++++++-------- .../mdm/policy-csp-kerberos.md | 54 +- .../mdm/policy-csp-kioskbrowser.md | 163 +- .../mdm/policy-csp-lanmanworkstation.md | 33 +- .../mdm/policy-csp-licensing.md | 54 +- ...policy-csp-localpoliciessecurityoptions.md | 10 - .../mdm/policy-csp-localusersandgroups.md | 25 +- .../mdm/policy-csp-lockdown.md | 34 +- 8 files changed, 3533 insertions(+), 3556 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 8222726809..3d06d6810d 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -799,6 +799,12 @@ manager: dansimp +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
    @@ -808,28 +814,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -854,12 +866,6 @@ If you enable this policy setting, the user can add and remove search providers, If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -879,28 +885,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -925,12 +937,6 @@ If you enable this policy setting, ActiveX Filtering is enabled by default for t If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -950,28 +956,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -1002,12 +1014,6 @@ Value - A number indicating whether Internet Explorer should deny or allow the a If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1027,28 +1033,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -1074,12 +1086,6 @@ If you disable this setting the user cannot change "User name and passwords on f If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1099,28 +1105,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -1145,12 +1157,6 @@ If you enable this policy setting, the certificate address mismatch warning alwa If you disable or do not configure this policy setting, the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the Internet Control panel). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1170,28 +1176,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -1220,12 +1232,6 @@ If you do not configure this policy setting, it can be configured on the General If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting has no effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1245,28 +1251,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -1293,12 +1305,6 @@ If you disable this policy setting, Enhanced Protected Mode will be turned off. If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1318,28 +1324,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark6YesYes
    Businesscheck mark6YesYes
    Enterprisecheck mark6YesYes
    Educationcheck mark6YesYes
    @@ -1366,12 +1378,6 @@ If you disable this policy setting, users do not receive enhanced suggestions wh If you do not configure this policy setting, users can change the Suggestions setting on the Settings charm. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1402,28 +1408,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -1448,12 +1460,6 @@ If you turn this setting on, users can see and use the Enterprise Mode option fr If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1473,28 +1479,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -1519,12 +1531,6 @@ If you enable this policy setting, Internet Explorer downloads the website list If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1544,28 +1550,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -1591,12 +1603,6 @@ This policy does not affect which security protocols are enabled. If you disable this policy, system defaults will be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1616,28 +1622,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -1662,12 +1674,6 @@ If you enable this policy setting, the user can add and remove sites from the li If you disable or do not configure this policy setting, the user can add and remove sites from the list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1687,28 +1693,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -1735,12 +1747,6 @@ If you disable this policy setting, Internet Explorer uses an Internet Explorer If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1760,28 +1766,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -1812,12 +1824,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1837,28 +1843,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -1889,12 +1901,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1914,28 +1920,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -1966,12 +1978,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1991,28 +1997,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -2043,12 +2055,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2068,28 +2074,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -2120,12 +2132,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2145,28 +2151,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -2197,12 +2209,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2222,28 +2228,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -2274,12 +2286,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2299,28 +2305,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -2345,12 +2357,6 @@ If you enable this policy setting, Internet Explorer goes directly to an intrane If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2370,28 +2376,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark7YesYes
    Businesscheck mark7YesYes
    Enterprisecheck mark7YesYes
    Educationcheck mark7YesYes
    @@ -2417,12 +2429,6 @@ This policy setting allows the administrator to enable "Save Target As" context For more information, see [https://go.microsoft.com/fwlink/?linkid=2102115](/deployedge/edge-ie-mode-faq) -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2452,28 +2458,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -2509,12 +2521,6 @@ If you disable or do not configure this policy, users may choose their own site- The list is a set of pairs of strings. Each string is separated by F000. Each pair of strings is stored as a registry name and value. The registry name is the site and the value is an index. The index has to be sequential. See an example below. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2559,28 +2565,34 @@ Value and index pairs in the SyncML example: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -2607,12 +2619,6 @@ If you disable this policy setting, users cannot run or install files with an in If you do not configure this policy, users can choose to run or install files with an invalid signature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2632,28 +2638,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -2680,12 +2692,6 @@ If you disable this policy setting, the entry points and functionality associate If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2705,28 +2711,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -2757,12 +2769,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2782,28 +2788,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -2834,12 +2846,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2859,28 +2865,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -2911,12 +2923,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2936,28 +2942,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -2984,12 +2996,6 @@ If you disable this policy setting, Internet Explorer will not check server cert If you do not configure this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3009,28 +3015,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -3057,12 +3069,6 @@ If you disable this policy setting, Internet Explorer will not check the digital If you do not configure this policy, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3081,28 +3087,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark7YesYes
    Businesscheck mark7YesYes
    Enterprisecheck mark7YesYes
    Educationcheck mark7YesYes
    @@ -3147,12 +3159,6 @@ If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge > For more information about the Windows update for the next version of Microsoft Edge including how to disable it, see [https://go.microsoft.com/fwlink/?linkid=2102115](/deployedge/edge-ie-mode-faq). This update applies only to Windows 10 version 1709 and higher. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3374,28 +3380,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -3424,12 +3436,6 @@ If you disable this policy setting, Internet Explorer will not require consisten If you do not configure this policy setting, Internet Explorer requires consistent MIME data for all received files. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3449,28 +3455,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark6YesYes
    Businesscheck mark6YesYes
    Enterprisecheck mark6YesYes
    Educationcheck mark6YesYes
    @@ -3495,12 +3507,6 @@ This setting determines whether IE automatically downloads updated versions of M If you disable or do not configure this setting, IE continues to download updated versions of VersionList.XML. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3531,28 +3537,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -3579,12 +3591,6 @@ If you disable, or do not configure this policy setting, Flash is turned on for Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3604,28 +3610,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -3650,12 +3662,6 @@ If you enable this policy setting, Windows Defender SmartScreen warnings block t If you disable or do not configure this policy setting, the user can bypass Windows Defender SmartScreen warnings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3675,28 +3681,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -3721,12 +3733,6 @@ If you enable this policy setting, Windows Defender SmartScreen warnings block t If you disable or do not configure this policy setting, the user can bypass Windows Defender SmartScreen warnings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3746,28 +3752,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark6YesYes
    Businesscheck mark6YesYes
    Enterprisecheck mark6YesYes
    Educationcheck mark6YesYes
    @@ -3792,12 +3804,6 @@ If you enable this policy setting, the user cannot use the Compatibility View bu If you disable or do not configure this policy setting, the user can use the Compatibility View button and manage the Compatibility View sites list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3828,28 +3834,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -3874,12 +3886,6 @@ If you enable this policy setting, a user cannot set the number of days that Int If you disable or do not configure this policy setting, a user can set the number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3899,28 +3905,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -3945,12 +3957,6 @@ If you enable this policy setting, a crash in Internet Explorer will exhibit beh If you disable or do not configure this policy setting, the crash detection feature for add-on management will be functional. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3970,28 +3976,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -4018,12 +4030,6 @@ If you disable this policy setting, the user must participate in the CEIP, and t If you do not configure this policy setting, the user can choose to participate in the CEIP. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4043,28 +4049,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -4093,12 +4105,6 @@ If you do not configure this policy setting, the user can choose whether to dele If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4118,28 +4124,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -4164,12 +4176,6 @@ If you enable this policy setting, the user cannot set the Feed Sync Engine to d If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4189,28 +4195,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -4237,12 +4249,6 @@ If you disable or do not configure this policy setting, the user can select whic Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4262,28 +4268,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark6YesYes
    Businesscheck mark6YesYes
    Enterprisecheck mark6YesYes
    Educationcheck mark6YesYes
    @@ -4308,12 +4320,6 @@ If you enable this policy setting, the ability to synchronize feeds and Web Slic If you disable or do not configure this policy setting, the user can synchronize feeds and Web Slices in the background. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4344,28 +4350,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -4394,12 +4406,6 @@ Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not avail If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4419,28 +4425,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -4469,12 +4481,6 @@ If you disable this policy setting, flip ahead with page prediction is turned on If you don't configure this setting, users can turn this behavior on or off, using the Settings charm. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4494,28 +4500,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark6YesYes
    Businesscheck mark6YesYes
    Enterprisecheck mark6YesYes
    Educationcheck mark6YesYes
    @@ -4542,12 +4554,6 @@ If you disable this policy setting, browser geolocation support is turned on. If you do not configure this policy setting, browser geolocation support can be turned on or off in Internet Options on the Privacy tab. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4578,28 +4584,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -4623,12 +4635,6 @@ If you enable this policy setting, a user cannot set a custom default home page. If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4646,28 +4652,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark7YesYes
    Businesscheck mark7YesYes
    Enterprisecheck mark7YesYes
    Educationcheck mark7YesYes
    @@ -4699,12 +4711,6 @@ If you disable, or do not configure this policy, all sites are opened using the > Microsoft Edge Stable Channel must be installed for this policy to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4742,28 +4748,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -4788,12 +4800,6 @@ If you enable this policy setting, the user cannot continue browsing. If you disable or do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4813,28 +4819,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -4863,12 +4875,6 @@ If you disable this policy setting, InPrivate Browsing is available for use. If you do not configure this policy setting, InPrivate Browsing can be turned on or off through the registry. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4888,28 +4894,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -4938,12 +4950,6 @@ If you disable this policy setting, Internet Explorer 11 will use 32-bit tab pro If you don't configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4963,28 +4969,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -5009,12 +5021,6 @@ If you enable this policy setting, the user will not be able to configure proxy If you disable or do not configure this policy setting, the user can configure proxy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5034,28 +5040,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -5080,12 +5092,6 @@ If you enable this policy setting, the user cannot change the default search pro If you disable or do not configure this policy setting, the user can change the default search provider. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5105,28 +5111,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -5153,12 +5165,6 @@ If you disable or do not configure this policy setting, the user can add seconda Note: If the “Disable Changing Home Page Settings” policy is enabled, the user cannot add secondary home pages. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5178,28 +5184,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -5224,12 +5236,6 @@ If you enable this policy setting, the feature is turned off. If you disable or do not configure this policy setting, the feature is turned on. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5249,28 +5255,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -5296,12 +5308,6 @@ If you disable this policy or do not configure it, Internet Explorer checks ever This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5321,28 +5327,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark6YesYes
    Businesscheck mark6YesYes
    Enterprisecheck mark6YesYes
    Educationcheck mark6YesYes
    @@ -5369,12 +5381,6 @@ If you disable this policy setting, users are suggested matches when entering We If you do not configure this policy setting, users can choose to turn the auto-complete setting for web-addresses on or off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5405,28 +5411,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -5455,12 +5467,6 @@ If you enable this policy setting, Internet Explorer will not give the user the If you disable or do not configure this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regular Protected Mode. This is the default behavior. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5480,28 +5486,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -5531,12 +5543,6 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Ad Also, see the "Security zones: Use only machine settings" policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5556,28 +5562,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -5607,12 +5619,6 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Adm Also, see the "Security zones: Use only machine settings" policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5632,28 +5638,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -5680,12 +5692,6 @@ If you disable or don't configure this policy setting, Internet Explorer continu For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5705,28 +5711,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -5757,12 +5769,6 @@ If you disable or don't configure this policy setting, the list is deleted and I For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5782,28 +5788,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -5830,12 +5842,6 @@ If you disable this policy setting, local sites which are not explicitly mapped If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5855,28 +5861,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -5903,12 +5915,6 @@ If you disable this policy setting, network paths are not necessarily mapped int If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5928,28 +5934,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -5976,12 +5988,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6001,28 +6007,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -6049,12 +6061,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6074,28 +6080,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -6120,12 +6132,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6145,28 +6151,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -6195,12 +6207,6 @@ If you disable this policy setting, a script cannot perform a clipboard operatio If you do not configure this policy setting, a script can perform a clipboard operation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6220,28 +6226,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -6268,12 +6280,6 @@ If you disable this policy setting, users are prevented from dragging files or c If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6293,28 +6299,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -6341,12 +6353,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6366,28 +6372,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -6414,12 +6426,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6439,28 +6445,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -6487,12 +6499,6 @@ If you disable this policy setting, XAML files are not loaded inside Internet Ex If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6512,28 +6518,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -6560,12 +6572,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6585,28 +6591,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -6631,12 +6643,6 @@ If you enable this policy setting, the user is prompted before ActiveX controls If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6656,28 +6662,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -6702,12 +6714,6 @@ If you enable this policy setting, the TDC ActiveX control will not run from web If you disable this policy setting, the TDC Active X control will run from all sites in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6727,28 +6733,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -6775,12 +6787,6 @@ If you disable this policy setting, the possible harmful actions contained in sc If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6800,28 +6806,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -6848,12 +6860,6 @@ If you disable this policy setting, script access to the WebBrowser control is n If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6873,28 +6879,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -6921,12 +6933,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6946,28 +6952,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -6996,12 +7008,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7021,28 +7027,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -7067,12 +7079,6 @@ If you enable this policy setting, script is allowed to update the status bar. If you disable or do not configure this policy setting, script is not allowed to update the status bar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7092,28 +7098,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -7140,12 +7152,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7165,28 +7171,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -7215,12 +7227,6 @@ If you selected Disable in the drop-down box, VBScript is prevented from running If you do not configure or disable this policy setting, VBScript is prevented from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7240,28 +7246,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -7288,12 +7300,6 @@ If you disable this policy setting, Internet Explorer always checks with your an If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7313,28 +7319,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -7361,12 +7373,6 @@ If you disable the policy setting, signed controls cannot be downloaded. If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7386,28 +7392,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -7434,12 +7446,6 @@ If you disable this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7459,28 +7465,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -7505,12 +7517,6 @@ If you enable this policy setting, the XSS Filter is turned on for sites in this If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7530,28 +7536,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -7580,12 +7592,6 @@ In Internet Explorer 10, if you disable this policy setting or do not configure In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7605,28 +7611,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -7655,12 +7667,6 @@ In Internet Explorer 10, if you disable this policy setting or do not configure In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7680,28 +7686,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -7728,12 +7740,6 @@ If you disable this policy setting, the actions that may be harmful cannot run; If you do not configure this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7753,28 +7759,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -7801,12 +7813,6 @@ If you disable this policy setting, Protected Mode is turned off. The user canno If you do not configure this policy setting, the user can turn on or turn off Protected Mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7826,28 +7832,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -7874,12 +7886,6 @@ If you disable this policy setting, path information is removed when the user is If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7899,28 +7905,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -7949,12 +7961,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7974,28 +7980,34 @@ ADMX Info: - - + + + - + + - + + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck mark1YesYes
    Procheck mark1YesYes
    Business
    Enterprisecheck mark1YesYes
    Educationcheck mark1YesYes
    @@ -8015,28 +8027,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -8069,12 +8087,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to High Safety. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8094,28 +8106,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -8142,12 +8160,6 @@ If you disable this policy setting, users are prevented from running application If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8167,28 +8179,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -8223,12 +8241,6 @@ If you disable this policy setting, logon is set to Automatic logon only in Intr If you do not configure this policy setting, logon is set to Automatic logon only in Intranet zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8248,28 +8260,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -8296,12 +8314,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8321,28 +8333,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -8369,12 +8387,6 @@ If you disable this policy setting, Internet Explorer will not execute signed ma If you do not configure this policy setting, Internet Explorer will execute signed managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8394,28 +8406,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -8442,12 +8460,6 @@ If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8467,28 +8479,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -8515,12 +8533,6 @@ If you disable this policy setting, pop-up windows are not prevented from appear If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8540,28 +8552,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -8588,12 +8606,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8613,28 +8625,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -8661,12 +8679,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8686,28 +8698,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -8732,12 +8750,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8757,28 +8769,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -8805,12 +8823,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8830,28 +8842,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -8878,12 +8896,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8903,28 +8915,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -8951,12 +8969,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8976,28 +8988,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -9024,12 +9042,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9049,28 +9061,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -9099,12 +9117,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9124,28 +9136,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -9172,12 +9190,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9197,28 +9209,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -9245,12 +9263,6 @@ If you disable this policy setting, Internet Explorer always checks with your an If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9270,28 +9282,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -9320,12 +9338,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9345,28 +9357,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -9399,12 +9417,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to Medium Safety. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9424,28 +9436,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -9472,12 +9490,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9497,28 +9509,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark7YesYes
    Businesscheck mark7YesYes
    Enterprisecheck mark7YesYes
    Educationcheck mark7YesYes
    @@ -9553,12 +9571,6 @@ Related policies: For more information on how to use this policy together with other related policies to create the optimal configuration for your organization, see [https://go.microsoft.com/fwlink/?linkid=2094210.](/DeployEdge/edge-ie-mode-policies#configure-internet-explorer-integration) -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9596,28 +9608,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -9644,12 +9662,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9669,28 +9681,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -9717,12 +9735,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9742,28 +9754,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -9788,12 +9806,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9813,28 +9825,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -9861,12 +9879,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9886,28 +9898,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -9934,12 +9952,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9959,28 +9971,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -10007,12 +10025,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10032,28 +10044,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -10080,12 +10098,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10105,28 +10117,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -10155,12 +10173,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10180,28 +10192,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -10228,12 +10246,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10253,28 +10265,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -10301,12 +10319,6 @@ If you disable this policy setting, Internet Explorer always checks with your an If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10326,28 +10338,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -10376,12 +10394,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10401,28 +10413,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -10455,12 +10473,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to Medium Safety. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10480,28 +10492,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -10528,12 +10546,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10553,28 +10565,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -10601,12 +10619,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10626,28 +10638,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -10674,12 +10692,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10699,28 +10711,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -10745,12 +10763,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10770,28 +10782,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -10818,12 +10836,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10843,28 +10855,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -10891,12 +10909,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10916,28 +10928,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -10964,12 +10982,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10989,28 +11001,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -11037,12 +11055,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11062,28 +11074,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -11112,12 +11130,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11137,28 +11149,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -11185,12 +11203,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11210,28 +11222,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -11260,12 +11278,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11285,28 +11297,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -11339,12 +11357,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11364,28 +11376,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -11412,12 +11430,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11437,28 +11449,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -11491,12 +11509,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11516,28 +11528,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -11564,12 +11582,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11589,28 +11601,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -11637,12 +11655,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11662,28 +11674,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -11708,12 +11726,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11733,28 +11745,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -11781,12 +11799,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11806,28 +11818,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -11854,12 +11872,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11879,28 +11891,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -11927,12 +11945,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11952,28 +11964,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -12000,12 +12018,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12025,28 +12037,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -12075,12 +12093,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12100,28 +12112,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -12148,12 +12166,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12173,28 +12185,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -12223,12 +12241,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12248,28 +12260,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -12296,12 +12314,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12321,28 +12333,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -12369,12 +12387,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12394,28 +12406,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -12442,12 +12460,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12467,28 +12479,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -12513,12 +12531,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12538,28 +12550,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -12586,12 +12604,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12611,28 +12623,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -12659,12 +12677,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12684,28 +12696,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -12732,12 +12750,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12757,28 +12769,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -12805,12 +12823,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12830,28 +12842,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -12880,12 +12898,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12905,28 +12917,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -12953,12 +12971,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12978,28 +12990,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -13028,12 +13046,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13053,28 +13065,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -13107,12 +13125,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13132,28 +13144,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -13180,12 +13198,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13205,28 +13217,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -13253,12 +13271,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13278,28 +13290,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -13326,12 +13344,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13351,28 +13363,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -13397,12 +13415,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13422,28 +13434,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -13470,12 +13488,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13495,28 +13507,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -13543,12 +13561,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13568,28 +13580,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -13616,12 +13634,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13641,28 +13653,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -13689,12 +13707,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13714,28 +13726,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -13764,12 +13782,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13789,28 +13801,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -13837,12 +13855,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13862,28 +13874,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -13912,12 +13930,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13937,28 +13949,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -13991,12 +14009,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14016,28 +14028,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -14064,12 +14082,6 @@ If you disable this policy setting, users cannot open other windows and frames f If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14089,28 +14101,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -14137,12 +14155,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14162,28 +14174,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -14210,12 +14228,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14235,28 +14247,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -14281,12 +14299,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14306,28 +14318,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -14354,12 +14372,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14379,28 +14391,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -14427,12 +14445,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14452,28 +14464,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -14500,12 +14518,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14525,28 +14537,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -14573,12 +14591,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14598,28 +14610,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -14648,12 +14666,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14673,28 +14685,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -14721,12 +14739,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14746,28 +14758,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -14796,12 +14814,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14821,28 +14833,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -14875,12 +14893,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14900,28 +14912,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -14948,12 +14966,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14973,28 +14985,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -15021,12 +15039,6 @@ If you disable this policy setting, applications can use the MK protocol API. Re If you do not configure this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15046,28 +15058,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -15094,12 +15112,6 @@ If you disable this policy setting, Internet Explorer processes will allow a MIM If you do not configure this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15119,28 +15131,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark6YesYes
    Businesscheck mark6YesYes
    Enterprisecheck mark6YesYes
    Educationcheck mark6YesYes
    @@ -15165,12 +15183,6 @@ If you enable this policy setting, you can choose which page to display when the If you disable or do not configure this policy setting, users can select their preference for this behavior. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15204,28 +15216,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -15252,12 +15270,6 @@ If you disable this policy setting, the Notification bar will not be displayed f If you do not configure this policy setting, the Notification bar will be displayed for Internet Explorer Processes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15277,28 +15289,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -15323,12 +15341,6 @@ If you enable this policy setting, the user is not prompted to turn on Windows D If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on Windows Defender SmartScreen during the first-run experience. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15348,28 +15360,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -15394,12 +15412,6 @@ If you enable this policy setting, ActiveX controls cannot be installed on a per If you disable or do not configure this policy setting, ActiveX controls can be installed on a per-user basis. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15419,28 +15431,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -15467,12 +15485,6 @@ If you disable this policy setting, no zone receives such protection for Interne If you do not configure this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15492,28 +15504,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -15540,12 +15558,6 @@ If you disable or don't configure this policy setting, users will see the "Run t For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15565,28 +15577,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -15613,12 +15631,6 @@ If you disable this policy setting, prompting for ActiveX control installations If you do not configure this policy setting, the user's preference will be used to determine whether to block ActiveX control installations for Internet Explorer processes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15638,28 +15650,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -15686,12 +15704,6 @@ If you disable this policy setting, prompting will occur for file downloads that If you do not configure this policy setting, the user's preference determines whether to prompt for file downloads that are not user initiated for Internet Explorer processes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15711,28 +15723,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -15759,12 +15777,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15784,28 +15796,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -15832,12 +15850,6 @@ If you disable this policy setting, script code on pages in the zone is prevente If you do not configure this policy setting, script code on pages in the zone is prevented from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15857,28 +15869,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -15905,12 +15923,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15930,28 +15942,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -15976,12 +15994,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16001,28 +16013,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -16049,12 +16067,6 @@ If you disable this policy setting, binary and script behaviors are not availabl If you do not configure this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16074,28 +16086,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -16124,12 +16142,6 @@ If you disable this policy setting, a script cannot perform a clipboard operatio If you do not configure this policy setting, a script cannot perform a clipboard operation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16149,28 +16161,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -16197,12 +16215,6 @@ If you disable this policy setting, users are prevented from dragging files or c If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16222,28 +16234,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -16270,12 +16288,6 @@ If you disable this policy setting, files are prevented from being downloaded fr If you do not configure this policy setting, files are prevented from being downloaded from the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16295,28 +16307,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -16343,12 +16361,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16368,28 +16380,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -16416,12 +16434,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16441,28 +16453,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -16489,12 +16507,6 @@ If you disable this policy setting, XAML files are not loaded inside Internet Ex If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16514,28 +16526,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -16562,12 +16580,6 @@ If you disable this policy setting, a user's browser that loads a page containin If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16587,28 +16599,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -16635,12 +16653,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16660,28 +16672,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -16706,12 +16724,6 @@ If you enable this policy setting, the user is prompted before ActiveX controls If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16731,28 +16743,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -16777,12 +16795,6 @@ If you enable this policy setting, the TDC ActiveX control will not run from web If you disable this policy setting, the TDC Active X control will run from all sites in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16802,28 +16814,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -16850,12 +16868,6 @@ If you disable this policy setting, the possible harmful actions contained in sc If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16875,28 +16887,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -16923,12 +16941,6 @@ If you disable this policy setting, script access to the WebBrowser control is n If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16948,28 +16960,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -16996,12 +17014,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17021,28 +17033,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -17071,12 +17089,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17096,28 +17108,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -17142,12 +17160,6 @@ If you enable this policy setting, script is allowed to update the status bar. If you disable or do not configure this policy setting, script is not allowed to update the status bar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17167,28 +17179,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -17215,12 +17233,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17240,28 +17252,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -17290,12 +17308,6 @@ If you selected Disable in the drop-down box, VBScript is prevented from running If you do not configure or disable this policy setting, VBScript is prevented from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17315,28 +17327,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -17363,12 +17381,6 @@ If you disable this policy setting, Internet Explorer always checks with your an If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17388,28 +17400,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -17436,12 +17454,6 @@ If you disable the policy setting, signed controls cannot be downloaded. If you do not configure this policy setting, signed controls cannot be downloaded. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17461,28 +17473,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -17509,12 +17527,6 @@ If you disable this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17534,28 +17546,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -17580,12 +17598,6 @@ If you enable this policy setting, the XSS Filter is turned on for sites in this If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17605,28 +17617,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -17655,12 +17673,6 @@ In Internet Explorer 10, if you disable this policy setting or do not configure In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17680,28 +17692,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -17730,12 +17748,6 @@ In Internet Explorer 10, if you disable this policy setting or do not configure In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17755,28 +17767,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -17803,12 +17821,6 @@ If you disable this policy setting, the actions that may be harmful cannot run; If you do not configure this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17828,28 +17840,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -17876,12 +17894,6 @@ If you disable this policy setting, path information is removed when the user is If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17901,28 +17913,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -17951,12 +17969,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17976,28 +17988,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -18030,12 +18048,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18055,28 +18067,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -18103,12 +18121,6 @@ If you disable this policy setting, users are prevented from running application If you do not configure this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18128,28 +18140,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -18184,12 +18202,6 @@ If you disable this policy setting, logon is set to Automatic logon only in Intr If you do not configure this policy setting, logon is set to Prompt for username and password. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18209,28 +18221,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -18257,12 +18275,6 @@ If you disable this policy setting, users cannot open other windows and frames f If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18282,28 +18294,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -18332,12 +18350,6 @@ If you disable this policy setting, controls and plug-ins are prevented from run If you do not configure this policy setting, controls and plug-ins are prevented from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18357,28 +18369,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -18405,12 +18423,6 @@ If you disable this policy setting, Internet Explorer will not execute signed ma If you do not configure this policy setting, Internet Explorer will not execute signed managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18430,28 +18442,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -18480,12 +18498,6 @@ If you disable this policy setting, script interaction is prevented from occurri If you do not configure this policy setting, script interaction is prevented from occurring. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18505,28 +18517,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -18555,12 +18573,6 @@ If you disable this policy setting, scripts are prevented from accessing applets If you do not configure this policy setting, scripts are prevented from accessing applets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18580,28 +18592,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -18628,12 +18646,6 @@ If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18653,28 +18665,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -18701,12 +18719,6 @@ If you disable this policy setting, Protected Mode is turned off. The user canno If you do not configure this policy setting, the user can turn on or turn off Protected Mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18726,28 +18738,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -18774,12 +18792,6 @@ If you disable this policy setting, pop-up windows are not prevented from appear If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18799,28 +18811,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -18847,12 +18865,6 @@ If you disable this policy setting, scripts can continue to create popup windows If you do not configure this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18872,28 +18884,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -18918,12 +18936,6 @@ If you enable this policy setting, the user cannot configure the list of search If you disable or do not configure this policy setting, the user can configure his or her list of search providers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18943,28 +18955,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -18992,12 +19010,6 @@ This policy is intended to ensure that security zone settings apply uniformly to Also, see the "Security zones: Do not allow users to change policies" policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19017,28 +19029,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark7YesYes
    Businesscheck mark7YesYes
    Enterprisecheck mark7YesYes
    Educationcheck mark7YesYes
    @@ -19066,12 +19084,6 @@ If you disable, or not configure this setting, then it opens all sites based on > If you have also enabled the [InternetExplorer/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) policy setting, then all intranet sites will continue to open in Internet Explorer 11. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19111,28 +19123,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -19157,12 +19175,6 @@ If you enable this policy setting, ActiveX controls are installed only if the Ac If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, are installed through the standard installation process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19182,28 +19194,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -19230,12 +19248,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19255,28 +19267,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -19303,12 +19321,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19328,28 +19340,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -19374,12 +19392,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19399,28 +19411,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -19447,12 +19465,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19472,28 +19484,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -19520,12 +19538,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19545,28 +19557,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -19593,12 +19611,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19618,28 +19630,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -19666,12 +19684,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19691,28 +19703,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -19741,12 +19759,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19766,28 +19778,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -19814,12 +19832,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19839,28 +19851,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -19887,12 +19905,6 @@ If you disable this policy setting, Internet Explorer always checks with your an If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19912,28 +19924,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -19962,12 +19980,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19987,28 +19999,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -20041,12 +20059,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to Low Safety. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -20066,28 +20078,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -20114,12 +20132,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -20132,15 +20144,5 @@ ADMX Info:
    -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 863153876a..d51018a42a 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -44,6 +44,13 @@ manager: dansimp +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
    @@ -104,12 +111,6 @@ If you enable this policy setting, the Kerberos client searches the forests in t If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -179,12 +180,6 @@ If you enable this policy setting, the client computers will request claims, pro If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -263,12 +258,6 @@ If you disable or do not configure this policy, each algorithm will assume the * More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found https://go.microsoft.com/fwlink/?linkid=2169037. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -344,12 +333,6 @@ If you enable this policy setting, the client computers in the domain enforce th If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -420,12 +403,6 @@ If you enable this policy setting, the Kerberos client requires that the KDC's X If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -501,12 +478,6 @@ If you disable or do not configure this policy setting, the Kerberos client or s > This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -587,16 +558,5 @@ Devices joined to Azure Active Directory in a hybrid environment need to interac
    -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index b7c4328ba0..76dcd8f06b 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -57,28 +57,34 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark4YesYes
    Businesscheck mark4YesYes
    Enterprisecheck mark4YesYes
    Educationcheck mark4YesYes
    @@ -95,7 +101,7 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic -Added in Windows 10, version 1803. List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. +List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -111,28 +117,34 @@ Added in Windows 10, version 1803. List of exceptions to the blocked website URL - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark4YesYes
    Businesscheck mark4YesYes
    Enterprisecheck mark4YesYes
    Educationcheck mark4YesYes
    @@ -149,7 +161,7 @@ Added in Windows 10, version 1803. List of exceptions to the blocked website URL -Added in Windows 10, version 1803. List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. +List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -165,28 +177,34 @@ Added in Windows 10, version 1803. List of blocked website URLs (with wildcard s - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark4YesYes
    Businesscheck mark4YesYes
    Enterprisecheck mark4YesYes
    Educationcheck mark4YesYes
    @@ -203,7 +221,7 @@ Added in Windows 10, version 1803. List of blocked website URLs (with wildcard s -Added in Windows 10, version 1803. Configures the default URL kiosk browsers to navigate on launch and restart. +Configures the default URL kiosk browsers to navigate on launch and restart. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -219,28 +237,34 @@ Added in Windows 10, version 1803. Configures the default URL kiosk browsers to - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark4YesYes
    Businesscheck mark4YesYes
    Enterprisecheck mark4YesYes
    Educationcheck mark4YesYes
    @@ -270,28 +294,34 @@ Shows the Kiosk Browser's end session button. When the policy is enabled, the Ki - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark4YesYes
    Businesscheck mark4YesYes
    Enterprisecheck mark4YesYes
    Educationcheck mark4YesYes
    @@ -308,7 +338,7 @@ Shows the Kiosk Browser's end session button. When the policy is enabled, the Ki -Added in Windows 10, version 1803. Enable/disable kiosk browser's home button. +Enable/disable kiosk browser's home button. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -324,28 +354,34 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's home button. - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark4YesYes
    Businesscheck mark4YesYes
    Enterprisecheck mark4YesYes
    Educationcheck mark4YesYes
    @@ -362,7 +398,7 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's home button. -Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation buttons (forward/back). +Enable/disable kiosk browser's navigation buttons (forward/back). > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -378,28 +414,34 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation but - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark4YesYes
    Businesscheck mark4YesYes
    Enterprisecheck mark4YesYes
    Educationcheck mark4YesYes
    @@ -416,7 +458,7 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation but -Added in Windows 10, version 1803. Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. +Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. @@ -427,15 +469,4 @@ The value is an int 1-1440 that specifies the amount of minutes the session is i
    -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md index f7c4cf4015..fd3a136e36 100644 --- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark4YesYes
    Businesscheck mark4YesYes
    Enterprisecheck mark4YesYes
    Educationcheck mark4YesYes
    @@ -74,7 +80,7 @@ manager: dansimp -Added in Windows 10, version 1803. This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. +This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons. @@ -98,16 +104,5 @@ This setting supports a range of values between 0 and 1.
    -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md index 3bc05c7260..518cd8ad84 100644 --- a/windows/client-management/mdm/policy-csp-licensing.md +++ b/windows/client-management/mdm/policy-csp-licensing.md @@ -39,28 +39,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark1YesYes
    Businesscheck mark1YesYes
    Enterprisecheck mark1YesYes
    Educationcheck mark1YesYes
    @@ -77,7 +83,7 @@ manager: dansimp -Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices. +Enables or Disable Windows license reactivation on managed devices. @@ -105,28 +111,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark1YesYes
    Businesscheck mark1YesYes
    Enterprisecheck mark1YesYes
    Educationcheck mark1YesYes
    @@ -143,7 +155,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. +Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. @@ -164,16 +176,6 @@ The following list shows the supported values:
    -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 1c0cdcacb8..0dac27d890 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -3798,15 +3798,5 @@ The following list shows the supported values:
    -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 5f21ba8658..523f62fb82 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -34,28 +34,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark9YesYes
    Businesscheck mark9YesYes
    Enterprisecheck mark9YesYes
    Educationcheck mark9YesYes
    @@ -72,7 +78,7 @@ manager: dansimp -Available in Windows 10, version 20H2. This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device. +This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device. > [!NOTE] > The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or AAD groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove. @@ -313,8 +319,5 @@ To troubleshoot Name/SID lookup APIs: ``` -Footnotes: - -Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md index 774ac1a21f..3300c86079 100644 --- a/windows/client-management/mdm/policy-csp-lockdown.md +++ b/windows/client-management/mdm/policy-csp-lockdown.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - LockDown -
    @@ -36,28 +35,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark1YesYes
    Businesscheck mark1YesYes
    Enterprisecheck mark1YesYes
    Educationcheck mark1YesYes
    @@ -74,7 +79,7 @@ manager: dansimp -Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch. +Allows the user to invoke any system user interface by swiping in from any screen edge using touch. The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled. @@ -97,16 +102,5 @@ The following list shows the supported values:
    -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - From 8af95e7302cc43c0fc6734445a80b4973f19fdf3 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Wed, 29 Sep 2021 13:31:15 +0530 Subject: [PATCH 05/33] Checking Acrolinx score for this file --- windows/client-management/mdm/policy-csp-internetexplorer.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 3d06d6810d..df389346d7 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -20144,5 +20144,4 @@ ADMX Info:
    - \ No newline at end of file From 60fe20fc33a6b8fbce9df899352b79b17abbd700 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Wed, 29 Sep 2021 16:44:59 +0530 Subject: [PATCH 06/33] Updated --- .../mdm/policy-csp-credentialsdelegation.md | 43 +- .../mdm/policy-csp-credentialsui.md | 72 +- .../mdm/policy-csp-cryptography.md | 51 +- .../mdm/policy-csp-dataprotection.md | 51 +- .../mdm/policy-csp-datausage.md | 44 +- .../mdm/policy-csp-defender.md | 887 ++++++++++++------ .../mdm/policy-csp-deliveryoptimization.md | 631 ++++++++----- .../mdm/policy-csp-desktop.md | 44 +- .../mdm/policy-csp-deviceguard.md | 98 +- .../mdm/policy-csp-devicehealthmonitoring.md | 72 +- .../mdm/policy-csp-deviceinstallation.md | 272 +++--- .../mdm/policy-csp-devicelock.md | 313 +++--- .../mdm/policy-csp-display.md | 114 ++- .../mdm/policy-csp-dmaguard.md | 30 +- .../mdm/policy-csp-education.md | 101 +- 15 files changed, 1729 insertions(+), 1094 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md index d4806508e7..a02c13b489 100644 --- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md +++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - CredentialsDelegation +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
    @@ -36,31 +42,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -83,12 +96,7 @@ If you enable this policy setting, the host supports Restricted Admin or Remote If you disable or do not configure this policy setting, Restricted Administration and Remote Credential Guard mode are not supported. User will always need to pass their credentials to the host. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -101,16 +109,7 @@ ADMX Info:
    -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md index 5fdff42127..0d294e4618 100644 --- a/windows/client-management/mdm/policy-csp-credentialsui.md +++ b/windows/client-management/mdm/policy-csp-credentialsui.md @@ -14,7 +14,12 @@ manager: dansimp # Policy CSP - CredentialsUI - +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
    @@ -39,31 +44,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -89,12 +101,7 @@ By default, the password reveal button is displayed after a user types a passwor The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -114,31 +121,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -159,12 +173,7 @@ If you enable this policy setting, all local administrator accounts on the PC wi If you disable this policy setting, users will always be required to type a user name and password to elevate. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -177,16 +186,7 @@ ADMX Info:
    -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index 88e34b4df9..66af935c69 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -39,31 +39,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -108,31 +115,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -164,16 +178,7 @@ Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is
    -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index afbff9a990..ed9a1f87c4 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -39,31 +39,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -99,31 +106,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -150,15 +164,6 @@ Setting used by Windows 8.1 Selective Wipe.
    -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index 652bf56c3c..9fcd657539 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -14,7 +14,12 @@ manager: dansimp # Policy CSP - DataUsage - +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
    @@ -52,31 +57,38 @@ This policy is deprecated in Windows 10, version 1809. - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -103,12 +115,7 @@ If this policy setting is enabled, a drop-down list box presenting possible cost If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -121,16 +128,7 @@ ADMX Info:
    -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index c7445826de..fddac52c0c 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -156,31 +156,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -226,31 +233,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -296,31 +310,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -367,31 +388,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -437,31 +465,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -507,31 +542,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -577,31 +619,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -647,31 +696,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -709,31 +765,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -779,31 +842,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -849,31 +919,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -919,31 +996,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -981,31 +1065,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -1051,31 +1142,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck mark3YesYes
    Procheck mark3YesYes
    Businesscheck mark3YesYes
    Enterprisecheck mark3YesYes
    Educationcheck mark3YesYes
    +
    @@ -1093,7 +1191,7 @@ The following list shows the supported values: > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe".. +This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe".. Value type is string. @@ -1117,31 +1215,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck mark3YesYes
    Procheck mark3YesYes
    Businesscheck mark3YesYes
    Enterprisecheck mark3YesYes
    Educationcheck mark3YesYes
    +
    @@ -1159,7 +1264,7 @@ ADMX Info: > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule. +This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule. For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction). @@ -1185,31 +1290,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -1256,31 +1368,38 @@ Valid values: 0–100 - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck mark5YesYes
    Procheck mark5YesYes
    Businesscheck mark5YesYes
    Enterprisecheck mark5YesYes
    Educationcheck mark5YesYes
    +
    @@ -1338,31 +1457,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck mark3YesYes
    Procheck mark3YesYes
    Businesscheck mark3YesYes
    Enterprisecheck mark3YesYes
    Educationcheck mark3YesYes
    +
    @@ -1380,7 +1506,7 @@ ADMX Info: > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. +This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Microsoft Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. @@ -1418,31 +1544,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck mark3YesYes
    Procheck mark3YesYes
    Businesscheck mark3YesYes
    Enterprisecheck mark3YesYes
    Educationcheck mark3YesYes
    +
    @@ -1459,7 +1592,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. +This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. @@ -1488,31 +1621,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck mark3YesYes
    Procheck mark3YesYes
    Businesscheck mark3YesYes
    Enterprisecheck mark3YesYes
    Educationcheck mark3YesYes
    +
    @@ -1551,31 +1691,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck mark3YesYes
    Procheck mark3YesYes
    Businesscheck mark3YesYes
    Enterprisecheck mark3YesYes
    Educationcheck mark3YesYes
    +
    @@ -1592,7 +1739,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders. -Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator. +This policy settings allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator. @@ -1614,31 +1761,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -1685,31 +1839,38 @@ Valid values: 0–90 - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck mark5YesYes
    Procheck mark5YesYes
    Businesscheck mark5YesYes
    Enterprisecheck mark5YesYes
    Educationcheck mark5YesYes
    +
    @@ -1765,31 +1926,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck mark5YesYes
    Procheck mark5YesYes
    Businesscheck mark5YesYes
    Enterprisecheck mark5YesYes
    Educationcheck mark5YesYes
    +
    @@ -1845,31 +2013,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck mark3YesYes
    Procheck mark3YesYes
    Businesscheck mark3YesYes
    Enterprisecheck mark3YesYes
    Educationcheck mark3YesYes
    +
    @@ -1886,7 +2061,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess. -Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the controlled folder access feature. The controlled folder access feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. +This policy enables setting the state (On/Off/Audit) for the controlled folder access feature. The controlled folder access feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. @@ -1916,31 +2091,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck mark5YesYes
    Procheck mark5YesYes
    Businesscheck mark5YesYes
    Enterprisecheck mark5YesYes
    Educationcheck mark5YesYes
    +
    @@ -1994,31 +2176,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck mark3YesYes
    Procheck mark3YesYes
    Businesscheck mark3YesYes
    Enterprisecheck mark3YesYes
    Educationcheck mark3YesYes
    +
    @@ -2035,7 +2224,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. +This policy allows you to turn network protection on (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit. If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center. @@ -2071,31 +2260,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -2135,31 +2331,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -2199,31 +2402,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -2269,31 +2479,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -2311,7 +2528,7 @@ ADMX Info: > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer. +Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer. > [!NOTE] > Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. For more information about PUA, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). @@ -2344,31 +2561,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -2419,31 +2643,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -2490,31 +2721,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -2567,31 +2805,38 @@ Valid values: 0–1380 - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -2648,31 +2893,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -2725,31 +2977,38 @@ Valid values: 0–1380. - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck mark5YesYes
    Procheck mark5YesYes
    Businesscheck mark5YesYes
    Enterprisecheck mark5YesYes
    Educationcheck mark5YesYes
    +
    @@ -2809,31 +3068,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck mark5YesYes
    Procheck mark5YesYes
    Businesscheck mark5YesYes
    Enterprisecheck mark5YesYes
    Educationcheck mark5YesYes
    +
    @@ -2888,31 +3154,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -2963,31 +3236,38 @@ Valid values: 0–24. - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -3036,31 +3316,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -3111,16 +3398,6 @@ ADMX Info:
    -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. -- 9 - Available in Windows 10, version 20H2. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index a1644a0373..b889259061 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -14,6 +14,13 @@ manager: dansimp # Policy CSP - DeliveryOptimization +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
    @@ -123,31 +130,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark1YesYes
    Businesscheck mark1YesYes
    Enterprisecheck mark1YesYes
    Educationcheck mark1YesYes
    +
    @@ -165,7 +179,7 @@ manager: dansimp > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1607. Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space. +Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space. The default value is 10. @@ -189,31 +203,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark2YesYes
    Businesscheck mark2YesYes
    Enterprisecheck mark2YesYes
    Educationcheck mark2YesYes
    +
    @@ -231,7 +252,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. +Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. @@ -260,31 +281,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark5YesYes
    Businesscheck mark5YesYes
    Enterprisecheck mark5YesYes
    Educationcheck mark5YesYes
    +
    @@ -332,31 +360,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark8YesYes
    Businesscheck mark8YesYes
    Enterprisecheck mark8YesYes
    Educationcheck mark8YesYes
    +
    @@ -412,31 +447,38 @@ When DHCP Option ID Force (2) is set, the client will query DHCP Option ID 235 a - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark4YesYes
    Businesscheck mark4YesYes
    Enterprisecheck mark4YesYes
    Educationcheck mark4YesYes
    +
    @@ -450,7 +492,7 @@ When DHCP Option ID Force (2) is set, the client will query DHCP Option ID 235 a -Added in Windows 10, version 1803. This policy allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. +This policy allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. After the max delay is reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from peers. Note that a download that is waiting for peer sources, will appear to be stuck for the end user. The recommended value is 1 hour (3600). @@ -474,31 +516,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark6YesYes
    Businesscheck mark6YesYes
    Enterprisecheck mark6YesYes
    Educationcheck mark6YesYes
    +
    @@ -547,31 +596,38 @@ Supported values: 0 - one month (in seconds) - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark6YesYes
    Businesscheck mark6YesYes
    Enterprisecheck mark6YesYes
    Educationcheck mark6YesYes
    +
    @@ -618,31 +674,38 @@ Supported values: 0 - one month (in seconds) - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark4YesYes
    Businesscheck mark4YesYes
    Enterprisecheck mark4YesYes
    Educationcheck mark4YesYes
    +
    @@ -656,7 +719,7 @@ Supported values: 0 - one month (in seconds) -Added in Windows 10, version 1803. This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. +This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers. @@ -692,31 +755,38 @@ The following list shows the supported values as number of seconds: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -766,31 +836,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -833,31 +910,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark4YesYes
    Businesscheck mark4YesYes
    Enterprisecheck mark4YesYes
    Educationcheck mark4YesYes
    +
    @@ -871,7 +955,7 @@ ADMX Info: -Added in Windows 10, version 1803. Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. +Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. When set, the Group ID will be assigned automatically from the selected source. @@ -913,31 +997,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark8YesYes
    Businesscheck mark8YesYes
    Enterprisecheck mark8YesYes
    Educationcheck mark8YesYes
    +
    @@ -975,28 +1066,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    @@ -1041,31 +1138,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -1130,31 +1234,38 @@ This policy is deprecated. Use [DOMaxForegroundDownloadBandwidth](#deliveryoptim - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark8YesYes
    Businesscheck mark8YesYes
    Enterprisecheck mark8YesYes
    Educationcheck mark8YesYes
    +
    @@ -1211,31 +1322,38 @@ This policy is deprecated because it only applies to uploads to Internet peers ( - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark1YesYes
    Businesscheck mark1YesYes
    Enterprisecheck mark1YesYes
    Educationcheck mark1YesYes
    +
    @@ -1253,7 +1371,7 @@ This policy is deprecated because it only applies to uploads to Internet peers ( > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1607. Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. +Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. The default value is 500. @@ -1277,31 +1395,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark2YesYes
    Businesscheck mark2YesYes
    Enterprisecheck mark2YesYes
    Educationcheck mark2YesYes
    +
    @@ -1318,7 +1443,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery. +Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery. The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used. @@ -1342,31 +1467,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark2YesYes
    Businesscheck mark2YesYes
    Enterprisecheck mark2YesYes
    Educationcheck mark2YesYes
    +
    @@ -1384,7 +1516,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. Recommended values: 64 GB to 256 GB. +Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. Recommended values: 64 GB to 256 GB. > [!NOTE] > If the DOMofidyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy. @@ -1411,31 +1543,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark2YesYes
    Businesscheck mark2YesYes
    Enterprisecheck mark2YesYes
    Educationcheck mark2YesYes
    +
    @@ -1453,7 +1592,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. +Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. The default value is 100 MB. @@ -1477,31 +1616,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark2YesYes
    Businesscheck mark2YesYes
    Enterprisecheck mark2YesYes
    Educationcheck mark2YesYes
    +
    @@ -1519,7 +1665,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. +Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. The default value is 4 GB. @@ -1543,31 +1689,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark1YesYes
    Businesscheck mark1YesYes
    Enterprisecheck mark1YesYes
    Educationcheck mark1YesYes
    +
    @@ -1585,7 +1738,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1607. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path. +Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path. By default, %SystemDrive% is used to store the cache. @@ -1609,31 +1762,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark1YesYes
    Businesscheck mark1YesYes
    Enterprisecheck mark1YesYes
    Educationcheck mark1YesYes
    +
    @@ -1651,7 +1811,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1607. Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. +Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set. @@ -1677,31 +1837,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark4YesYes
    Businesscheck mark4YesYes
    Enterprisecheck mark4YesYes
    Educationcheck mark4YesYes
    +
    @@ -1715,7 +1882,7 @@ ADMX Info: -Added in Windows 10, version 1803. Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. +Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. Note that downloads from LAN peers will not be throttled even when this policy is set. @@ -1752,31 +1919,38 @@ This policy is deprecated. Use [DOPercentageMaxForegroundBandwidth](#deliveryopt - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark4YesYes
    Businesscheck mark4YesYes
    Enterprisecheck mark4YesYes
    Educationcheck mark4YesYes
    +
    @@ -1790,7 +1964,7 @@ This policy is deprecated. Use [DOPercentageMaxForegroundBandwidth](#deliveryopt -Added in Windows 10, version 1803. Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. +Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. Note that downloads from LAN peers will not be throttled even when this policy is set. @@ -1814,31 +1988,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark4YesYes
    Businesscheck mark4YesYes
    Enterprisecheck mark4YesYes
    Educationcheck mark4YesYes
    +
    @@ -1852,7 +2033,7 @@ ADMX Info: -Added in Windows 10, version 1803. Set this policy to restrict peer selection via selected option. +Set this policy to restrict peer selection via selected option. Options available are: 1=Subnet mask (more options will be added in a future release). Option 1 (Subnet mask) applies to both Download Mode LAN (1) and Group (2). @@ -1883,31 +2064,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark4YesYes
    Businesscheck mark4YesYes
    Enterprisecheck mark4YesYes
    Educationcheck mark4YesYes
    +
    @@ -1921,15 +2109,10 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. +Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1957,31 +2140,38 @@ This policy allows an IT Admin to define the following: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark4YesYes
    Businesscheck mark4YesYes
    Enterprisecheck mark4YesYes
    Educationcheck mark4YesYes
    +
    @@ -1995,15 +2185,10 @@ This policy allows an IT Admin to define the following: -Added in Windows 10, version 1803. Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. +Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2024,16 +2209,6 @@ This policy allows an IT Admin to define the following:
    -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index 9a3bcc48ee..1c8ca1f094 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -14,7 +14,12 @@ manager: dansimp # Policy CSP - Desktop - +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
    @@ -36,31 +41,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscross markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -81,12 +93,7 @@ By default, a user can change the location of their individual profile folders l If you enable this setting, users are unable to type a new location in the Target box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -99,16 +106,7 @@ ADMX Info:
    -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index 157279f8f5..a7b099ab6f 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -44,31 +44,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procross markNoNo
    Businesscross markNoNo
    Enterprisecheck mark5YesYes
    Educationcheck mark5YesYes
    +
    @@ -121,31 +128,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procross markNoNo
    Businesscross markNoNo
    Enterprisecheck mark3YesYes
    Educationcheck mark3YesYes
    +
    @@ -159,7 +173,7 @@ ADMX Info: -Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. +Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. @@ -187,31 +201,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procross markNoNo
    Businesscross markNoNo
    Enterprisecheck mark3YesYes
    Educationcheck mark3YesYes
    +
    @@ -225,7 +246,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. +This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. @@ -255,28 +276,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procross markNoNo
    Businesscross markNoNo
    Enterprisecheck mark3YesYes
    Educationcheck mark3YesYes
    @@ -293,7 +320,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. Specifies the platform security level at the next reboot. Value type is integer. +Specifies the platform security level at the next reboot. Value type is integer. @@ -315,15 +342,6 @@ The following list shows the supported values:
    -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 35190895c9..2d0bfe0011 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -42,31 +42,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark6YesYes
    Businesscheck mark6YesYes
    Enterprisecheck mark6YesYes
    Educationcheck mark6YesYes
    +
    @@ -106,31 +113,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark6YesYes
    Businesscheck mark6YesYes
    Enterprisecheck mark6YesYes
    Educationcheck mark6YesYes
    +
    @@ -169,31 +183,38 @@ IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark6YesYes
    Businesscheck mark6YesYes
    Enterprisecheck mark6YesYes
    Educationcheck mark6YesYes
    +
    @@ -225,16 +246,7 @@ In most cases, an IT Pro does not need to define this policy. Instead, it is exp
    -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 013edacaec..c14144ccd7 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -14,6 +14,13 @@ ms.localizationpriority: medium # Policy CSP - DeviceInstallation +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
    @@ -59,31 +66,38 @@ ms.localizationpriority: medium - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark5YesYes
    Businesscheck mark5YesYes
    Enterprisecheck mark5YesYes
    Educationcheck mark5YesYes
    +
    @@ -120,12 +134,7 @@ Peripherals can be specified by their [hardware identity](/windows-hardware/driv -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -183,31 +192,38 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark6YesYes
    Businesscheck mark6YesYes
    Enterprisecheck mark6YesYes
    Educationcheck mark6YesYes
    +
    @@ -216,7 +232,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and > [!div class = "checklist"] > * Device -Added in Windows 10, version 1903. Also available in Windows 10, version 1809. +
    @@ -244,12 +260,7 @@ If you disable or do not configure this policy setting, and no other policy sett Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -304,31 +315,38 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark5YesYes
    Businesscheck mark5YesYes
    Enterprisecheck mark5YesYes
    Educationcheck mark5YesYes
    +
    @@ -367,12 +385,7 @@ If you disable or do not configure this policy setting, and no other policy sett Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -437,31 +450,38 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark5YesYes
    Businesscheck mark5YesYes
    Enterprisecheck mark5YesYes
    Educationcheck mark5YesYes
    +
    @@ -500,12 +520,7 @@ Device instance IDs > Device IDs > Device setup class > Removable devices If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -564,31 +579,38 @@ You can also change the evaluation order of device installation policy settings - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark5YesYes
    Businesscheck mark5YesYes
    Enterprisecheck mark5YesYes
    Educationcheck mark5YesYes
    +
    @@ -609,12 +631,7 @@ If you enable this policy setting, Windows does not retrieve device metadata for If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -643,31 +660,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark5YesYes
    Businesscheck mark5YesYes
    Enterprisecheck mark5YesYes
    Educationcheck mark5YesYes
    +
    @@ -691,12 +715,7 @@ If you enable this policy setting, Windows is prevented from installing or updat If you disable or do not configure this policy setting, Windows is allowed to install or update the driver package for any device that is not described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -758,31 +777,38 @@ You can also block installation by using a custom profile in Intune. - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -808,12 +834,7 @@ If you disable or do not configure this policy setting, devices can be installed Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -878,31 +899,38 @@ For example, this custom profile blocks installation and usage of USB devices wi - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark6YesYes
    Businesscheck mark6YesYes
    Enterprisecheck mark6YesYes
    Educationcheck mark6YesYes
    +
    @@ -916,7 +944,7 @@ For example, this custom profile blocks installation and usage of USB devices wi -Added in Windows 10, version 1903. Also available in Windows 10, version 1809. This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. +This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. @@ -925,12 +953,7 @@ If you disable or do not configure this policy setting, devices can be installed Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1005,31 +1028,38 @@ with - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -1055,12 +1085,7 @@ If you disable or do not configure this policy setting, Windows can install and Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1117,15 +1142,6 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
    -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 3df3e81293..0288d5c9c7 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -75,31 +75,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procross markNoNo
    Businesscross markNoNo
    Enterprisecross markNoNo
    Educationcross markNoNo
    +
    @@ -139,31 +146,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -204,31 +218,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -247,7 +268,7 @@ Determines the type of PIN required. This policy only applies if the **DeviceLoc > [!NOTE] > This policy must be wrapped in an Atomic command. > -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education). +> Always use the Replace command instead of Add for this policy in Windows for desktop editions (Home, Pro, Enterprise, and Education). @@ -275,31 +296,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -318,7 +346,7 @@ Specifies whether device lock is enabled. > [!NOTE] > This policy must be wrapped in an Atomic command. > -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. +> Always use the Replace command instead of Add for this policy in Windows for desktop editions. @@ -374,31 +402,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -441,31 +476,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -508,31 +550,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck mark1YesYes
    Procheck mark1YesYes
    Businesscheck mark1YesYes
    Enterprisecheck mark1YesYes
    Educationcheck mark1YesYes
    +
    @@ -546,7 +595,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. +Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. > [!NOTE] > This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro. @@ -565,31 +614,38 @@ Value type is a string, which is the full image filepath and filename. - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -639,31 +695,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -707,31 +770,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -750,7 +820,7 @@ The number of complex element types (uppercase and lowercase letters, numbers, a > [!NOTE] > This policy must be wrapped in an Atomic command. > -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. +> Always use the Replace command instead of Add for this policy in Windows for desktop editions. PIN enforces the following behavior for desktop and mobile devices: @@ -829,31 +899,38 @@ For additional information about this policy, see [Exchange ActiveSync Policy En - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -872,7 +949,7 @@ Specifies the minimum number or characters required in the PIN or password. > [!NOTE] > This policy must be wrapped in an Atomic command. > -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. +> Always use the Replace command instead of Add for this policy in Windows for desktop editions. @@ -922,31 +999,38 @@ The following example shows how to set the minimum password length to 4 characte - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck mark3YesYes
    Procheck mark3YesYes
    Businesscheck mark3YesYes
    Enterprisecheck mark3YesYes
    Educationcheck mark3YesYes
    +
    @@ -983,31 +1067,38 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markNoNo
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -1053,31 +1144,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck markYesYes
    Procheck markYesYes
    Businesscheck markYesYes
    Enterprisecheck markYesYes
    Educationcheck markYesYes
    +
    @@ -1117,15 +1215,6 @@ ADMX Info:
    -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index 12a6952ffa..d24d5b7075 100644 --- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -48,31 +48,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark4YesYes
    Businesscheck mark4YesYes
    Enterprisecheck mark4YesYes
    Educationcheck mark4YesYes
    +
    @@ -108,31 +115,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark4YesYes
    Businesscheck mark4YesYes
    Enterprisecheck mark4YesYes
    Educationcheck mark4YesYes
    +
    @@ -188,31 +202,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark4YesYes
    Businesscheck mark4YesYes
    Enterprisecheck mark4YesYes
    Educationcheck mark4YesYes
    +
    @@ -248,31 +269,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark2YesYes
    Businesscheck mark2YesYes
    Enterprisecheck mark2YesYes
    Educationcheck mark2YesYes
    +
    @@ -323,31 +351,38 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark2YesYes
    Businesscheck mark2YesYes
    Enterprisecheck mark2YesYes
    Educationcheck mark2YesYes
    +
    @@ -391,16 +426,7 @@ To validate on Desktop, do the following:
    -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 2ca5164a50..e16f8e14e9 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -35,31 +35,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark5YesYes
    Businesscheck mark5YesYes
    Enterprisecheck mark5YesYes
    Educationcheck mark5YesYes
    +
    @@ -111,15 +118,6 @@ ADMX Info:
    -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index 7d2b8ebb1e..42ade7935c 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -44,31 +44,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecheck mark8YesYes
    Procheck mark8YesYes
    Businesscheck mark8YesYes
    Enterprisecheck mark8YesYes
    Educationcheck mark8YesYes
    +
    @@ -82,7 +89,7 @@ manager: dansimp -Added in Windows 10, version 2004. This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you will be able to access graphing functionality. +This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you will be able to access graphing functionality. ADMX Info: @@ -107,31 +114,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark3YesYes
    Businesscheck mark3YesYes
    Enterprisecheck mark3YesYes
    Educationcheck mark3YesYes
    +
    @@ -145,7 +159,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. This policy allows IT Admins to set the user's default printer. +This policy allows IT Admins to set the user's default printer. The policy value is expected to be the name (network host name) of an installed printer. @@ -160,31 +174,38 @@ The policy value is expected to be the name (network host name) of an installed - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark3YesYes
    Businesscheck mark3YesYes
    Enterprisecheck mark3YesYes
    Educationcheck mark3YesYes
    +
    @@ -198,7 +219,7 @@ The policy value is expected to be the name (network host name) of an installed -Added in Windows 10, version 1709. Allows IT Admins to prevent user installation of additional printers from the printers settings. +Allows IT Admins to prevent user installation of additional printers from the printers settings. @@ -226,31 +247,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
    Windows EditionSupported?EditionWindows 10Windows 11
    Homecross markNoNo
    Procheck mark3YesYes
    Businesscheck mark3YesYes
    Enterprisecheck mark3YesYes
    Educationcheck mark3YesYes
    +
    @@ -264,7 +292,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. Allows IT Admins to automatically provision printers based on their names (network host names). +Allows IT Admins to automatically provision printers based on their names (network host names). The policy value is expected to be a `````` separated list of printer names. The OS will attempt to search and install the matching printer driver for each listed printer. @@ -272,16 +300,7 @@ The policy value is expected to be a `````` separated list of printer na
    -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. From eb7a3e90be308b89390132003127536f69e9303e Mon Sep 17 00:00:00 2001 From: jaimeo Date: Wed, 29 Sep 2021 08:38:18 -0700 Subject: [PATCH 07/33] updating one file as a test --- windows/deployment/update/waas-delivery-optimization.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index ab8834382a..423c1dc58e 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -21,7 +21,8 @@ ms.custom: seo-marvel-apr2020 **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 > **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158). From 55cd2d95d797a9c18affdcbca11eea94e654cdc6 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Wed, 29 Sep 2021 08:58:58 -0700 Subject: [PATCH 08/33] remainder of Delivery Optimization updates --- .../update/delivery-optimization-proxy.md | 5 +- .../update/delivery-optimization-workflow.md | 4 +- .../waas-delivery-optimization-reference.md | 11 ++- .../waas-delivery-optimization-setup.md | 5 +- .../update/waas-delivery-optimization.md | 77 +++---------------- 5 files changed, 29 insertions(+), 73 deletions(-) diff --git a/windows/deployment/update/delivery-optimization-proxy.md b/windows/deployment/update/delivery-optimization-proxy.md index 5e3fa30528..a03d3f5fb1 100644 --- a/windows/deployment/update/delivery-optimization-proxy.md +++ b/windows/deployment/update/delivery-optimization-proxy.md @@ -15,7 +15,10 @@ ms.topic: article # Using a proxy with Delivery Optimization -**Applies to**: Windows 10 +**Applies to** + +- Windows 10 +- Windows 11 When Delivery Optimization downloads content from HTTP sources, it uses the automatic proxy discovery capability of WinHttp to streamline and maximize the support for complex proxy configurations as it makes range requests from the content server. It does this by setting the **WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY** flag in all HTTP calls. diff --git a/windows/deployment/update/delivery-optimization-workflow.md b/windows/deployment/update/delivery-optimization-workflow.md index 4336f3ab23..4b2a35812c 100644 --- a/windows/deployment/update/delivery-optimization-workflow.md +++ b/windows/deployment/update/delivery-optimization-workflow.md @@ -17,8 +17,8 @@ ms.topic: article **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 ## Download request workflow diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index df12b64c2c..47e7f5cd13 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -20,6 +20,7 @@ ms.custom: seo-marvel-apr2020 **Applies to** - Windows 10 +- Windows 11 > **Looking for more Group Policy settings?** See the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158). @@ -116,6 +117,9 @@ Download mode dictates which download sources clients are allowed to use when do | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. | +> [!NOTE] +> Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of Download Mode is no longer used. + >[!NOTE] >Group mode is a best-effort optimization and should not be relied on for an authentication of identity of devices participating in the group. @@ -160,7 +164,7 @@ In environments configured for Delivery Optimization, you might want to set an e ### Max Cache Size -This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20. +This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20. ### Absolute Max Cache Size @@ -197,8 +201,9 @@ Starting in Windows 10, version 1803, specifies the maximum background download Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. ### Select a method to restrict peer selection -Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. -Currently the only available option is **1 = Subnet mask**. The subnet mask option applies to both Download Modes LAN (1) and Group (2). +Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). + +When you set option 0, Delivery Optimization will find peers behind the same NAT (same public IP) but still prioritize same subnet peers. When you set option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). When GroupID mode is set, it will default to using the same subnet. If you want to use the GroupID across subnets, use the NAT option = 0. ### Delay background download from http (in secs) Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index ef3f3040cc..b15133d690 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -2,7 +2,7 @@ title: Set up Delivery Optimization ms.reviewer: manager: laurawi -description: In this article, learn how to set up Delivery Optimization, a new peer-to-peer distribution method in Windows 10. +description: In this article, learn how to set up Delivery Optimization. keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 ms.mktglfcycl: deploy @@ -15,11 +15,12 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Set up Delivery Optimization for Windows 10 updates +# Set up Delivery Optimization for Windows client updates **Applies to** - Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 423c1dc58e..c6738e732c 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -1,5 +1,5 @@ --- -title: Delivery Optimization for Windows 10 updates +title: Delivery Optimization for Windows client updates manager: laurawi description: This article provides information about Delivery Optimization, a peer-to-peer distribution method in Windows 10. keywords: oms, operations management suite, wdav, updates, downloads, log analytics @@ -16,13 +16,12 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Delivery Optimization for Windows 10 updates - +# Delivery Optimization for Windows client updates **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 > **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158). @@ -30,44 +29,17 @@ Windows updates, upgrades, and applications can contain packages with very large Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet. -For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows 10 updates](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). +For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). >[!NOTE] >WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. -## New in Windows 10, version 2004 +## New in Windows 10, version 20H2 and Windows 11 -- Enterprise network throttling: new settings have been added in Group Policy and mobile device management (MDM) to control foreground and background throttling as absolute values (Maximum Background Download Bandwidth in (in KB/s)). These settings are also available in the Windows user interface: - - ![absolute bandwidth settings in delivery optimization interface.](images/DO-absolute-bandwidth.png) - -- Activity Monitor now identifies the cache server used for as the source for Microsoft Connected Cache. For more information about using Microsoft Connected Cache with Configuration Manager, see [Microsoft Connected Cache](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache). - -- New options for [`Get-DeliveryOptimizationPerfSnap`](waas-delivery-optimization-setup.md#analyze-usage). - -- New cmdlets: - - `Enable-DeliveryOptimizationVerboseLogs` - - `Disable-DeliveryOptimizationVerboseLogs` - - `Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]` - -- New policy settings: - - [DOCacheHost](waas-delivery-optimization-reference.md#cache-server-hostname) - - [DOCacheHostSource](waas-delivery-optimization-reference.md#cache-server-hostname-source) - - [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs); replaces DOPercentageMaxDownloadBandwidth - - [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) - -- Removed policy settings (if you set these policies in Windows 10, 2004, they will have no effect): - - DOMaxDownloadBandwidth; use [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) or [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) instead. - - DOPercentageMaxDownloadBandwidth; use [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) or [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) instead. - - DOMaxUploadBandwidth - -- Support for new types of downloads: - - Office installs and updates - - Xbox game pass games - - MSIX apps (HTTP downloads only) - - Microsoft Edge browser installations and updates - - [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) +- New peer selection options: Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). When you set Option 0, Delivery Optimization will find peers behind the same NAT (same public IP) but still prioritize same subnet peers. When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). When GroupID mode is set, it will default to using the same subnet. If you want to use the GroupID across subnets, use the NAT option = 0. +- Local Peer Discovery: a new option for **Restrict Peer Selection By** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). If you also enabled Group mode, Delivery Optimization will connect to locally discovered peers that are also part of the same group (that is, those which have the same Group ID). +- Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of [Download Mode](waas-delivery-optimization-reference.md#download-mode) is no longer used. ## Requirements @@ -83,8 +55,8 @@ The following table lists the minimum Windows 10 version that supports Delivery | Download package | Minimum Windows version | |------------------|---------------| -| Windows 10 updates (feature updates and quality updates) | 1511 | -| Windows 10 drivers | 1511 | +| Windows client updates (feature updates and quality updates) | 1511 | +| Windows client drivers | 1511 | | Windows Store files | 1511 | | Windows Store for Business files | 1511 | | Windows Defender definition updates | 1511 | @@ -101,7 +73,7 @@ The following table lists the minimum Windows 10 version that supports Delivery -In Windows 10 Enterprise, Professional, and Education editions, Delivery Optimization is enabled by default for peer-to-peer sharing on the local network (NAT). Specifically, all of the devices must be behind the same NAT, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. +In Windows client Enterprise, Professional, and Education editions, Delivery Optimization is enabled by default for peer-to-peer sharing on the local network (NAT). Specifically, all of the devices must be behind the same NAT, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. For more information, see "Download mode" in [Delivery optimization reference](waas-delivery-optimization-reference.md). @@ -255,28 +227,3 @@ Check Delivery Optimization settings that could limit participation in peer cach - Enable peer caching while the device connects using VPN. - Allow uploads when the device is on battery while under the set battery level - - - -## Learn more - -[Windows 10, Delivery Optimization, and WSUS](/archive/blogs/mniehaus/windows-10-delivery-optimization-and-wsus-take-2) - - -## Related articles - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) -- [Manage device restarts after updates](waas-restart.md) From b66eef7c0a7dff33412897185c7f9d095dca80f7 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Wed, 29 Sep 2021 09:10:48 -0700 Subject: [PATCH 09/33] removing view parameter per suggestion --- windows/deployment/update/waas-delivery-optimization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index c6738e732c..4909cdd452 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -215,7 +215,7 @@ Try a Telnet test between two devices on the network to ensure they can connect 2. Run the test. For example, if you are on device with IP 192.168.8.12 and you are trying to test the connection to 192.168.9.17 run `telnet 192.168.9.17 7680` (the syntax is *telnet [destination IP] [port]*. You will either see a connection error or a blinking cursor like this /_. The blinking cursor means success. > [!NOTE] -> You can also use [Test-NetConnection](/powershell/module/nettcpip/test-netconnection?view=windowsserver2019-ps) instead of Telnet to run the test. +> You can also use [Test-NetConnection](/powershell/module/nettcpip/test-netconnection) instead of Telnet to run the test. > **Test-NetConnection -ComputerName 192.168.9.17 -Port 7680** ### None of the computers on the network are getting updates from peers From 9dd415335b8fc5a56e6bbe5b0f38cafd56855172 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Wed, 29 Sep 2021 14:31:35 -0700 Subject: [PATCH 10/33] safety commit --- .../feature-update-maintenance-window.md | 4 +- .../get-started-updates-channels-tools.md | 30 ++-- .../update/how-windows-update-works.md | 2 +- .../deployment/update/plan-define-strategy.md | 17 +-- .../deployment/update/waas-configure-wufb.md | 72 ++++------ ...aas-deployment-rings-windows-10-updates.md | 2 + .../deployment/update/waas-integrate-wufb.md | 32 ++--- .../update/waas-manage-updates-wufb.md | 132 +++--------------- .../waas-optimize-windows-10-updates.md | 6 +- windows/deployment/update/waas-overview.md | 131 +++++------------ windows/deployment/update/waas-quick-start.md | 43 ++---- ...s-servicing-channels-windows-10-updates.md | 124 ++-------------- .../update/waas-servicing-differences.md | 1 + ...s-servicing-strategy-windows-10-updates.md | 43 ++---- windows/deployment/update/waas-wu-settings.md | 24 ++-- .../update/waas-wufb-group-policy.md | 44 ++---- windows/deployment/update/wufb-autoupdate.md | 2 +- windows/deployment/update/wufb-basics.md | 1 + .../update/wufb-compliancedeadlines.md | 110 +-------------- .../deployment/update/wufb-managedrivers.md | 2 +- .../deployment/update/wufb-manageupdate.md | 2 + windows/deployment/update/wufb-onboard.md | 1 + 22 files changed, 186 insertions(+), 639 deletions(-) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index 771a7648f8..473abc5a46 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -13,7 +13,7 @@ ms.collection: M365-modern-desktop ms.topic: article ms.custom: seo-marvel-apr2020 --- - +{DELETE} # Deploy feature updates during maintenance windows **Applies to**: Windows 10 @@ -105,7 +105,7 @@ or documentation, even if Microsoft has been advised of the possibility of such ``` > [!NOTE] -> If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. +> If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for feature update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. ## Manually deploy feature updates diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md index b034e4e658..726454837e 100644 --- a/windows/deployment/update/get-started-updates-channels-tools.md +++ b/windows/deployment/update/get-started-updates-channels-tools.md @@ -1,5 +1,5 @@ --- -title: Windows 10 updates, channels, and tools +title: Windows client updates, channels, and tools description: Brief summary of the kinds of Windows updates, the channels they are served through, and the tools for managing them keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 @@ -12,7 +12,12 @@ manager: laurawi ms.topic: article --- -# Windows 10 updates, channels, and tools +# Windows client updates, channels, and tools + +**Applies to** + +- Windows 10 +- Windows 11 ## How Windows updates work @@ -30,34 +35,31 @@ version of the software. We include information here about many different update types you'll hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*. -- **Feature updates:** Released twice per year, during the first half and second half of each calendar year. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage. -- **Quality updates:** Quality updates deliver both security and non-security fixes to Windows 10. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously. +- **Feature updates:** Released as soon as they become available. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage. +- **Quality updates:** Quality updates deliver both security and non-security fixes. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously. - **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md). - **Driver updates**: These update drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not. - **Microsoft product updates:** These update other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools. - ## Servicing channels -Windows 10 offers three servicing channels, each of which offers you a different level of flexibility with how and when updates are delivered to devices. Using the different servicing channels allows you to deploy Windows 10 "as a service," which conceives of deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. +There are three servicing channels, each of which offers you a different level of flexibility with how and when updates are delivered to devices. Using the different servicing channels allows you to deploy Windows "as a service," which conceives of deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. The first step of controlling when and how devices install updates is assigning them to the appropriate servicing channel. You can assign devices to a particular channel with any of several tools, including Microsoft Endpoint Configuration Manager, Windows Server Update Services (WSUS), and Group Policy settings applied by any of several means. By dividing devices into different populations ("deployment groups" or "rings") you can use servicing channel assignment, followed by other management features such as update deferral policies, to create a phased deployment of any update that allows you to start with a limited pilot deployment for testing before moving to a broad deployment throughout your organization. -### Semi-annual Channel +### General Availability Channel -In the Semi-annual Channel, feature updates are available as soon as Microsoft releases them, twice per year. As long as a device isn't set to defer feature updates, any device using the Semi-annual Channel will install a feature update as soon as it's released. If you use Windows Update for Business, the Semi-annual Channel provides three months of additional total deployment time before being required to update to the next release. +In the General Availability Channel, feature updates are available as soon as Microsoft releases them. As long as a device isn't set to defer feature updates, any device in this channel will install a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release. -> [!NOTE] -> All releases of Windows 10 have **18 months of servicing for all editions**--these updates provide security and feature updates for the release. However, fall releases of the **Enterprise and Education editions** will have an **additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release**. This extended servicing window applies to Enterprise and Education editions starting with Windows 10, version 1607. ### Windows Insider Program for Business Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. There are actually three options within the Windows Insider Program for Business channel: -- Windows Insider Fast -- Windows Insider Slow +- Windows Insider Dev +- Windows Insider Beta - Windows Insider Release Preview We recommend that you use the Windows Insider Release Preview channel for validation activities. @@ -67,10 +69,10 @@ We recommend that you use the Windows Insider Release Preview channel for valida The **Long-Term Servicing Channel** is designed to be used only for specialized devices (which typically don't run Office) such as ones that control medical equipment or ATMs. Devices on this channel receive new feature releases every two to three years. LTSB releases service a special LTSB edition of Windows 10 and are only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). -The Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition. +The General Availability Channel is the default servicing channel for all Windows devices except those with the LTSB edition installed. The following table shows the servicing channels available to each edition. -| Windows 10 edition | Semi-Annual Channel | Insider Program | Long-Term Servicing Channel | +| Edition | General Availability Channel | Insider Program | Long-Term Servicing Channel | | --- | --- | --- | --- | | Home | ![yes.](images/checkmark.png)|![no](images/crossmark.png) | ![no](images/crossmark.png)| | Pro | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png)| diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index 1cb0a47bf7..821586a7d8 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md @@ -1,6 +1,6 @@ --- title: How Windows Update works -description: In this article, learn about the process Windows Update uses to download and install updates on a Windows 10 devices. +description: In this article, learn about the process Windows Update uses to download and install updates on a Windows client devices. ms.prod: w10 ms.mktglfcycl: audience: itpro diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md index c18d2b0576..289cffc216 100644 --- a/windows/deployment/update/plan-define-strategy.md +++ b/windows/deployment/update/plan-define-strategy.md @@ -14,6 +14,11 @@ ms.collection: m365initiative-coredeploy # Define update strategy with a calendar +**Applies to** + +- Windows 10 +- Windows 11 + Traditionally, organizations treated the deployment of operating system updates (especially feature updates) as a discrete project that had a beginning, a middle, and an end. A release was "built" (usually in the form of an image) and then distributed to users and their devices. Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. @@ -21,7 +26,7 @@ Today, more organizations are treating deployment as a continual process of upda Though we encourage you to deploy every available release and maintain a fast cadence for some portion of your environment, we also recognize that you might have a large number of devices, and a need for little or no disruption, and so you might choose to update annually. The 18/30 month lifecycle cadence lets you allow some portion of your environment to move faster while a majority can move less quickly. ## Calendar approaches -You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing Windows 10 feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates. +You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates. ### Annual Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Manager and Microsoft 365 Apps release cycles: @@ -38,14 +43,4 @@ This cadence might be most suitable for you if any of these conditions apply: - You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the second half of each calendar year, you get additional servicing for Windows 10 (30 months of servicing compared to 18 months). -### Rapid -This calendar shows an example schedule that installs each feature update as it is released, twice per year: -[ ![Update calendar showing a faster update cadence.](images/rapid-calendar.png) ](images/rapid-calendar.png#lightbox) - -This cadence might be best for you if these conditions apply: - -- You have a strong appetite for change. -- You want to continuously update supporting infrastructure and unlock new scenarios. -- Your organization has a large population of information workers that can use the latest features and functionality in Windows 10 and Office. -- You have experience with feature updates for Windows 10. diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index d0c4ab43af..0c557a1ac6 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -1,5 +1,5 @@ --- -title: Configure Windows Update for Business (Windows 10) +title: Configure Windows Update for Business ms.reviewer: manager: laurawi description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. @@ -19,13 +19,14 @@ ms.topic: article **Applies to** - Windows 10 +- Windows 11 - Windows Server 2016 - Windows Server 2019 +- Windows Server 2022 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). +You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). > [!IMPORTANT] > Beginning with Windows 10, version 1903, organizations can use Windows Update for Business policies, regardless of the diagnostic data level chosen. If the diagnostic data level is set to **0 (Security)**, Windows Update for Business policies will still be honored. For instructions, see [Configure the operating system diagnostic data level](/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). @@ -33,7 +34,7 @@ You can use Group Policy or your mobile device management (MDM) service to confi ## Start by grouping devices -By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be as a quality control measure as updates are deployed in Windows 10. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization. For more information, see [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md). +By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be as a quality control measure as updates are deployed. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization. >[!TIP] >In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/). @@ -43,13 +44,13 @@ By grouping devices with similar deferral periods, administrators are able to cl ## Configure devices for the appropriate service channel -With Windows Update for Business, you can set a device to be on either Windows Insider Preview or the Semi-Annual Channel servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels). +With Windows Update for Business, you can set a device to be on either Windows Insider Preview or the General Availability Channel servicing branch. For more information on this servicing model, see [Servicing channels](waas-overview.md#servicing-channels). **Release branch policies** | Policy | Sets registry key under HKLM\Software | | --- | --- | -| GPO for Windows 10, version 1607 or later:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel | +| GPO for Windows 10, version 1607 or later:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when feature updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel | | GPO for Windows 10, version 1511:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade | | MDM for Windows 10, version 1607 or later:
    ../Vendor/MSFT/Policy/Config/Update/
    **BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel | | MDM for Windows 10, version 1511:
    ../Vendor/MSFT/Policy/Config/Update/
    **RequireDeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | @@ -64,9 +65,9 @@ Starting with Windows 10, version 1703, users can configure the branch readiness ## Configure when devices receive feature updates -After you configure the servicing branch (Windows Insider Preview or Semi-Annual Channel), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. +After you configure the servicing branch (Windows Insider Preview or General Availability Channel), you can then define if, and for how long, you would like to defer receiving feature updates following their availability from Microsoft on Windows Update. You can defer receiving these feature updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. -For example, a device on the Semi-Annual Channel with `DeferFeatureUpdatesPeriodinDays=30` will not install a feature update that is first publicly available on Windows Update in September until 30 days later, in October. +For example, a device on the General Availability Channel with `DeferFeatureUpdatesPeriodinDays=30` will not install a feature update that is first publicly available on Windows Update in September until 30 days later, in October.

    @@ -74,7 +75,7 @@ For example, a device on the Semi-Annual Channel with `DeferFeatureUpdatesPeriod | Policy | Sets registry key under HKLM\Software | | --- | --- | -| GPO for Windows 10, version 1607 or later:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates
    \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays | +| GPO for Windows 10, version 1607 or later:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when feature updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates
    \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays | | GPO for Windows 10, version 1511:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod | | MDM for Windows 10, version 1607 and later:
    ../Vendor/MSFT/Policy/Config/Update/
    **DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays | | MDM for Windows 10, version 1511:
    ../Vendor/MSFT/Policy/Config/Update/
    **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | @@ -84,7 +85,7 @@ For example, a device on the Semi-Annual Channel with `DeferFeatureUpdatesPeriod ## Pause feature updates -You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, you can then pause Feature Updates for the device again. +You can also pause a device from receiving feature updates by a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable feature updates. Following this scan, you can then pause feature updates for the device again. Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date. @@ -98,20 +99,20 @@ In cases where the pause policy is first applied after the configured start date | Policy | Sets registry key under HKLM\Software | | --- | --- | -| GPO for Windows 10, version 1607 or later:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates
    **1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartTime | +| GPO for Windows 10, version 1607 or later:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when feature updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates
    **1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartTime | | GPO for Windows 10, version 1511:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | | MDM for Windows 10, version 1607 or later:
    ../Vendor/MSFT/Policy/Config/Update/
    **PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates
    **1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime | | MDM for Windows 10, version 1511:
    ../Vendor/MSFT/Policy/Config/Update/
    **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | -You can check the date that Feature Updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. +You can check the date that feature updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. -The local group policy editor (GPEdit.msc) will not reflect whether the Feature Update pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain selected in the policy editor. To check whether a device has automatically resumed taking Feature Updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: +The local group policy editor (GPEdit.msc) will not reflect whether the feature update pause period has expired. Although the device will resume feature updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking feature updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: | Value | Status| | --- | --- | -| 0 | Feature Updates not paused | -| 1 | Feature Updates paused | -| 2 | Feature Updates have auto-resumed after being paused | +| 0 | feature updates not paused | +| 1 | feature updates paused | +| 2 | feature updates have auto-resumed after being paused | >[!NOTE] >If not configured by policy, individual users can pause feature updates by using **Settings > Update & security > Windows Update > Advanced options**. @@ -122,9 +123,9 @@ Starting with Windows 10, version 1703, using Settings to control the pause beha - Any pending update installations are canceled. - Any update installation running when pause is activated will attempt to roll back. -## Configure when devices receive Quality Updates +## Configure when devices receive quality updates -Quality updates are typically published on the second Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving Quality updates following their availability. You can defer receiving these quality updates for a period of up to 30 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value. +Quality updates are typically published on the second Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving quality updates following their availability. You can defer receiving these quality updates for a period of up to 30 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value. You can set your system to receive updates for other Microsoft products—known as Microsoft updates (such as Microsoft Office, Visual Studio)—along with Windows updates by setting the **AllowMUUpdateService** policy. When you do this, these Microsoft updates will follow the same deferral and pause rules as all other quality updates. @@ -160,15 +161,15 @@ In cases where the pause policy is first applied after the configured start date | MDM for Windows 10, version 1607 or later:
    ../Vendor/MSFT/Policy/Config/Update/
    **PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates
    **1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime | | MDM for Windows 10, version 1511:
    ../Vendor/MSFT/Policy/Config/Update/
    **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | -You can check the date that quality Updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. +You can check the date that quality updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. -The local group policy editor (GPEdit.msc) will not reflect whether the quality Update pause period has expired. Although the device will resume quality Updates after 35 days automatically, the pause checkbox will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: +The local group policy editor (GPEdit.msc) will not reflect whether the quality update pause period has expired. Although the device will resume quality updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: | Value | Status| | --- | --- | -| 0 | Quality Updates not paused | -| 1 | Quality Updates paused | -| 2 | Quality Updates have auto-resumed after being paused | +| 0 | quality updates not paused | +| 1 | quality updates paused | +| 2 | quality updates have auto-resumed after being paused | >[!NOTE] >If not configured by policy, individual users can pause quality updates by using **Settings > Update & security > Windows Update > Advanced options**. @@ -193,8 +194,8 @@ The **Manage preview builds** setting gives administrators control over enabling >* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds** >* MDM: **System/AllowBuildPreview** -The policy settings to **Select when Feature Updates are received** allows you to choose between preview flight rings, and allows you to defer or pause their delivery. -* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* +The policy settings to **Select when feature updates are received** allows you to choose between preview flight rings, and allows you to defer or pause their delivery. +* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and feature updates are received* * MDM: **Update/BranchReadinessLevel** ## Exclude drivers from quality updates @@ -216,7 +217,7 @@ The following are quick-reference tables of the supported policy values for Wind | GPO Key | Key type | Value | | --- | --- | --- | -| BranchReadinessLevel | REG_DWORD | 2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
    4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
    8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709)
    16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-Annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-Annual Channel
    32: systems take Feature Updates from Semi-Annual Channel
    Note: Other value or absent: receive all applicable updates | +| BranchReadinessLevel | REG_DWORD | 2: systems take feature updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
    4: systems take feature updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
    8: systems take feature updates for the Release Windows Insider build (added in Windows 10, version 1709)

    Other value or absent: receive all applicable updates | | DeferQualityUpdates | REG_DWORD | 1: defer quality updates
    Other value or absent: don’t defer quality updates | | DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | | PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updates
    Other value or absent: don’t pause quality updates | @@ -230,7 +231,7 @@ The following are quick-reference tables of the supported policy values for Wind | MDM Key | Key type | Value | | --- | --- | --- | -| BranchReadinessLevel | REG_DWORD |2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
    4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
    8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709)
    16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-Annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-Annual Channel
    32: systems take Feature Updates from Semi-Annual Channel
    Note: Other value or absent: receive all applicable updates | +| BranchReadinessLevel | REG_DWORD |2: systems take feature updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
    4: systems take feature updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
    8: systems take feature updates for the Release Windows Insider build (added in Windows 10, version 1709)
    32: systems take feature updates from General Availability Channel
    Note: Other value or absent: receive all applicable updates | | DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | | PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updates
    Other value or absent: don’t pause quality updates | | DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | @@ -253,20 +254,3 @@ When a device running a newer version sees an update available on Windows Update | PauseFeatureUpdates | PauseFeatureUpdatesStartTime | | PauseQualityUpdates | PauseQualityUpdatesStartTime | -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) -- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md index 4070bb332d..fcb4115629 100644 --- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md +++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md @@ -12,6 +12,8 @@ ms.collection: M365-modern-desktop ms.topic: article --- +{DELETE ALTOGETHER??} + # Build deployment rings for Windows client updates **Applies to** diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md index 6460401d70..b5d5e02b67 100644 --- a/windows/deployment/update/waas-integrate-wufb.md +++ b/windows/deployment/update/waas-integrate-wufb.md @@ -1,5 +1,5 @@ --- -title: Integrate Windows Update for Business (Windows 10) +title: Integrate Windows Update for Business description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. ms.prod: w10 ms.mktglfcycl: manage @@ -17,6 +17,7 @@ ms.topic: article **Applies to** - Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) @@ -25,7 +26,7 @@ You can integrate Windows Update for Business deployments with existing manageme ## Integrate Windows Update for Business with Windows Server Update Services -For Windows 10, version 1607, devices can now be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup: +For Windows 10, version 1607 and later, devices can be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup: - Devices will receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy - All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows will not follow your Windows Update for Business deferral policies @@ -34,7 +35,7 @@ For Windows 10, version 1607, devices can now be configured to receive updates f **Configuration:** -- Device is configured to defer Windows Quality Updates using Windows Update for Business +- Device is configured to defer Windows quality updates using Windows Update for Business - Device is also configured to be managed by WSUS - Device is not configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled) - Admin has opted to put updates to Office and other products on WSUS @@ -46,11 +47,11 @@ For Windows 10, version 1607, devices can now be configured to receive updates f Third-party driversWSUSWSUSNo -### Configuration example \#2: Excluding drivers from Windows Quality Updates using Windows Update for Business +### Configuration example \#2: Excluding drivers from Windows quality updates using Windows Update for Business **Configuration:** -- Device is configured to defer Windows Quality Updates and to exclude drivers from Windows Update Quality Updates (**ExcludeWUDriversInQualityUpdate** = enabled) +- Device is configured to defer Windows quality updates and to exclude drivers from Windows Update quality updates (**ExcludeWUDriversInQualityUpdate** = enabled) - Device is also configured to be managed by WSUS - Admin has opted to put Windows Update drivers on WSUS @@ -66,7 +67,7 @@ For Windows 10, version 1607, devices can now be configured to receive updates f **Configuration:** -- Device is configured to defer Quality Updates using Windows Update for Business and to be managed by WSUS +- Device is configured to defer quality updates using Windows Update for Business and to be managed by WSUS - Device is configured to “receive updates for other Microsoft products” along with updates to Windows (**Update/AllowMUUpdateService** = enabled) - Admin has also placed Microsoft Update, non-Microsoft, and locally published update content on the WSUS server @@ -86,26 +87,9 @@ In this example, the deferral behavior for updates to Office and other non-Windo ## Integrate Windows Update for Business with Microsoft Endpoint Configuration Manager -For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (i.e. setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**. +For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (that is, setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**. ![Example of unknown devices.](images/wufb-sccm.png) For more information, see [Integration with Windows Update for Business in Windows 10](/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10). -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) -- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 850d6cec44..dea3bbba22 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -1,5 +1,5 @@ --- -title: Windows Update for Business (Windows 10) +title: Windows Update for Business ms.reviewer: manager: laurawi description: Learn how Windows Update for Business lets you manage when devices receive updates from Windows Update. @@ -18,14 +18,15 @@ ms.custom: seo-marvel-apr2020 **Applies to** - Windows 10 +- Windows 11 -Windows Update for Business is a free service that is available for all premium editions including Windows 10 Pro, Enterprise, Pro for Workstation, and Education editions. +Windows Update for Business is a free service that is available for all premium editions including Windows 10 and Windows 11 Pro, Enterprise, Pro for Workstation, and Education editions. > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -Windows Update for Business enables IT administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. +Windows Update for Business enables IT administrators to keep the Windows client devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when devices are updated. Specifically, Windows Update for Business lets you control update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization. It also provides a positive update experience for people in your organization. @@ -46,7 +47,7 @@ Windows Update for Business enables an IT administrator to receive and manage a Windows Update for Business provides management policies for several types of updates to Windows 10 devices: -- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released semi-annually in the fall and in the spring. +- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released as soon as they become available. - **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as updates for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates. - **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer. - **Microsoft product updates**: Updates for other Microsoft products, such as versions of Office that are installed by using Windows Installer (MSI). Versions of Office that are installed by using Click-to-Run can't be updated by using Windows Update for Business. Product updates are off by default. You can turn them on by using Windows Update for Business policies. @@ -62,16 +63,15 @@ You can defer or pause the installation of updates for a set period of time. The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates: -- Windows Insider Fast -- Windows Insider Slow -- Windows Insider Release Preview -- Semi-Annual Channel +- Windows Insider Dev +- Windows Insider Beta +- Windows Insider Preview +- General Availability Channel -Prior to Windows 10, version 1903, there are two channels for released updates: Semi-Annual Channel and Semi-Annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-Annual Channel. All deferral days are calculated against a release’s Semi-Annual Channel release date. For exact release dates, see [Windows Release Information](/windows/release-health/release-information). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. To use this policy to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. #### Defer an update -A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and Feature Updates are Received** policy. +A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and feature updates are Received** policy. |Category |Maximum deferral period | @@ -88,7 +88,7 @@ A Windows Update for Business administrator can defer the installation of both f If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated. If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set. -To pause feature updates, use the **Select when Preview Builds and Feature Updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates). +To pause feature updates, use the **Select when Preview Builds and feature updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates). Built-in benefits: When updating from Windows Update, you get the added benefits of built-in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks. @@ -97,10 +97,10 @@ When updating from Windows Update, you get the added benefits of built-in compat For the best experience with Windows Update, follow these guidelines: -- Use devices for at least 6 hours per month, including at least 2 hours of continuous use. -- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours. -- Make sure that devices have at least 10 GB of free space. -- Give devices unobstructed access to the Windows Update service. +- Use devices for at least 6 hours per month, including at least 2 hours of continuous use. +- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours. +- Make sure that devices have at least 10 GB of free space. +- Give devices unobstructed access to the Windows Update service. ### Manage the end-user experience when receiving Windows Updates @@ -110,9 +110,9 @@ Windows Update for Business provides controls to help meet your organization’s Features like the smart busy check (which ensure updates don't happen when a user is signed in) and active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features: -1. Automatically download, install, and restart (default if no restart policies are set up or enabled) -2. Use the default notifications -3. Set update deadlines +1. Automatically download, install, and restart (default if no restart policies are set up or enabled). +2. Use the default notifications. +3. Set update deadlines. ##### Setting deadlines @@ -121,101 +121,11 @@ A compliance deadline policy (released in June 2019) enables you to set separate This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This approach is useful in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation. #### Update Baseline -The large number of different policies offered for Windows 10 can be overwhelming. Update Baseline provides a clear list of recommended Windows update policy settings for IT administrators who want the best user experience while also meeting their update compliance goals. The Update Baseline for Windows 10 includes policy settings recommendations covering deadline configuration, restart behavior, power policies, and more. + +The large number of different policies offered can be overwhelming. Update Baseline provides a clear list of recommended Windows update policy settings for IT administrators who want the best user experience while also meeting their update compliance goals. The Update Baseline for Windows 10 includes policy settings recommendations covering deadline configuration, restart behavior, power policies, and more. The Update Baseline toolkit makes it easy by providing a single command for IT Admins to apply the Update Baseline to devices. You can get the Update Baseline toolkit from the [Download Center](https://www.microsoft.com/download/details.aspx?id=101056). >[!NOTE] ->The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether you’re using deferrals or target version to manage which updates are offered to your devices when. +>The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether you’re using deferrals or target version to manage which updates are offered to your devices when. Update Baseline is not currently supported for Windows 11. - ADMX Info: -- GP Friendly name: *Specify what to load in background (aka AutoLoad)* +- GP Friendly name: *Specify what to load in background (also known as AutoLoad)* - GP name: *Steaming_Autoload* - GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* From 88b3cf77573db7f440c837f47227932536865ead Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 1 Oct 2021 21:08:43 -0700 Subject: [PATCH 29/33] Corrected notes styles --- .../mdm/policy-csp-applicationmanagement.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index d7d387430b..933d541866 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -784,9 +784,11 @@ If you enable this policy setting, privileges are extended to all programs. Thes If you disable or do not configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer. -Note: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. +> [!NOTE] +> This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. -Caution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed to be secure. +> [!CAUTION] +> Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed to be secure. From 9b8a71cd04ce43a975d649b893ec5d302f6f1c5c Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 1 Oct 2021 21:10:59 -0700 Subject: [PATCH 30/33] Corrected note style --- windows/client-management/mdm/policy-csp-bits.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index 1e7659b25f..6d43ce5789 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -114,7 +114,8 @@ Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrott If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. -Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. +> [!NOTE] +> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). From be8a5242d634beef52d5d03334b95d77c5dbcbf6 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 1 Oct 2021 21:17:21 -0700 Subject: [PATCH 31/33] Replace non-functioning asterisk markup with HTML Markdown tends to fail when next to HTML tags, and these asterisks were next to an anchor tag. --- windows/client-management/mdm/policy-csp-browser.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 12da488189..adb1bec8af 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -4513,7 +4513,7 @@ Supported values:
    -**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge** +Browser/SyncFavoritesBetweenIEAndMicrosoftEdge From 7cdddd1f6c751d1b4e75205f49098f511c3847c9 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 1 Oct 2021 21:19:50 -0700 Subject: [PATCH 32/33] Corrected note style --- .../client-management/mdm/policy-csp-credentialproviders.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index a0cf427df5..d4a0c57801 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -99,7 +99,8 @@ If you enable this policy setting, a domain user can set up and sign in with a c If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN. -Note: The user's domain password will be cached in the system vault when using this feature. +> [!NOTE] +> The user's domain password will be cached in the system vault when using this feature. To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business. From e5770c24d7b7e3aa01650a4f2f66685b475a2978 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 1 Oct 2021 21:26:58 -0700 Subject: [PATCH 33/33] Corrected note styles --- windows/client-management/mdm/policy-csp-bits.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index 6d43ce5789..087a16f215 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -204,7 +204,8 @@ Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrott If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. -Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. +> [!NOTE] +> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). @@ -293,7 +294,8 @@ Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrott If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. -Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. +> [!NOTE] +> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs).