2. Hold the **vol-up** button while pressing the **power** button to power on the device. Continue to hold **vol-up** until you see the Surface UEFI settings.
3. Under **Security** find the **Secure Boot** option and disable it.
4. With SecureBoot disabled choose **exit** -\> **restart now** to exit UEFI settings and reboot the device back to Windows.
5. Confirm that S mode is now properly enabled.
6. Once you’ve confirmed S mode, you should re-enable Secure Boot… repeat the above steps, choosing to **Enable** Secure Boot from the UEFI securitysettings. + +## Additional Info + +[Windows 10 deployment scenarios](https://docs.microsoft.com/en-us/windows/deployment/windows-10-deployment-scenarios) + +[Windows 10 deployment scenarios and tools](https://docs.microsoft.com/en-us/windows/deployment/windows-deployment-scenarios-and-tools) + +[Download and install the Windows ADK](https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install) + +[Windows ADK for Windows 10 scenarios for IT Pros](https://docs.microsoft.com/en-us/windows/deployment/windows-adk-scenarios-for-it-pros) + +[Modify a Windows Image Using DISM](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) + +[Service a Windows Image Using DISM](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/service-a-windows-image-using-dism) + +[DISM Image Management Command-Line Options](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14) + diff --git a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md index 41afc5d8a5..3e9aff0890 100644 --- a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md +++ b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md @@ -7,12 +7,12 @@ ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library ms.prod: w10 -ms.date: 07/18/2017 +ms.date: 08/23/2018 +ms.author: pashort --- -# High-Level Architecture of MBAM 2.5 with Configuration Manager Integration Topology - +# High-level architecture of MBAM 2.5 with Configuration Manager Integration topology This topic describes the recommended architecture for deploying Microsoft BitLocker Administration and Monitoring (MBAM) with the Configuration Manager Integration topology. This topology integrates MBAM with System Center Configuration Manager. To deploy MBAM with the Stand-alone topology, see [High-Level Architecture of MBAM 2.5 with Stand-alone Topology](high-level-architecture-of-mbam-25-with-stand-alone-topology.md). @@ -54,7 +54,7 @@ The recommended number of servers and supported number of clients in a productio -## Differences between Configuration Manager Integration and Stand-alone topologies +## Differences between Configuration Manager Integration and stand-alone topologies The main differences between the topologies are: @@ -70,15 +70,15 @@ The following diagram and table describe the recommended high-level architecture  -### Database Server +### Database server -#### Recovery Database +#### Recovery database This feature is configured on a computer running Windows Server and supported SQL Server instance. The **Recovery Database** stores recovery data that is collected from MBAM Client computers. -#### Audit Database +#### Audit database This feature is configured on a computer running Windows Server and supported SQL Server instance. @@ -90,7 +90,7 @@ This feature is configured on a computer running Windows Server and supported SQ The **Reports** provide recovery audit data for the client computers in your enterprise. You can view reports from the Configuration Manager console or directly from SQL Server Reporting Services. -### Configuration Manager Primary Site Server +### Configuration Manager primary site server System Center Configuration Manager Integration feature @@ -102,19 +102,19 @@ System Center Configuration Manager Integration feature - The **Configuration Manager console** must be installed on the same computer on which you install the MBAM Server software. -### Administration and Monitoring Server +### Administration and monitoring server -#### Administration and Monitoring Website +#### Administration and monitoring website This feature is configured on a computer running Windows Server. -The **Administration and Monitoring Website** is used to: +The **Administration and monitoring website** is used to: - Help end users regain access to their computers when they are locked out. (This area of the Website is commonly called the Help Desk.) - View the Recovery Audit Report, which shows recovery activity for client computers. Other reports are viewed from the Configuration Manager console. -#### Self-Service Portal +#### Self-service portal This feature is configured on a computer running Windows Server. @@ -126,21 +126,19 @@ This feature is installed on a computer running Windows Server. The **monitoring web services** are used by the MBAM Client and the websites to communicate to the database. -**Important** -The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM Client and the websites communicate directly with the Recovery Database. +**Important**
The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM websites communicate directly with the Recovery Database. -### Management Workstation +### Management workstation -#### MBAM Group Policy Templates +#### MBAM group policy templates - The **MBAM Group Policy Templates** are Group Policy settings that define implementation settings for MBAM, which enable you to manage BitLocker drive encryption. - Before you run MBAM, you must download the Group Policy Templates from [How to Get MDOP Group Policy (.admx) Templates](https://go.microsoft.com/fwlink/p/?LinkId=393941) and copy them to a server or workstation that is running a supported Windows Server or Windows operating system. - **Note** - The workstation does not have to be a dedicated computer. + **NOTE**
The workstation does not have to be a dedicated computer. diff --git a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md index c494392cfe..1287ee6b02 100644 --- a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md +++ b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md @@ -109,7 +109,7 @@ This feature is configured on a computer running Windows Server. The **monitoring web services** are used by the MBAM Client and the websites to communicate to the database. **Important** -The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM Client and the websites communicate directly with the Recovery Database. +The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM websites communicate directly with the Recovery Database. diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index f29b02af29..6d8716a698 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -8,7 +8,7 @@ ms.pagetype: mobile ms.author: elizapo author: lizap ms.localizationpriority: medium -ms.date: 07/10/2018 +ms.date: 08/23/2018 --- # Understand the different apps included in Windows 10 @@ -20,7 +20,7 @@ The following types of apps run on Windows 10: Digging into the Windows apps, there are two categories: - System apps - Apps that are installed in the c:\Windows\* directory. These apps are integral to the OS. - Apps - All other apps, installed in c:\Program Files\WindowsApps. There are two classes of apps: - - Provisioned: Installed the first time you sign into Windows. You'll see a tile or Start menu item for these apps, but they aren't installed until the first sign-in. + - Provisioned: Installed in user account the first time you sign in with a new user account. - Installed: Installed as part of the OS. The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1607, 1703, and 1709, and indicate whether an app can be uninstalled through the UI. @@ -30,7 +30,7 @@ Some of the apps show up in multiple tables - that's because their status change > [!TIP] > Want to see a list of the apps installed on your specific image? You can run the following PowerShell cmdlet: > ```powershell -> Get-AppxPackage |Select Name,PackageFamilyName +> Get-AppxPackage | select Name,PackageFamilyName > Get-AppxProvisionedPackage -Online | select DisplayName,PackageName > ``` @@ -38,66 +38,116 @@ Some of the apps show up in multiple tables - that's because their status change System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1703, 1709, and 1803. -| Name | Full name |1703 | 1709 | 1803 |Uninstall through UI? | -|------------------|-------------------------------------------|:------:|:------:|:------:|-------------------------------------------------------| -| Cortana UI | CortanaListenUIApp | x | | |No | -| | Desktop Learning | x | | |No | -| | DesktopView | x | | |No | -| | EnvironmentsApp | x | | |No | -| Mixed Reality + | HoloCamera | x | | |No | -| Mixed Reality + | HoloItemPlayerApp | x | | |No | -| Mixed Reality + | HoloShell | x | | |No | -| | InputApp | | x | x |No | -| | Microsoft.AAD.Broker.Plugin | x | x | x |No | -| | Microsoft.AccountsControl | x | x | x |No | -| Hello setup UI | Microsoft.BioEnrollment | x | x | x |No | -| | Microsoft.CredDialogHost | x | x | x |No | -| | Microsoft.ECApp | | x | x |No | -| | Microsoft.LockApp | x | x | x |No | -| Microsoft Edge | Microsoft.Microsoft.Edge | x | x | x |No | -| | Microsoft.PPIProjection | x | x | x |No | -| | Microsoft.Windows. Apprep.ChxApp | x | x | x |No | -| | Microsoft.Windows. AssignedAccessLockApp | x | x | x |No | -| | Microsoft.Windows. CloudExperienceHost | x | x | x |No | -| | Microsoft.Windows. ContentDeliveryManager | x | x | x |No | -| Cortana | Microsoft.Windows.Cortana | x | x | x |No | -| | Microsoft.Windows. Holographic.FirstRun | x | x | x |No | -| | Microsoft.Windows. ModalSharePickerHost | x | | |No | -| | Microsoft.Windows. OOBENetworkCaptivePort | x | x | x |No | -| | Microsoft.Windows. OOBENetworkConnectionFlow | x | x | x |No | -| | Microsoft.Windows. ParentalControls | x | x | x |No | -| People Hub | Microsoft.Windows. PeopleExperienceHost | | x | x |No | -| | Microsoft.Windows. PinningConfirmationDialog | | x | x |No | -| | Microsoft.Windows. SecHealthUI | x | x | x |No | -| | Microsoft.Windows. SecondaryTileExperience | x | x | |No | -| | Microsoft.Windows. SecureAssessmentBrowser | x | x | x |No | -| Start | Microsoft.Windows. ShellExperienceHost | x | x | x |No | -| Windows Feedback | Microsoft.WindowsFeedback | * | * | |No | -| | Microsoft.XboxGameCallableUI | x | x | x |No | -| Contact Support* | Windows.ContactSupport | x | * | |Through the Optional Features app | -| Settings | Windows.ImmersiveControlPanel | x | x | |No | -| Connect | Windows.MiracastView | x | | |No | -| Print 3D | Windows.Print3D | | x | |Yes | -| Print UI | Windows.PrintDialog | x | x | x |No | -| Purchase UI | Windows.PurchaseDialog | | | x |No | -| | Microsoft.AsyncTextService | | | x |No | -| | Microsoft.MicrosoftEdgeDevToolsClient | | | x |No | -| | Microsoft.Win32WebViewHost | | | x |No | -| | Microsoft.Windows.CapturePicker | | | x |No | -| | Windows.CBSPreview | | | x |No | -|File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x |No | -|File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | | x |No | -|App Resolver | E2A4F912-2574-4A75-9BB0-0D023378592B | | | x |No | -|Add Suggested folder Dialog box| F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE|| | x |No | +| Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? | +|------------------|--------------------------------------------|:----:|:----:|:----:|:----------------------------------:| +| Cortana UI | CortanaListenUIApp | x | | |No | +| | Desktop Learning | x | | |No | +| | DesktopView | x | | |No | +| | EnvironmentsApp | x | | |No | +| Mixed Reality + | HoloCamera | x | | |No | +| Mixed Reality + | HoloItemPlayerApp | x | | |No | +| Mixed Reality + | HoloShell | x | | |No | +| | InputApp | | x | x |No | +| | Microsoft.AAD.BrokerPlugin | x | x | x |No | +| | Microsoft.AccountsControl | x | x | x |No | +| Hello setup UI | Microsoft.BioEnrollment | x | x | x |No | +| | Microsoft.CredDialogHost | x | x | x |No | +| | Microsoft.ECApp | | x | x |No | +| | Microsoft.LockApp | x | x | x |No | +| Microsoft Edge | Microsoft.MicrosoftEdge | x | x | x |No | +| | Microsoft.PPIProjection | x | x | x |No | +| | Microsoft.Windows.Apprep.ChxApp | x | x | x |No | +| | Microsoft.Windows.AssignedAccessLockApp | x | x | x |No | +| | Microsoft.Windows.CloudExperienceHost | x | x | x |No | +| | Microsoft.Windows.ContentDeliveryManager | x | x | x |No | +| Cortana | Microsoft.Windows.Cortana | x | x | x |No | +| | Microsoft.Windows.Holographic.FirstRun | x | x | x |No | +| | Microsoft.Windows.ModalSharePickerHost | x | | |No | +| | Microsoft.Windows.OOBENetworkCaptivePort | x | x | x |No | +| | Microsoft.Windows.OOBENetworkConnectionFlow| x | x | x |No | +| | Microsoft.Windows.ParentalControls | x | x | x |No | +| People Hub | Microsoft.Windows.PeopleExperienceHost | | x | x |No | +| | Microsoft.Windows.PinningConfirmationDialog| | x | x |No | +| | Microsoft.Windows.SecHealthUI | x | x | x |No | +| | Microsoft.Windows.SecondaryTileExperience | x | x | |No | +| | Microsoft.Windows.SecureAssessmentBrowser | x | x | x |No | +| Start | Microsoft.Windows.ShellExperienceHost | x | x | x |No | +| Windows Feedback | Microsoft.WindowsFeedback | * | * | |No | +| | Microsoft.XboxGameCallableUI | x | x | x |No | +| Contact Support\* | Windows.ContactSupport | x | * | |via Optional Features app | +| Settings | Windows.ImmersiveControlPanel | x | x | |No | +| Connect | Windows.MiracastView | x | | |No | +| Print 3D | Windows.Print3D | | x | |Yes | +| Print UI | Windows.PrintDialog | x | x | x |No | +| Purchase UI | Windows.PurchaseDialog | | | x |No | +| | Microsoft.AsyncTextService | | | x |No | +| | Microsoft.MicrosoftEdgeDevToolsClient | | | x |No | +| | Microsoft.Win32WebViewHost | | | x |No | +| | Microsoft.Windows.CapturePicker | | | x |No | +| | Windows.CBSPreview | | | x |No | +|File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x |No | +|File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | | x |No | +|App Resolver | E2A4F912-2574-4A75-9BB0-0D023378592B | | | x |No | +|Add Suggested folder Dialog box| F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE|| | x |No | + +>[!NOTE] +>\* The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support). + +## Provisioned Windows apps + +Here are the typical provisioned Windows apps in Windows 10 versions 1703, 1709, and 1803. + +| App Name (Canonical) | Display Name | 1703 | 1709 | 1803 | Uninstall via UI? | +|--------------------------------|------------------------|:-----:|:----:|:----:|:-----------------:| +| 3D Builder | [Microsoft.3DBuilder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | x | | | Yes | +| App Installer | [Microsoft.DesktopAppInstaller](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | Via Settings App | +| Feedback Hub | [Microsoft.WindowsFeedbackHub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | Yes | +| Get Help | [Microsoft.GetHelp](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | | x | x | No | +| Get Office | [Microsoft.MicrosoftOfficeHub](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | Yes | +| Groove Music | [Microsoft.ZuneMusic](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | No | +| Mail and Calendar | [Microsoft.windowscommunicationsapps](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | No | +| Microsoft Messaging | [Microsoft.Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | No | +| Microsoft People | [Microsoft.People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | No | +| Microsoft Photos | [Microsoft.Windows.Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | No | +| Microsoft Solitaire Collection | [Microsoft.MicrosoftSolitaireCollection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | Yes | +| Microsoft Sticky Notes | [Microsoft.MicrosoftStickyNotes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | No | +| Microsoft Tips | [Microsoft.Getstarted](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | Yes | +| Mixed Reality Viewer | [Microsoft.Microsoft3DViewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | No | +| Movies & TV | [Microsoft.ZuneVideo](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | No | +| MSN Weather (BingWeather | [Microsoft.BingWeather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | Yes | +| One Note | [Microsoft.Office.OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | Yes | +| Paid Wi-Fi & Cellular | [Microsoft.OneConnect](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | Yes | +| Paint 3D | [Microsoft.MSPaint](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | No | +| Print 3D | [Microsoft.Print3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | | x | x | No | +| Skype | [Microsoft.SkypeApp](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | Yes | +| Store Purchase App\* | App not available in store | x | x | x | No | +| Wallet | App not available in store | x | x | x | No | +| Web Media Extensions | [Microsoft.WebMediaExtensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | | | x | No | +| Windows Alarms & Clock | [Microsoft.WindowsAlarms](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | No | +| Windows Calculator | [Microsoft.WindowsCalculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | No | +| Windows Camera | [Microsoft.WindowsCamera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | No | +| Windows Maps | [Microsoft.WindowsMaps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | No | +| Windows Store | [Microsoft.WindowsStore](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | No | +| Windows Voice Recorder | [Microsoft.SoundRecorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | No | +| Xbox | [Microsoft.XboxApp](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | No | +| Xbox Game Bar | [Microsoft.XboxGameOverlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | No | +| Xbox Gaming Overlay | [Microsoft.XboxGamingOverlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | | | x | No | +| Xbox Identity Provider | [Microsoft.XboxIdentityProvider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | No | +| Xbox Speech to Text Overlay | App not available in store | x | x | x | No | +| Xbox TCUI | [Microsoft.Xbox.TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | | x | x | No | + +>[!NOTE] +>\* The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. + + -> [!NOTE] -> - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support). ## Installed Windows apps + Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, and 1803. -| Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? | -|--------------------|------------------------------------------|:----:|:----:|:----:|----------------------| +| Name | DisplayName | 1703 | 1709 | 1803 |Uninstall through UI? | +|--------------------|------------------------------------------|:----:|:----:|:----:|:----------------------:| | Remote Desktop | Microsoft.RemoteDesktop | x | x | | Yes | | PowerBI | Microsoft.Microsoft PowerBIforWindows | x | | | Yes | | Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | x | Yes | @@ -106,7 +156,7 @@ Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, a | Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | x | Yes | | Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | x | Yes | | Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes | -| News | Microsoft.BingNews | x | x | x | Yes | +| News | Microsoft.BingNews | x | x | x | Yes | | Flipboard | | | | | Yes | | | Microsoft.Advertising.Xaml | x | x | x | Yes | | | Microsoft.NET.Native.Framework.1.2 | x | x | x | Yes | @@ -126,52 +176,4 @@ Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, a | | Microsoft.VCLibs.120.00.Universal | | x | | Yes | | | Microsoft.VCLibs.140.00.UWPDesktop | | | x | Yes | | | Microsoft.WinJS.2.0 | x | | | Yes | - -## Provisioned Windows apps - -Here are the typical provisioned Windows apps in Windows 10 versions 1703, 1709, and 1803. - -| Name | Full name | 1703 | 1709 | 1803 | Uninstall through UI? | -|---------------------------------|----------------------------------------|:------:|:------:|:------:|---------------------------| -| 3D Builder | Microsoft.3DBuilder | x | | | Yes | -| Alarms & Clock | Microsoft.WindowsAlarms | x | x | x | No | -| App Installer | Microsoft.DesktopAppInstaller | x | x | x | Via Settings App | -| Calculator | Microsoft.WindowsCalculator | x | x | x | No | -| Camera | Microsoft.WindowsCamera | x | x | x | No | -| Feedback Hub | Microsoft.WindowsFeedbackHub | x | x | x | Yes | -| Get Help | Microsoft.GetHelp | | x | x | No | -| Get Office/My Office | Microsoft.Microsoft OfficeHub | x | x | x | Yes | -| Get Skype/Skype (preview)/Skype | Microsoft.SkypeApp | x | x | x | Yes | -| Get Started/Tips | Microsoft.Getstarted | x | x | x | Yes | -| Groove | Microsoft.ZuneMusic | x | x | x | No | -| Mail and Calendar | Microsoft.windows communicationsapps | x | x | x | No | -| Maps | Microsoft.WindowsMaps | x | x | x | No | -| Messaging | Microsoft.Messaging | x | x | x | No | -| Microsoft 3D Viewer | Microsoft.Microsoft3DViewer | x | x | x | No | -| Movies & TV | Microsoft.ZuneVideo | x | x | x | No | -| OneNote | Microsoft.Office.OneNote | x | x | x | Yes | -| Paid Wi-FI | Microsoft.OneConnect | x | x | x | Yes | -| Paint 3D | Microsoft.MSPaint | x | x | x | No | -| People | Microsoft.People | x | x | x | No | -| Photos | Microsoft.Windows.Photos | x | x | x | No | -| Print 3D | Microsoft.Print3D | | x | x | No | -| Solitaire | Microsoft.Microsoft SolitaireCollection| x | x | x | Yes | -| Sticky Notes | Microsoft.MicrosoftStickyNotes | x | x | x | No | -| Store | Microsoft.WindowsStore | x | x | x | No | -| Sway | Microsoft.Office.Sway | * | x | x | Yes | -| Voice Recorder | Microsoft.SoundRecorder | x | x | x | No | -| Wallet | Microsoft.Wallet | x | x | x | No | -| Weather | Microsoft.BingWeather | x | x | x | Yes | -| Xbox | Microsoft.XboxApp | x | x | x | No | -| | Microsoft.OneConnect | x | x | x | No | -| | Microsoft.DesktopAppInstaller | | | x | No | -| | Microsoft.StorePurchaseApp | x | x | x | No | -| | Microsoft.WebMediaExtensions | | | x | No | -| | Microsoft.Xbox.TCUI | | x | x | No | -| | Microsoft.XboxGameOverlay | x | x | x | No | -| | Microsoft.XboxGamingOverlay | | | x | No | -| | Microsoft.XboxIdentityProvider | x | x | x | No | -| | Microsoft.XboxSpeech ToTextOverlay | x | x | x | No | - ->[!NOTE] ->The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. \ No newline at end of file +--- diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md index cd0dce59af..a147f74977 100644 --- a/windows/application-management/msix-app-packaging-tool.md +++ b/windows/application-management/msix-app-packaging-tool.md @@ -23,14 +23,19 @@ The MSIX Packaging Tool (Preview) is now available to install from the Microsoft - A valid MSA alias (to access the app from the Store) ## What's new -v1.2018.808.0 +v1.2018.821.0 +- Command Line Support +- Ability to use existing local virtual machines for packaging environment. +- Ability to cross check publisher information in the manifest with a signing certificate to avoid signing issues. +- Minor updates to the UI for added clarity. + +v1.2018.807.0 - Ability to add/edit/remove file and registry exclusion items is now supported in Settings menu. -- Fixed an issue where signing in with password protected certificates would fail in the tool. +- Fixed an issue where signing with password protected certificates would fail in the tool. - Fixed an issue where the tool was crashing when editing an existing MSIX package. - Fixed an issue where the tool was injecting whitespaces programmatically to install location paths that was causing conversion failures. - Minor UI tweaks to add clarity. -- Minor updates to the logs for added clarity. - +- Minor updates to the logs to add clarity. ## Installing the MSIX Packaging Tool @@ -45,12 +50,169 @@ This is an early preview build and not all features are supported. Here is what - Create a modification package for a newly created Application MSIX Package by launching the tool and selecting the **Modification package** icon. - Open your MSIX package to view and edit its content/properties by navigating to the **Open package editor** tab. Browse to the MSIX package and select **Open package**. -Features not supported in the tool are currently greyed out. Here are some of the highlighted missing features: +## Creating an application package using the Command line interface +To create a new MSIX package for your application, run the MsixPackagingTool.exe create-package command in a Command prompt window. -- Package Support Framework integration. For more detail on how you can use Package Support Framework today, check out the article posted on the [MSIX blog](https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMSIX-Blog%2FMSIX-Package-Support-Framework-is-now-available-on-GitHub%2Fba-p%2F214548&data=02%7C01%7Cpezan%40microsoft.com%7Cbe2761c174cd465136ce08d5f1252d8a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636680064344941094&sdata=uW3oOOEYQxd0iVgsJkZXZTQwlvf%2FimVCaOdFUXcRoeY%3D&reserved=0). -- Packaging on existing virtual machines. You can still install the Tool on a fresh VM, but the tool cannot currently spawn off a conversion from a local machine to an existing VM. -- Command Line Interface support -- Conversion of App-V 4.x packages +Here are the parameters that can be passed as command line arguments: + + +|Parameter |Description | +|---------|---------| +|-?
--help | Show help information | +|--template | [required] path to the conversion template XML file containing package information and settings for this conversion | +|--virtualMachinePassword | [optional] The password for the Virtual Machine to be used for the conversion environment. Notes: The template file must contain a VirtualMachine element and the Settings::AllowPromptForPassword attribute must not be set to true. | + +Examples: + +- MsixPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml +- MSIXPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml --virtualMachinePassword pswd112893 + +## Conversion template file + + +```xml +
Added new settings in Windows 10, next major version.
Added new settings in Windows 10, next major version.
+Added new CSP in Windows 10, next major version.
+Added FinalStatus setting in Windows 10, next major version.
+Added FinalStatus setting in Windows 10, next major version.
+Added new settings in Windows 10, next major version.
+Added new CSP in Windows 10, next major version.
+Added new settings in Windows 10, next major version.
Start/DisableContextMenus - added in Windows 10, version 1803.
+RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.
diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index 1a415c4fc3..61b8062660 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md @@ -6,13 +6,16 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 04/25/2018 +ms.date: 08/15/2018 --- # Office CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-add-office365). + This CSP was added in Windows 10, version 1703. For additional information, see [Office DDF](office-ddf.md). @@ -21,39 +24,44 @@ The following diagram shows the Office configuration service provider in tree fo  -**Office** - -The root node for the Office configuration service provider.
+**./Device/Vendor/MSFT/Office/ or ./User/Vendor/MSFT/Office** +The root node for the Office configuration service provider. **Installation** +Specifies the options for the Microsoft Office installation. -Specifies the options for the Microsoft Office installation. +The supported operations are Add, Delete, Get, and Replace. -
The supported operations are Add, Delete, Get, and Replace. +**Installation/_id_** +Specifies a unique identifier that represents the ID of the Microsoft Office product to install. -**id** +The supported operations are Add, Delete, Get, and Replace. -
Specifies a unique identifier that represents the ID of the Microsoft Office product to install. +**Installation/_id_/Install** +Installs Office by using the XML data specified in the configuration.xml file. -
The supported operations are Add, Delete, Get, and Replace. +The supported operations are Get and Execute. -**Install** +**Installation/_id_/Status** +The Microsoft Office installation status. -
Installs Office by using the XML data specified in the configuration.xml file. +The only supported operation is Get. -
The supported operations are Get and Execute. +**Installation/_id_/FinalStatus** +Added in Windows 10, next major version. Indicates the status of the Final Office 365 installation. -**Status** +The only supported operation is Get. -
The Microsoft Office installation status. +Behavior: +- When Office CSP is triggered to install, it will first check if the FinalStatus node exists or not. If the node exists, delete it. +- When Office installation reaches any terminal states (either success or failure), this node is created that contains the following values: + - When status = 0: 70 (succeeded) + - When status != 0: 60 (failed) -
The only supported operation is Get. +**Installation/CurrentStatus** +Returns an XML of current Office 365 installation status on the device. -**CurrentStatus** - -
Returns an XML of current Office 365 installation status on the device. - -
The only supported operation is Get.
+The only supported operation is Get.
## Examples
diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md
index 99b5afb5b6..22e2ece540 100644
--- a/windows/client-management/mdm/office-ddf.md
+++ b/windows/client-management/mdm/office-ddf.md
@@ -7,17 +7,19 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
-ms.date: 12/05/2017
+ms.date: 08/15/2018
---
# Office DDF
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **Office** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is for Windows 10, version 1709.
+The XML below is for Windows 10, next major version.
``` syntax
@@ -33,7 +35,7 @@ The XML below is for Windows 10, version 1709.
Supported operations are Add and Get. Does not support Delete. -> [!Note] -> The policies supported in Windows 10 S are the same as those supported in Windows 10 Pro with the exception of the policies under ApplicationDefaults. The ApplicationDefaults policies are not supported in Windows 10 S. ## Policies @@ -561,9 +559,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- Set the **Unlock Home Button** policy to 1 (enabled).
- Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.
- Set the **Unlock Home Button** policy to 0 (disabled).
- Set **UnlockHomeButton** to 1 (enabled).
- Make changes to **ConfigureHomeButton** or **SetHomeButtonURL** policy.
- Set **UnlockHomeButton** 0 (disabled).
-When you enable this policy and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy. +**Next major version**:
+When you enable this policy and select an option, and also enter the URLs of the pages you want in HomePages, Microsoft Edge ignores HomePages. @@ -2332,14 +2349,14 @@ ADMX Info: Supported values: -- Blank - If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. +- Blank - If you don't configure this policy and you set DisableLockdownOfStartPages to 1 (enabled), users can change or customize the Start page. - 0 - Load the Start page. - 1 - Load the New tab page. - 2 - Load the previous pages. - 3 (default) - Load a specific page or pages. >[!TIP] ->If you want to make changes to this policy:
- Set the Disabled Lockdown of Start Pages policy to 0 (not configured).
- Make changes to the Configure Open Microsoft With policy.
- Set the Disabled Lockdown of Start Pages policy to 1 (enabled).
- Set DisableLockdownOfStartPages to 0 (not configured).
- Make changes to ConfigureOpenEdgeWith.
- Set DisableLockdownOfStartPages to 1 (enabled).
When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. +- 0 – Lock down Start pages configured in either the ConfigureOpenEdgeWith policy and HomePages policy. +- 1 (default) – Unlocked. Users can make changes to all configured start pages.
When you enable this policy and define a set of URLs in the HomePages policy, Microsoft Edge uses the URLs defined in the ConfigureOpenEdgeWith policy. Most restricted value: 0 @@ -2547,8 +2564,8 @@ ADMX Info: Supported values: -- 0 (default) - Gather and send only basic diagnotic data, depending on the device configuration. -- 1 - Gather both basic and additional data, such as usage data. +- 0 (default) - Gather and send only basic diagnostic data, depending on the device configuration. +- 1 - Gather all diagnostic data. Most restricted value: 0 @@ -2601,7 +2618,6 @@ Most restricted value: 0 - ADMX Info: @@ -2616,7 +2632,8 @@ ADMX Info: Supported values: - 0 (default) - Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. -- Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box. +- Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box.
For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp). + @@ -2661,7 +2678,7 @@ Supported values: > [!IMPORTANT] -> We discontinued this policy in Windows 10, version 1511. Use the [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) policy instead. +> Discontinued in Windows 10, version 1511. Use the [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) policy instead. @@ -2710,73 +2727,11 @@ Supported values: Enter a URL in string format for the site you want to load when Microsoft Edge for Windows 10 Mobile opens for the first time, for example, contoso.com. -Data type = String -
- -**Browser/ForceEnabledExtensions** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
 |
-  5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -This setting lets you decide which extensions should be always enabled. - - - -ADMX Info: -- GP name: *ForceEnabledExtensions* -- GP element: *ForceEnabledExtensions_List* -- GP ADMX file name: *MicrosoftEdge.admx* - - - - - - - - - - - - - -
- **Browser/HomePages** @@ -2955,7 +2910,7 @@ Most restricted value: 1 -[!INCLUDE [prevent-changes-to-favorites-shortdesc](../../../browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md)] +[!INCLUDE [prevent-access-to-about-flags-page-shortdesc](../../../browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md)] @@ -2970,7 +2925,7 @@ ADMX Info: Supported values: - 0 (default) – Allowed. -- 1 – Prevented/not allowed. Users cannot access the about:flags page. +- 1 – Prevents users from accessing the about:flags page. Most restricted value: 1 @@ -3099,7 +3054,7 @@ ADMX Info: Supported values: -- 0 (default) – Allowed. Microsoft Edge loads the First Run webpage. +- 0 (default) – Allowed. Load the First Run webpage. - 1 – Prevented/not allowed. Most restricted value: 1 @@ -3145,7 +3100,7 @@ Most restricted value: 1 ->*Supported versions: Microsoft Edge on Windows 10, version 1703* +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* [!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../../../browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md)] @@ -3161,7 +3116,7 @@ ADMX Info: Supported values: -- 0 (default) – Collect and send Live Tile metadata to Microsoft. +- 0 (default) – Collect and send Live Tile metadata. - 1 – No data collected. Most restricted value: 1 @@ -3291,6 +3246,73 @@ Most restricted value: 1
+ +**Browser/PreventTurningOffRequiredExtensions** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +[!INCLUDE [prevent-turning-off-required-extensions-shortdesc](../../../browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Prevent turning off required extensions* +- GP name: *PreventTurningOffRequiredExtensions* +- GP element: *PreventTurningOffRequiredExtensions_Prompt* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- Blank (default) - Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored. + +- String - Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper and Office Online extension prevents users from turning it off:
_Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe_
After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.
Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. + + + + + + + + + + +
+ **Browser/PreventUsingLocalHostIPAddressForWebRTC** @@ -3391,9 +3413,9 @@ Most restricted value: 1 ->*Supported versions: Microsoft Edge on Windows 10, version 1709* +>*Supported versions: Microsoft Edge on Windows 10, version 1709 or later* -[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../../../browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] +[!INCLUDE [provision-favorites-shortdesc](../../../browsers/edge/shortdesc/provision-favorites-shortdesc.md)] Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off. @@ -3401,14 +3423,14 @@ Define a default list of favorites in Microsoft Edge. In this case, the Save a F To define a default list of favorites: 1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**. 2. Click **Import from another browser**, click **Export to file** and save the file. -3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision.
Specify the URL as:
- HTTP location: "SiteList"="http://localhost:8080/URLs.html"
- Local network: "SiteList"="\\network\\shares\\URLs.html"
- Local file: "SiteList"="file:///c:\\Users\\
Specify the URL as:
- HTTP location: "SiteList"=http://localhost:8080/URLs.html
- Local network: "SiteList"="\network\shares\URLs.html"
- Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
@@ -3481,9 +3504,10 @@ ADMX Info: Supported values: - 0 (default) - All sites, including intranet sites, open in Microsoft Edge automatically. -- 1 - Only intranet sites open in Internet Explorer 11 automatically. Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser. +- 1 - Only intranet sites open in Internet Explorer 11 automatically.
Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.
- In Group Policy Editor, navigate to:
**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** and click **Enable**. - Refresh the policy and then view the affected sites in Microsoft Edge.
A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.
Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.
If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**.
If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. @@ -3798,7 +3822,7 @@ Most restricted value: 0 ->*Supported versions: Microsoft Edge on Windows 10, version 1703* +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../../../browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] @@ -3890,7 +3914,7 @@ ADMX Info: Supported values: -- 0 (default) - Lock down the home button to prevent users from making changes to the settings. +- 0 (default) - Lock down and prevent users from making changes to the settings. - 1 - Let users make changes. @@ -3957,7 +3981,7 @@ ADMX Info: Supported values: - 0 - Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. -- 1 - Allowed. Microsoft Edge downloads book files into a shared folder. +- 1 - Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account. Most restricted value: 0 diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 96f63a2056..c3369e756d 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1437,7 +1437,7 @@ The following list shows the supported values: [!INCLUDE [do-not-sync-browser-settings-shortdesc](../../../browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md)] Related policy: - PreventUsersFromTurningOnBrowserSyncing + [PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) @@ -1454,7 +1454,25 @@ Supported values: - 0 (default) - Allowed/turned on. The "browser" group syncs automatically between user’s devices and lets users to make changes. - 2 - Prevented/turned off. The "browser" group does not use the _Sync your Settings_ option. -Value type is integer. + +_**Sync the browser settings automatically**_ + + Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). + +_**Prevent syncing of browser settings and prevent users from turning it on**_ + +1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). +2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off). + +_**Prevent syncing of browser settings and let users turn on syncing**_ + +1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). +2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). + +_**Turn syncing off by default but don’t disable**_ + + Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off) and select the _Allow users to turn “browser” syncing_ option. + @@ -1505,24 +1523,14 @@ Value type is integer. [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../../../browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] Related policy: - DoNotSyncBrowserSettings - - -If you want to prevent syncing of browser settings and prevent users from turning it on: -1. Set Experience/DoNotSyncBrowserSettings to 2 (enabled). -1. Set this policy (Experience/PreventUsersFromTurningOnBrowserSyncing) to 1 (enabled or not configured). - -If you want to prevent syncing of browser settings but give users a choice to turn on syncing: -1. Set Experience/DoNotSyncBrowserSettings to 2 (enabled). -1. Set this policy (Experience/PreventUsersFromTurningOnBrowserSyncing) to 0 (disabled). + [DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) ADMX Info: -- GP English name: *Do not sync browser settings* -- GP name: *DisableWebBrowserSettingSync* -- GP element: *CheckBox_UserOverride* +- GP English name: *Prevent users from turning on browser syncing* +- GP name: *PreventUsersFromTurningOnBrowserSyncing* - GP path: *Windows Components/Sync your settings* - GP ADMX file name: *SettingSync.admx* @@ -1533,17 +1541,30 @@ Supported values: - 0 - Allowed/turned on. Users can sync the browser settings. - 1 (default) - Prevented/turned off. -Value type is integer. + +_**Sync the browser settings automatically**_ + + Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). + +_**Prevent syncing of browser settings and prevent users from turning it on**_ + +1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). +2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off). + +_**Prevent syncing of browser settings and let users turn on syncing**_ + +1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). +2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). + -**Validation procedure:** +Validation procedure: -Microsoft Edge on your PC: 1. Select **More > Settings**. -1. See if the setting is enabled or disabled based on your setting. +1. See if the setting is enabled or disabled based on your selection. diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 2c1b567f4b..846fbce380 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -1,366 +1,426 @@ ---- -title: Policy CSP - Kerberos -description: Policy CSP - Kerberos -ms.author: maricia -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: MariciaAlforque -ms.date: 03/12/2018 ---- - -# Policy CSP - Kerberos - - - -
- - -## Kerberos policies - -
-
-
- - Kerberos/AllowForestSearchOrder - -
- - Kerberos/KerberosClientSupportsClaimsCompoundArmor - -
- - Kerberos/RequireKerberosArmoring - -
- - Kerberos/RequireStrictKDCValidation - -
- - Kerberos/SetMaximumContextTokenSize - -
- - -**Kerberos/AllowForestSearchOrder** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). - -If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain. - -If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Use forest search order* -- GP name: *ForestSearch* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -
- - -**Kerberos/KerberosClientSupportsClaimsCompoundArmor** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. -If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. - -If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring* -- GP name: *EnableCbacAndArmor* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -
- - -**Kerberos/RequireKerberosArmoring** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. - -Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. - -If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. - -Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. - -If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Fail authentication requests when Kerberos armoring is not available* -- GP name: *ClientRequireFast* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -
- - -**Kerberos/RequireStrictKDCValidation** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon. - -If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. - -If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Require strict KDC validation* -- GP name: *ValidateKDC* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -
- - -**Kerberos/SetMaximumContextTokenSize** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. - -The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. - -If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. - -If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. - -Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set maximum Kerberos SSPI context token buffer size* -- GP name: *MaxTokenSize* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - -
- -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. - - - +--- +title: Policy CSP - Kerberos +description: Policy CSP - Kerberos +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 08/08/2018 +--- + +# Policy CSP - Kerberos + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ + +## Kerberos policies + +
-
+
- + Kerberos/AllowForestSearchOrder + +
- + Kerberos/KerberosClientSupportsClaimsCompoundArmor + +
- + Kerberos/RequireKerberosArmoring + +
- + Kerberos/RequireStrictKDCValidation + +
- + Kerberos/SetMaximumContextTokenSize + +
- + Kerberos/UPNNameHints + +
+ + +**Kerberos/AllowForestSearchOrder** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). + +If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain. + +If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Use forest search order* +- GP name: *ForestSearch* +- GP path: *System/Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + + +
+ + +**Kerberos/KerberosClientSupportsClaimsCompoundArmor** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. +If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. + +If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring* +- GP name: *EnableCbacAndArmor* +- GP path: *System/Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + + +
+ + +**Kerberos/RequireKerberosArmoring** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. + +Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. + +If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. + +Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. + +If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Fail authentication requests when Kerberos armoring is not available* +- GP name: *ClientRequireFast* +- GP path: *System/Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + + +
+ + +**Kerberos/RequireStrictKDCValidation** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon. + +If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. + +If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Require strict KDC validation* +- GP name: *ValidateKDC* +- GP path: *System/Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + + +
+ + +**Kerberos/SetMaximumContextTokenSize** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. + +The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. + +If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. + +If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. + +Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set maximum Kerberos SSPI context token buffer size* +- GP name: *MaxTokenSize* +- GP path: *System/Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + + +
+ + +**Kerberos/UPNNameHints** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +Adds a list of domains that an Azure Active Directory joined device can attempt to contact when it cannot resolve a UPN to a principal. + +Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures. + + + + + + + + + + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 52ede722ea..f45615badd 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -1,4847 +1,4865 @@ ---- -title: Policy CSP - Privacy -description: Policy CSP - Privacy -ms.author: maricia -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: MariciaAlforque -ms.date: 08/08/2018 ---- - -# Policy CSP - Privacy - -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - -
- - -## Privacy policies - -
-
-
- - Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts - -
- - Privacy/AllowCrossDeviceClipboard - -
- - Privacy/AllowInputPersonalization - -
- - Privacy/DisableAdvertisingId - -
- - Privacy/EnableActivityFeed - -
- - Privacy/LetAppsAccessAccountInfo - -
- - Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessCalendar - -
- - Privacy/LetAppsAccessCalendar_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessCalendar_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessCallHistory - -
- - Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessCamera - -
- - Privacy/LetAppsAccessCamera_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessCamera_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessCamera_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessContacts - -
- - Privacy/LetAppsAccessContacts_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessContacts_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessContacts_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessEmail - -
- - Privacy/LetAppsAccessEmail_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessEmail_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessEmail_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessGazeInput - -
- - Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessLocation - -
- - Privacy/LetAppsAccessLocation_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessLocation_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessLocation_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessMessaging - -
- - Privacy/LetAppsAccessMessaging_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessMessaging_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessMicrophone - -
- - Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessMotion - -
- - Privacy/LetAppsAccessMotion_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessMotion_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessMotion_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessNotifications - -
- - Privacy/LetAppsAccessNotifications_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessNotifications_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessPhone - -
- - Privacy/LetAppsAccessPhone_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessPhone_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessPhone_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessRadios - -
- - Privacy/LetAppsAccessRadios_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessRadios_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessRadios_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessTasks - -
- - Privacy/LetAppsAccessTasks_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessTasks_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessTasks_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessTrustedDevices - -
- - Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps - -
- - Privacy/LetAppsGetDiagnosticInfo - -
- - Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps - -
- - Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps - -
- - Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps - -
- - Privacy/LetAppsRunInBackground - -
- - Privacy/LetAppsRunInBackground_ForceAllowTheseApps - -
- - Privacy/LetAppsRunInBackground_ForceDenyTheseApps - -
- - Privacy/LetAppsRunInBackground_UserInControlOfTheseApps - -
- - Privacy/LetAppsSyncWithDevices - -
- - Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps - -
- - Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps - -
- - Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps - -
- - Privacy/PublishUserActivities - -
- - Privacy/UploadUserActivities - -
- - -**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
-
- - - -Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. - -> [!Note] -> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. - - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 (default)– Not allowed. -- 1 – Allowed. - - - - -
- - -**Privacy/AllowCrossDeviceClipboard** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 5 |
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -Added in Windows 10, next major version. Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. - -Most restricted value is 0. - - - -ADMX Info: -- GP English name: *Allow Clipboard synchronization across devices* -- GP name: *AllowCrossDeviceClipboard* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - -The following list shows the supported values: - -0 – Not allowed. -1 (default) – Allowed. - - - - - - - - - - -
- - -**Privacy/AllowInputPersonalization** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -Updated in Windows 10, next major version. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation and to talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users. - -Most restricted value is 0. - - - -ADMX Info: -- GP English name: *Allow input personalization* -- GP name: *AllowInputPersonalization* -- GP path: *Control Panel/Regional and Language Options* -- GP ADMX file name: *Globalization.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Choice deferred to user's preference. - - - - -
- - -**Privacy/DisableAdvertisingId** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Enables or disables the Advertising ID. - -Most restricted value is 0. - - - -ADMX Info: -- GP English name: *Turn off the advertising ID* -- GP name: *DisableAdvertisingId* -- GP path: *System/User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -The following list shows the supported values: - -- 0 – Disabled. -- 1 – Enabled. -- 65535 (default)- Not configured. - - - - -
- - -**Privacy/EnableActivityFeed** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
-
- - - -Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed. - - - -ADMX Info: -- GP English name: *Enables Activity Feed* -- GP name: *EnableActivityFeed* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - -The following list shows the supported values: - -- 0 – Disabled. Apps/OS can't publish the activities and roaming is disabled. (not published to the cloud). -- 1 – (default) Enabled. Apps/OS can publish the activities and will be roamed across device graph. - - - - -
- - -**Privacy/LetAppsAccessAccountInfo** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access account information. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessCalendar** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessCallHistory** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access call history. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessCamera** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessCamera_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessCamera_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessContacts** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessContacts_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessContacts_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessEmail** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access email. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessEmail_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessEmail_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessGazeInput** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 5 |
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -This policy setting specifies whether Windows apps can access the eye tracker. - - - - - - - - - - - - - -
- - -**Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 5 |
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - - - -
- - -**Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 5 |
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - - - -
- - -**Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 5 |
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - - - -
- - -**Privacy/LetAppsAccessLocation** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access location. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessLocation_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessLocation_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessMessaging** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS). - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessMicrophone** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessMotion** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessMotion_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessMotion_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessNotifications** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessPhone** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessPhone_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessPhone_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessRadios** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessRadios_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessRadios_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessTasks** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. - - - -ADMX Info: -- GP English name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessTasks_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessTasks_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessTrustedDevices** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsGetDiagnosticInfo** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsRunInBackground** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. - - -Most restricted value is 2. -> [!WARNING] -> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly. - - - -ADMX Info: -- GP English name: *Let Windows apps run in the background* -- GP name: *LetAppsRunInBackground* -- GP element: *LetAppsRunInBackground_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control (default). -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsRunInBackground_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps run in the background* -- GP name: *LetAppsRunInBackground* -- GP element: *LetAppsRunInBackground_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsRunInBackground_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps run in the background* -- GP name: *LetAppsRunInBackground* -- GP element: *LetAppsRunInBackground_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps run in the background* -- GP name: *LetAppsRunInBackground* -- GP element: *LetAppsRunInBackground_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsSyncWithDevices** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps communicate with unpaired devices* -- GP name: *LetAppsSyncWithDevices* -- GP element: *LetAppsSyncWithDevices_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps communicate with unpaired devices* -- GP name: *LetAppsSyncWithDevices* -- GP element: *LetAppsSyncWithDevices_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps communicate with unpaired devices* -- GP name: *LetAppsSyncWithDevices* -- GP element: *LetAppsSyncWithDevices_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps communicate with unpaired devices* -- GP name: *LetAppsSyncWithDevices* -- GP element: *LetAppsSyncWithDevices_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/PublishUserActivities** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
-
- - - -Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed. - - - -ADMX Info: -- GP English name: *Allow publishing of User Activities* -- GP name: *PublishUserActivities* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - -The following list shows the supported values: - -- 0 – Disabled. Apps/OS can't publish the *user activities*. -- 1 – (default) Enabled. Apps/OS can publish the *user activities*. - - - - -
- - -**Privacy/UploadUserActivities** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 5 |
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -Allows ActivityFeed to upload published 'User Activities'. - - - -ADMX Info: -- GP English name: *Allow upload of User Activities* -- GP name: *UploadUserActivities* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - - - - - - - - - - -
- -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. - - - - +--- +title: Policy CSP - Privacy +description: Policy CSP - Privacy +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 08/14/2018 +--- + +# Policy CSP - Privacy + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ + +## Privacy policies + +
-
+
- + Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts + +
- + Privacy/AllowCrossDeviceClipboard + +
- + Privacy/AllowInputPersonalization + +
- + Privacy/DisableAdvertisingId + +
- + Privacy/DisablePrivacyExperience + +
- + Privacy/EnableActivityFeed + +
- + Privacy/LetAppsAccessAccountInfo + +
- + Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessCalendar + +
- + Privacy/LetAppsAccessCalendar_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessCalendar_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessCallHistory + +
- + Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessCamera + +
- + Privacy/LetAppsAccessCamera_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessCamera_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessCamera_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessContacts + +
- + Privacy/LetAppsAccessContacts_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessContacts_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessContacts_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessEmail + +
- + Privacy/LetAppsAccessEmail_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessEmail_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessEmail_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessGazeInput + +
- + Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessLocation + +
- + Privacy/LetAppsAccessLocation_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessLocation_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessLocation_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessMessaging + +
- + Privacy/LetAppsAccessMessaging_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessMessaging_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessMicrophone + +
- + Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessMotion + +
- + Privacy/LetAppsAccessMotion_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessMotion_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessMotion_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessNotifications + +
- + Privacy/LetAppsAccessNotifications_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessNotifications_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessPhone + +
- + Privacy/LetAppsAccessPhone_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessPhone_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessPhone_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessRadios + +
- + Privacy/LetAppsAccessRadios_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessRadios_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessRadios_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessTasks + +
- + Privacy/LetAppsAccessTasks_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessTasks_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessTasks_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessTrustedDevices + +
- + Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps + +
- + Privacy/LetAppsGetDiagnosticInfo + +
- + Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps + +
- + Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps + +
- + Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps + +
- + Privacy/LetAppsRunInBackground + +
- + Privacy/LetAppsRunInBackground_ForceAllowTheseApps + +
- + Privacy/LetAppsRunInBackground_ForceDenyTheseApps + +
- + Privacy/LetAppsRunInBackground_UserInControlOfTheseApps + +
- + Privacy/LetAppsSyncWithDevices + +
- + Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps + +
- + Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps + +
- + Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps + +
- + Privacy/PublishUserActivities + +
- + Privacy/UploadUserActivities + +
+ + +**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+
+ + + +Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. + +> [!Note] +> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. + + +Most restricted value is 0. + + + +The following list shows the supported values: + +- 0 (default)– Not allowed. +- 1 – Allowed. + + + + +
+ + +**Privacy/AllowCrossDeviceClipboard** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +Added in Windows 10, next major version. Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. + +Most restricted value is 0. + + + +ADMX Info: +- GP English name: *Allow Clipboard synchronization across devices* +- GP name: *AllowCrossDeviceClipboard* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + +The following list shows the supported values: + +0 – Not allowed. +1 (default) – Allowed. + + + + +
+ + +**Privacy/AllowInputPersonalization** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +Updated in Windows 10, next major version. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation and to talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users. + +Most restricted value is 0. + + + +ADMX Info: +- GP English name: *Allow input personalization* +- GP name: *AllowInputPersonalization* +- GP path: *Control Panel/Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Choice deferred to user's preference. + + + + +
+ + +**Privacy/DisableAdvertisingId** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Enables or disables the Advertising ID. + +Most restricted value is 0. + + + +ADMX Info: +- GP English name: *Turn off the advertising ID* +- GP name: *DisableAdvertisingId* +- GP path: *System/User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +The following list shows the supported values: + +- 0 – Disabled. +- 1 – Enabled. +- 65535 (default)- Not configured. + + + + +
+ + +**Privacy/DisablePrivacyExperience** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. + +Value type is integer. +- 0 (default) - Allow the "choose privacy settings for your device" screen for a new user during their first logon or when an existing user logs in for the first time after an upgrade. +- 1 - Do not allow the "choose privacy settings for your device" screen when a new user logs in or an existing user logs in for the first time after an upgrade. + +In some enterprise managed environments, the privacy settings may be set by policies. In these cases, you can use this policy if you do not want to show a screen that would prompt your users to change these privacy settings. + + + +ADMX Info: +- GP English name: *Don't launch privacy settings experience on user logon* +- GP name: *DisablePrivacyExperience* +- GP path: *Windows Components/OOBE* +- GP ADMX file name: *OOBE.admx* + + + + + + + + + + + + + +
+ + +**Privacy/EnableActivityFeed** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+
+ + + +Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed. + + + +ADMX Info: +- GP English name: *Enables Activity Feed* +- GP name: *EnableActivityFeed* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + +The following list shows the supported values: + +- 0 – Disabled. Apps/OS can't publish the activities and roaming is disabled. (not published to the cloud). +- 1 – (default) Enabled. Apps/OS can publish the activities and will be roamed across device graph. + + + + +
+ + +**Privacy/LetAppsAccessAccountInfo** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access account information. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access account information* +- GP name: *LetAppsAccessAccountInfo* +- GP element: *LetAppsAccessAccountInfo_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access account information* +- GP name: *LetAppsAccessAccountInfo* +- GP element: *LetAppsAccessAccountInfo_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access account information* +- GP name: *LetAppsAccessAccountInfo* +- GP element: *LetAppsAccessAccountInfo_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access account information* +- GP name: *LetAppsAccessAccountInfo* +- GP element: *LetAppsAccessAccountInfo_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessCalendar** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access the calendar* +- GP name: *LetAppsAccessCalendar* +- GP element: *LetAppsAccessCalendar_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the calendar* +- GP name: *LetAppsAccessCalendar* +- GP element: *LetAppsAccessCalendar_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the calendar* +- GP name: *LetAppsAccessCalendar* +- GP element: *LetAppsAccessCalendar_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the calendar* +- GP name: *LetAppsAccessCalendar* +- GP element: *LetAppsAccessCalendar_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessCallHistory** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access call history. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access call history* +- GP name: *LetAppsAccessCallHistory* +- GP element: *LetAppsAccessCallHistory_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access call history* +- GP name: *LetAppsAccessCallHistory* +- GP element: *LetAppsAccessCallHistory_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access call history* +- GP name: *LetAppsAccessCallHistory* +- GP element: *LetAppsAccessCallHistory_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access call history* +- GP name: *LetAppsAccessCallHistory* +- GP element: *LetAppsAccessCallHistory_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessCamera** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access the camera* +- GP name: *LetAppsAccessCamera* +- GP element: *LetAppsAccessCamera_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessCamera_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the camera* +- GP name: *LetAppsAccessCamera* +- GP element: *LetAppsAccessCamera_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessCamera_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the camera* +- GP name: *LetAppsAccessCamera* +- GP element: *LetAppsAccessCamera_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the camera* +- GP name: *LetAppsAccessCamera* +- GP element: *LetAppsAccessCamera_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessContacts** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access contacts* +- GP name: *LetAppsAccessContacts* +- GP element: *LetAppsAccessContacts_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessContacts_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access contacts* +- GP name: *LetAppsAccessContacts* +- GP element: *LetAppsAccessContacts_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessContacts_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access contacts* +- GP name: *LetAppsAccessContacts* +- GP element: *LetAppsAccessContacts_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access contacts* +- GP name: *LetAppsAccessContacts* +- GP element: *LetAppsAccessContacts_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessEmail** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access email. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access email* +- GP name: *LetAppsAccessEmail* +- GP element: *LetAppsAccessEmail_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessEmail_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access email* +- GP name: *LetAppsAccessEmail* +- GP element: *LetAppsAccessEmail_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessEmail_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access email* +- GP name: *LetAppsAccessEmail* +- GP element: *LetAppsAccessEmail_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access email* +- GP name: *LetAppsAccessEmail* +- GP element: *LetAppsAccessEmail_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessGazeInput** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +This policy setting specifies whether Windows apps can access the eye tracker. + + + + +
+ + +**Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + + + + +
+ + +**Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + + + + +
+ + +**Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + + + + +
+ + +**Privacy/LetAppsAccessLocation** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access location. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access location* +- GP name: *LetAppsAccessLocation* +- GP element: *LetAppsAccessLocation_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessLocation_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access location* +- GP name: *LetAppsAccessLocation* +- GP element: *LetAppsAccessLocation_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessLocation_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access location* +- GP name: *LetAppsAccessLocation* +- GP element: *LetAppsAccessLocation_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access location* +- GP name: *LetAppsAccessLocation* +- GP element: *LetAppsAccessLocation_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessMessaging** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS). + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access messaging* +- GP name: *LetAppsAccessMessaging* +- GP element: *LetAppsAccessMessaging_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access messaging* +- GP name: *LetAppsAccessMessaging* +- GP element: *LetAppsAccessMessaging_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access messaging* +- GP name: *LetAppsAccessMessaging* +- GP element: *LetAppsAccessMessaging_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access messaging* +- GP name: *LetAppsAccessMessaging* +- GP element: *LetAppsAccessMessaging_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessMicrophone** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access the microphone* +- GP name: *LetAppsAccessMicrophone* +- GP element: *LetAppsAccessMicrophone_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the microphone* +- GP name: *LetAppsAccessMicrophone* +- GP element: *LetAppsAccessMicrophone_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the microphone* +- GP name: *LetAppsAccessMicrophone* +- GP element: *LetAppsAccessMicrophone_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the microphone* +- GP name: *LetAppsAccessMicrophone* +- GP element: *LetAppsAccessMicrophone_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessMotion** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access motion* +- GP name: *LetAppsAccessMotion* +- GP element: *LetAppsAccessMotion_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessMotion_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access motion* +- GP name: *LetAppsAccessMotion* +- GP element: *LetAppsAccessMotion_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessMotion_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access motion* +- GP name: *LetAppsAccessMotion* +- GP element: *LetAppsAccessMotion_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access motion* +- GP name: *LetAppsAccessMotion* +- GP element: *LetAppsAccessMotion_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessNotifications** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access notifications* +- GP name: *LetAppsAccessNotifications* +- GP element: *LetAppsAccessNotifications_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access notifications* +- GP name: *LetAppsAccessNotifications* +- GP element: *LetAppsAccessNotifications_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access notifications* +- GP name: *LetAppsAccessNotifications* +- GP element: *LetAppsAccessNotifications_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access notifications* +- GP name: *LetAppsAccessNotifications* +- GP element: *LetAppsAccessNotifications_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessPhone** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps make phone calls* +- GP name: *LetAppsAccessPhone* +- GP element: *LetAppsAccessPhone_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessPhone_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps make phone calls* +- GP name: *LetAppsAccessPhone* +- GP element: *LetAppsAccessPhone_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessPhone_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps make phone calls* +- GP name: *LetAppsAccessPhone* +- GP element: *LetAppsAccessPhone_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps make phone calls* +- GP name: *LetAppsAccessPhone* +- GP element: *LetAppsAccessPhone_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessRadios** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps control radios* +- GP name: *LetAppsAccessRadios* +- GP element: *LetAppsAccessRadios_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessRadios_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps control radios* +- GP name: *LetAppsAccessRadios* +- GP element: *LetAppsAccessRadios_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessRadios_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps control radios* +- GP name: *LetAppsAccessRadios* +- GP element: *LetAppsAccessRadios_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps control radios* +- GP name: *LetAppsAccessRadios* +- GP element: *LetAppsAccessRadios_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessTasks** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. + + + +ADMX Info: +- GP English name: *Let Windows apps access Tasks* +- GP name: *LetAppsAccessTasks* +- GP element: *LetAppsAccessTasks_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessTasks_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access Tasks* +- GP name: *LetAppsAccessTasks* +- GP element: *LetAppsAccessTasks_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessTasks_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access Tasks* +- GP name: *LetAppsAccessTasks* +- GP element: *LetAppsAccessTasks_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access Tasks* +- GP name: *LetAppsAccessTasks* +- GP element: *LetAppsAccessTasks_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessTrustedDevices** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access trusted devices* +- GP name: *LetAppsAccessTrustedDevices* +- GP element: *LetAppsAccessTrustedDevices_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access trusted devices* +- GP name: *LetAppsAccessTrustedDevices* +- GP element: *LetAppsAccessTrustedDevices_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access trusted devices* +- GP name: *LetAppsAccessTrustedDevices* +- GP element: *LetAppsAccessTrustedDevices_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access trusted devices* +- GP name: *LetAppsAccessTrustedDevices* +- GP element: *LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsGetDiagnosticInfo** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access diagnostic information about other apps* +- GP name: *LetAppsGetDiagnosticInfo* +- GP element: *LetAppsGetDiagnosticInfo_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access diagnostic information about other apps* +- GP name: *LetAppsGetDiagnosticInfo* +- GP element: *LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access diagnostic information about other apps* +- GP name: *LetAppsGetDiagnosticInfo* +- GP element: *LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access diagnostic information about other apps* +- GP name: *LetAppsGetDiagnosticInfo* +- GP element: *LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsRunInBackground** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. + + +Most restricted value is 2. +> [!WARNING] +> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly. + + + +ADMX Info: +- GP English name: *Let Windows apps run in the background* +- GP name: *LetAppsRunInBackground* +- GP element: *LetAppsRunInBackground_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control (default). +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsRunInBackground_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps run in the background* +- GP name: *LetAppsRunInBackground* +- GP element: *LetAppsRunInBackground_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsRunInBackground_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps run in the background* +- GP name: *LetAppsRunInBackground* +- GP element: *LetAppsRunInBackground_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps run in the background* +- GP name: *LetAppsRunInBackground* +- GP element: *LetAppsRunInBackground_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsSyncWithDevices** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps communicate with unpaired devices* +- GP name: *LetAppsSyncWithDevices* +- GP element: *LetAppsSyncWithDevices_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps communicate with unpaired devices* +- GP name: *LetAppsSyncWithDevices* +- GP element: *LetAppsSyncWithDevices_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps communicate with unpaired devices* +- GP name: *LetAppsSyncWithDevices* +- GP element: *LetAppsSyncWithDevices_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps communicate with unpaired devices* +- GP name: *LetAppsSyncWithDevices* +- GP element: *LetAppsSyncWithDevices_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/PublishUserActivities** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+
+ + + +Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed. + + + +ADMX Info: +- GP English name: *Allow publishing of User Activities* +- GP name: *PublishUserActivities* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + +The following list shows the supported values: + +- 0 – Disabled. Apps/OS can't publish the *user activities*. +- 1 – (default) Enabled. Apps/OS can publish the *user activities*. + + + + +
+ + +**Privacy/UploadUserActivities** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +Allows ActivityFeed to upload published 'User Activities'. + + + +ADMX Info: +- GP English name: *Allow upload of User Activities* +- GP name: *UploadUserActivities* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 78ef27da14..1d41637f5b 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -66,12 +66,59 @@ This security setting allows an administrator to define the members of a securit Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. +Starting in Windows 10, next major version, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution. + +``` syntax +
@@ -49,6 +51,9 @@ ms.date: 08/09/2018
+ +**Start/DisableContextMenus** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+ + | + |
+ + + +Enabling this policy prevents context menus from being invoked in the Start Menu. + + + +ADMX Info: +- GP English name: *Disable context menus in the Start Menu* +- GP name: *DisableContextMenusInStart* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + + + + + + + + + + + +
+ **Start/ForceStartSize** @@ -1780,6 +1846,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 99145cc967..df68eeee47 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1,3570 +1,3570 @@ ---- -title: Policy CSP - Update -description: Policy CSP - Update -ms.author: maricia -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: MariciaAlforque -ms.date: 08/10/2018 ---- - -# Policy CSP - Update - -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - -
- - -## Update policies - -
-
-
- - Update/ActiveHoursEnd - -
- - Update/ActiveHoursMaxRange - -
- - Update/ActiveHoursStart - -
- - Update/AllowAutoUpdate - -
- - Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork - -
- - Update/AllowMUUpdateService - -
- - Update/AllowNonMicrosoftSignedUpdate - -
- - Update/AllowUpdateService - -
- - Update/AutoRestartDeadlinePeriodInDays - -
- - Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates - -
- - Update/AutoRestartNotificationSchedule - -
- - Update/AutoRestartRequiredNotificationDismissal - -
- - Update/BranchReadinessLevel - -
- - Update/ConfigureFeatureUpdateUninstallPeriod - -
- - Update/DeferFeatureUpdatesPeriodInDays - -
- - Update/DeferQualityUpdatesPeriodInDays - -
- - Update/DeferUpdatePeriod - -
- - Update/DeferUpgradePeriod - -
- - Update/DetectionFrequency - -
- - Update/DisableDualScan - -
- - Update/EngagedRestartDeadline - -
- - Update/EngagedRestartDeadlineForFeatureUpdates - -
- - Update/EngagedRestartSnoozeSchedule - -
- - Update/EngagedRestartSnoozeScheduleForFeatureUpdates - -
- - Update/EngagedRestartTransitionSchedule - -
- - Update/EngagedRestartTransitionScheduleForFeatureUpdates - -
- - Update/ExcludeWUDriversInQualityUpdate - -
- - Update/FillEmptyContentUrls - -
- - Update/IgnoreMOAppDownloadLimit - -
- - Update/IgnoreMOUpdateDownloadLimit - -
- - Update/ManagePreviewBuilds - -
- - Update/PauseDeferrals - -
- - Update/PauseFeatureUpdates - -
- - Update/PauseFeatureUpdatesStartTime - -
- - Update/PauseQualityUpdates - -
- - Update/PauseQualityUpdatesStartTime - -
- - Update/PhoneUpdateRestrictions - -
- - Update/RequireDeferUpgrade - -
- - Update/RequireUpdateApproval - -
- - Update/ScheduleImminentRestartWarning - -
- - Update/ScheduleRestartWarning - -
- - Update/ScheduledInstallDay - -
- - Update/ScheduledInstallEveryWeek - -
- - Update/ScheduledInstallFirstWeek - -
- - Update/ScheduledInstallFourthWeek - -
- - Update/ScheduledInstallSecondWeek - -
- - Update/ScheduledInstallThirdWeek - -
- - Update/ScheduledInstallTime - -
- - Update/SetAutoRestartNotificationDisable - -
- - Update/SetDisablePauseUXAccess - -
- - Update/SetDisableUXWUAccess - -
- - Update/SetEDURestart - -
- - Update/UpdateNotificationLevel - -
- - Update/UpdateServiceUrl - -
- - Update/UpdateServiceUrlAlternate - -
- - -**Update/ActiveHoursEnd** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 1 |
- 1 |
- 1 |
- 1 |
- |
- 1 |
-
- - - -Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. - -> [!NOTE] -> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. - -Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. - -The default is 17 (5 PM). - - - -ADMX Info: -- GP English name: *Turn off auto-restart for updates during active hours* -- GP name: *ActiveHours* -- GP element: *ActiveHoursEndTime* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/ActiveHoursMaxRange** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
- - - -Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. - -Supported values are 8-18. - -The default value is 18 (hours). - - - -ADMX Info: -- GP English name: *Specify active hours range for auto-restarts* -- GP name: *ActiveHoursMaxRange* -- GP element: *ActiveHoursMaxRange* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/ActiveHoursStart** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 1 |
- 1 |
- 1 |
- 1 |
- |
- 1 |
-
- - - -Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. - -> [!NOTE] -> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. - -Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. - -The default value is 8 (8 AM). - - - -ADMX Info: -- GP English name: *Turn off auto-restart for updates during active hours* -- GP name: *ActiveHours* -- GP element: *ActiveHoursStartTime* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/AllowAutoUpdate** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -Enables the IT admin to manage automatic update behavior to scan, download, and install updates. - -Supported operations are Get and Replace. - - -> [!IMPORTANT] -> This option should be used only for systems under regulatory compliance, as you will not get security updates as well. - - -If the policy is not configured, end-users get the default behavior (Auto install and restart). - - - -ADMX Info: -- GP English name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AutoUpdateMode* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. -- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. -- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. -- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. -- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. -- 5 – Turn off automatic updates. - - - - -
- - -**Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 3 |
- 3 |
- 3 |
- 3 |
- |
- |
-
- - - -Added in Windows 10, version 1709. Option to download updates automatically over metered connections (off by default). Value type is integer. - -A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates. - -This policy is accessible through the Update setting in the user interface or Group Policy. - - - -ADMX Info: -- GP English name: *Allow updates to be downloaded automatically over metered connections* -- GP name: *AllowAutoWindowsUpdateDownloadOverMeteredNetwork* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) - Not allowed -- 1 - Allowed - - - - -
- - -**Update/AllowMUUpdateService** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 1 |
- 1 |
- 1 |
- 1 |
- |
- |
-
- - - -Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. - - - -ADMX Info: -- GP English name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AllowMUUpdateServiceId* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed or not configured. -- 1 – Allowed. Accepts updates received through Microsoft Update. - - - - -
- - -**Update/AllowNonMicrosoftSignedUpdate** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. - -Supported operations are Get and Replace. - -This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. - - - -The following list shows the supported values: - -- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. -- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. - - - - -
- - -**Update/AllowUpdateService** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. - -Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store - -Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working. - -> [!NOTE] -> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. - - - -ADMX Info: -- GP English name: *Specify intranet Microsoft update service location* -- GP name: *CorpWuURL* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 – Update service is not allowed. -- 1 (default) – Update service is allowed. - - - - -
- - -**Update/AutoRestartDeadlinePeriodInDays** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
- - - -For Quality Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. - -Value type is integer. Default is 7 days. - -Supported values range: 2-30. - -Note that the PC must restart for certain updates to take effect. - -If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled. - -If you disable or do not configure this policy, the PC will restart according to the default schedule. - -If any of the following two policies are enabled, this policy has no effect: -1. No auto-restart with logged on users for scheduled automatic updates installations. -2. Always automatically restart at scheduled time. - - - -ADMX Info: -- GP English name: *Specify deadline before auto-restart for update installation* -- GP name: *AutoRestartDeadline* -- GP element: *AutoRestartDeadline* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. - -Value type is integer. Default is 7 days. - -Supported values range: 2-30. - -Note that the PC must restart for certain updates to take effect. - -If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled. - -If you disable or do not configure this policy, the PC will restart according to the default schedule. - -If any of the following two policies are enabled, this policy has no effect: -1. No auto-restart with logged on users for scheduled automatic updates installations. -2. Always automatically restart at scheduled time. - - - -ADMX Info: -- GP English name: *Specify deadline before auto-restart for update installation* -- GP name: *AutoRestartDeadline* -- GP element: *AutoRestartDeadlineForFeatureUpdates* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/AutoRestartNotificationSchedule** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
- - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. - -The default value is 15 (minutes). - - - -ADMX Info: -- GP English name: *Configure auto-restart reminder notifications for updates* -- GP name: *AutoRestartNotificationConfig* -- GP element: *AutoRestartNotificationSchd* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supported values are 15, 30, 60, 120, and 240 (minutes). - - - - -
- - -**Update/AutoRestartRequiredNotificationDismissal** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
- - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. - - - -ADMX Info: -- GP English name: *Configure auto-restart required notification for updates* -- GP name: *AutoRestartRequiredNotificationDismissal* -- GP element: *AutoRestartRequiredNotificationDismissal* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 1 (default) – Auto Dismissal. -- 2 – User Dismissal. - - - - -
- - -**Update/BranchReadinessLevel** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 1 |
- 1 |
- 1 |
- 1 |
- |
- 1 |
-
- - - -Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. - - - -ADMX Info: -- GP English name: *Select when Preview Builds and Feature Updates are received* -- GP name: *DeferFeatureUpdates* -- GP element: *BranchReadinessLevelId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 2 {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709) -- 4 {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709) -- 8 {0x8} - Release Windows Insider build (added in Windows 10, version 1709) -- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). -- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. - - - - -
- - -**Update/ConfigureFeatureUpdateUninstallPeriod** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 4 |
- 4 |
- 4 |
- 4 |
- |
- |
-
- - - -Added in Windows 10, version 1803. Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days. - - - - -
- - -**Update/DeferFeatureUpdatesPeriodInDays** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 1 |
- 1 |
- 1 |
- 1 |
- |
- |
-
- - - -Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. - -Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. - -Supported values are 0-365 days. - -> [!IMPORTANT] -> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. - - - -ADMX Info: -- GP English name: *Select when Preview Builds and Feature Updates are received* -- GP name: *DeferFeatureUpdates* -- GP element: *DeferFeatureUpdatesPeriodId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/DeferQualityUpdatesPeriodInDays** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 1 |
- 1 |
- 1 |
- 1 |
- |
- 1 |
-
- - - -Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. - -Supported values are 0-30. - - - -ADMX Info: -- GP English name: *Select when Quality Updates are received* -- GP name: *DeferQualityUpdates* -- GP element: *DeferQualityUpdatesPeriodId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/DeferUpdatePeriod** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -> [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. - - -Allows IT Admins to specify update delays for up to 4 weeks. - -Supported values are 0-4, which refers to the number of weeks to defer updates. - -In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following: - -- Update/RequireDeferUpgrade must be set to 1 -- System/AllowTelemetry must be set to 1 or higher - -If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -OS upgrade: -- Maximum deferral: 8 months -- Deferral increment: 1 month -- Update type/notes: - - Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 - -Update: -- Maximum deferral: 1 month -- Deferral increment: 1 week -- Update type/notes: - If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. - - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 - - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 - - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F - - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 - - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB - - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F - - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 - - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 - -Other/cannot defer: -- Maximum deferral: No deferral -- Deferral increment: No deferral -- Update type/notes: - Any update category not specifically enumerated above falls into this category. - - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B - - - - - -ADMX Info: -- GP name: *DeferUpgrade* -- GP element: *DeferUpdatePeriodId* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/DeferUpgradePeriod** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -> [!NOTE] -> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. -> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. - - -Allows IT Admins to specify additional upgrade delays for up to 8 months. - -Supported values are 0-8, which refers to the number of months to defer upgrades. - -If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - - -ADMX Info: -- GP name: *DeferUpgrade* -- GP element: *DeferUpgradePeriodId* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/DetectionFrequency** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
- - - -Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. - - - -ADMX Info: -- GP English name: *Automatic Updates detection frequency* -- GP name: *DetectionFrequency_Title* -- GP element: *DetectionFrequency_Hour2* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/DisableDualScan** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 3 |
- 3 |
- 3 |
- 3 |
- |
- |
-
- - - -Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases. Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. - -For more information about dual scan, see [Demystifying "Dual Scan"](https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/) and [Improving Dual Scan on 1607](https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/). - -This is the same as the Group Policy in Windows Components > Window Update "Do not allow update deferral policies to cause scans against Windows Update." - -Value type is integer. Supported operations are Add, Get, Replace, and Delete. - - - -ADMX Info: -- GP English name: *Do not allow update deferral policies to cause scans against Windows Update* -- GP name: *DisableDualScan* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 - allow scan against Windows Update -- 1 - do not allow update deferral policies to cause scans against Windows Update - - - - -
- - -**Update/EngagedRestartDeadline** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
- - - -For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. - -Value type is integer. Default is 14. - -Supported value range: 2 - 30. - -If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e.g. pending user scheduling). - -If you disable or do not configure this policy, the default behaviors will be used. - -If any of the following policies are configured, this policy has no effect: -1. No auto-restart with logged on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time -3. Specify deadline before auto-restart for update installation - - - -ADMX Info: -- GP English name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartDeadline* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/EngagedRestartDeadlineForFeatureUpdates** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. - -Value type is integer. Default is 14. - -Supported value range: 2 - 30. - -If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e.g. pending user scheduling). - -If you disable or do not configure this policy, the default behaviors will be used. - -If any of the following policies are configured, this policy has no effect: -1. No auto-restart with logged on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time -3. Specify deadline before auto-restart for update installation - - - -ADMX Info: -- GP English name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartDeadlineForFeatureUpdates* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/EngagedRestartSnoozeSchedule** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
- - - -For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. - -Value type is integer. Default is 3 days. - -Supported value range: 1 - 3. - -If you disable or do not configure this policy, the default behaviors will be used. - -If any of the following policies are configured, this policy has no effect: -1. No auto-restart with logged on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time -3. Specify deadline before auto-restart for update installation - - - -ADMX Info: -- GP English name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartSnoozeSchedule* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/EngagedRestartSnoozeScheduleForFeatureUpdates** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. - -Value type is integer. Default is 3 days. - -Supported value range: 1 - 3. - -If you disable or do not configure this policy, the default behaviors will be used. - -If any of the following policies are configured, this policy has no effect: -1. No auto-restart with logged on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time -3. Specify deadline before auto-restart for update installation - - - -ADMX Info: -- GP English name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartSnoozeScheduleForFeatureUpdates* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/EngagedRestartTransitionSchedule** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
- - - -For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. - -Value type is integer. - -Supported value range: 0 - 30. - -If you disable or do not configure this policy, the default behaviors will be used. - -If any of the following policies are configured, this policy has no effect: -1. No auto-restart with logged on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time -3. Specify deadline before auto-restart for update installation - - - -ADMX Info: -- GP English name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartTransitionSchedule* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/EngagedRestartTransitionScheduleForFeatureUpdates** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. - -Value type is integer. - -Supported value range: 0 - 30. - -If you disable or do not configure this policy, the default behaviors will be used. - -If any of the following policies are configured, this policy has no effect: -1. No auto-restart with logged on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time -3. Specify deadline before auto-restart for update installation - - - -ADMX Info: -- GP English name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartTransitionScheduleForFeatureUpdates* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/ExcludeWUDriversInQualityUpdate** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 1 |
- 1 |
- 1 |
- 1 |
- |
- |
-
- - - -> [!NOTE] -> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. - -Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. - - - -ADMX Info: -- GP English name: *Do not include drivers with Windows Updates* -- GP name: *ExcludeWUDriversInQualityUpdate* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) – Allow Windows Update drivers. -- 1 – Exclude Windows Update drivers. - - - - -
- - -**Update/FillEmptyContentUrls** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
- - - -Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). - -> [!NOTE] -> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. - - - -ADMX Info: -- GP English name: *Specify intranet Microsoft update service location* -- GP name: *CorpWuURL* -- GP element: *CorpWUFillEmptyContentUrls* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) – Disabled. -- 1 – Enabled. - - - - -
- - -**Update/IgnoreMOAppDownloadLimit** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
- - - -Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. - -> [!WARNING] -> Setting this policy might cause devices to incur costs from MO operators. - - - -The following list shows the supported values: - -- 0 (default) – Do not ignore MO download limit for apps and their updates. -- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. - - - -To validate this policy: - -1. Enable the policy ensure the device is on a cellular network. -2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: - - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f` - - - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""` - -3. Verify that any downloads that are above the download size limit will complete without being paused. - - - - -
- - -**Update/IgnoreMOUpdateDownloadLimit** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
- - - -Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. - -> [!WARNING] -> Setting this policy might cause devices to incur costs from MO operators. - - - - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""` - -3. Verify that any downloads that are above the download size limit will complete without being paused. - - - -The following list shows the supported values: - -- 0 (default) – Do not ignore MO download limit for OS updates. -- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. - - - -To validate this policy: - -1. Enable the policy and ensure the device is on a cellular network. -2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: - - - - -
- - -**Update/ManagePreviewBuilds** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 3 |
- 3 |
- 3 |
- 3 |
- |
- 2 |
-
- - - -Added in Windows 10, version 1709. Used to manage Windows 10 Insider Preview builds. Value type is integer. - - - -ADMX Info: -- GP English name: *Manage preview builds* -- GP name: *ManagePreviewBuilds* -- GP element: *ManagePreviewBuildsId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 - Disable Preview builds -- 1 - Disable Preview builds once the next release is public -- 2 - Enable Preview builds - - - - -
- - -**Update/PauseDeferrals** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -> [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. - - -Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. - - -If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - - -ADMX Info: -- GP name: *DeferUpgrade* -- GP element: *PauseDeferralsId* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) – Deferrals are not paused. -- 1 – Deferrals are paused. - - - - -
- - -**Update/PauseFeatureUpdates** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 1 |
- 1 |
- 1 |
- 1 |
- |
- |
-
- - - -Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. - - -Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. - - - -ADMX Info: -- GP English name: *Select when Preview Builds and Feature Updates are received* -- GP name: *DeferFeatureUpdates* -- GP element: *PauseFeatureUpdatesId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) – Feature Updates are not paused. -- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. - - - - -
- - -**Update/PauseFeatureUpdatesStartTime** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
- - - -Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates. - -Value type is string. Supported operations are Add, Get, Delete, and Replace. - - - -ADMX Info: -- GP English name: *Select when Preview Builds and Feature Updates are received* -- GP name: *DeferFeatureUpdates* -- GP element: *PauseFeatureUpdatesStartId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/PauseQualityUpdates** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 1 |
- 1 |
- 1 |
- 1 |
- |
- 1 |
-
- - - -Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. - - - -ADMX Info: -- GP English name: *Select when Quality Updates are received* -- GP name: *DeferQualityUpdates* -- GP element: *PauseQualityUpdatesId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) – Quality Updates are not paused. -- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. - - - - -
- - -**Update/PauseQualityUpdatesStartTime** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
- - - -Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates. - -Value type is string. Supported operations are Add, Get, Delete, and Replace. - - - -ADMX Info: -- GP English name: *Select when Quality Updates are received* -- GP name: *DeferQualityUpdates* -- GP element: *PauseQualityUpdatesStartId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/PhoneUpdateRestrictions** - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupdateapproval) instead. - - - - -
- - -**Update/RequireDeferUpgrade** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -> [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. - - -Allows the IT admin to set a device to Semi-Annual Channel train. - - - -ADMX Info: -- GP name: *DeferUpgrade* -- GP element: *DeferUpgradePeriodId* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) – User gets upgrades from Semi-Annual Channel (Targeted). -- 1 – User gets upgrades from Semi-Annual Channel. - - - - -
- - -**Update/RequireUpdateApproval** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -> [!NOTE] -> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. - - -Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. - -Supported operations are Get and Replace. - - - -The following list shows the supported values: - -- 0 – Not configured. The device installs all applicable updates. -- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. - - - - -
- - -**Update/ScheduleImminentRestartWarning** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
- - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. - -The default value is 15 (minutes). - - - -ADMX Info: -- GP English name: *Configure auto-restart warning notifications schedule for updates* -- GP name: *RestartWarnRemind* -- GP element: *RestartWarn* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supported values are 15, 30, or 60 (minutes). - - - - -
- - -**Update/ScheduleRestartWarning** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications. - -The default value is 4 (hours). - - - -ADMX Info: -- GP English name: *Configure auto-restart warning notifications schedule for updates* -- GP name: *RestartWarnRemind* -- GP element: *RestartWarnRemind* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supported values are 2, 4, 8, 12, or 24 (hours). - - - - -
- - -**Update/ScheduledInstallDay** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -Enables the IT admin to schedule the day of the update installation. - -The data type is a integer. - -Supported operations are Add, Delete, Get, and Replace. - - - -ADMX Info: -- GP English name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AutoUpdateSchDay* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) – Every day -- 1 – Sunday -- 2 – Monday -- 3 – Tuesday -- 4 – Wednesday -- 5 – Thursday -- 6 – Friday -- 7 – Saturday - - - - -
- - -**Update/ScheduledInstallEveryWeek** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- |
-
- - - -Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values: -
-
-
- 0 - no update in the schedule -
- 1 - update is scheduled every week -
- - -**Update/ScheduledInstallFirstWeek** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- |
-
- - - -Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values: -
-
-
- 0 - no update in the schedule -
- 1 - update is scheduled every first week of the month -
- - -**Update/ScheduledInstallFourthWeek** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- |
-
- - - -Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values: -
-
-
- 0 - no update in the schedule -
- 1 - update is scheduled every fourth week of the month -
- - -**Update/ScheduledInstallSecondWeek** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- |
-
- - - -Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values: -
-
-
- 0 - no update in the schedule -
- 1 - update is scheduled every second week of the month -
- - -**Update/ScheduledInstallThirdWeek** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- |
-
- - - -Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values: -
-
-
- 0 - no update in the schedule -
- 1 - update is scheduled every third week of the month -
- - -**Update/ScheduledInstallTime** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -Enables the IT admin to schedule the time of the update installation. - -The data type is a integer. - -Supported operations are Add, Delete, Get, and Replace. - -Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. - -The default value is 3. - - - -ADMX Info: -- GP English name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AutoUpdateSchTime* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/SetAutoRestartNotificationDisable** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
- - - -Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations. - - - -ADMX Info: -- GP English name: *Turn off auto-restart notifications for update installations* -- GP name: *AutoRestartNotificationDisable* -- GP element: *AutoRestartNotificationSchd* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) – Enabled -- 1 – Disabled - - - - -
- - -**Update/SetDisablePauseUXAccess** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -This policy allows the IT admin to disable the "Pause Updates" feature. When this policy is enabled, the user cannot access the "Pause updates" feature. - -Value type is integer. Default is 0. Supported values 0, 1. - - - -ADMX Info: -- GP name: *SetDisablePauseUXAccess* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/SetDisableUXWUAccess** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user cannot access the Windows Update scan, download, and install features. - -Value type is integer. Default is 0. Supported values 0, 1. - - - -ADMX Info: -- GP name: *SetDisableUXWUAccess* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/SetEDURestart** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
- - - -Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime. - - - -ADMX Info: -- GP English name: *Update Power Policy for Cart Restarts* -- GP name: *SetEDURestart* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 - not configured -- 1 - configured - - - - -
- - -**Update/UpdateNotificationLevel** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -Display options for update notifications. This policy allows you to define what Windows Update notifications users see. This policy doesn’t control how and when updates are downloaded and installed. - -Options: - -- 0 (default) – Use the default Windows Update notifications -- 1 – Turn off all notifications, excluding restart warnings -- 2 – Turn off all notifications, including restart warnings - -> [!Important] -> If you choose not to get update notifications and also define other Group policies so that devices aren’t automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. - - - -ADMX Info: -- GP English name: *Display options for update notifications* -- GP name: *UpdateNotificationLevel* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - - - - - - - - - - -
- - -**Update/UpdateServiceUrl** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -> [!Important] -> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile. - -Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. - -Supported operations are Get and Replace. - - - -ADMX Info: -- GP English name: *Specify intranet Microsoft update service location* -- GP name: *CorpWuURL* -- GP element: *CorpWUURL_Name* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- Not configured. The device checks for updates from Microsoft Update. -- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL. - - - -Example - -``` syntax -
- - -**Update/UpdateServiceUrlAlternate** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 1 |
- 1 |
- 1 |
- 1 |
- |
- |
-
- - - -Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. - -This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. - -To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. - -Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. - -> [!Note] -> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. -> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates. -> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. - - - -ADMX Info: -- GP English name: *Specify intranet Microsoft update service location* -- GP name: *CorpWuURL* -- GP element: *CorpWUContentHost_Name* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -
- -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. - - +--- +title: Policy CSP - Update +description: Policy CSP - Update +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 08/10/2018 +--- + +# Policy CSP - Update + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ + +## Update policies + +
-
+
- + Update/ActiveHoursEnd + +
- + Update/ActiveHoursMaxRange + +
- + Update/ActiveHoursStart + +
- + Update/AllowAutoUpdate + +
- + Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork + +
- + Update/AllowMUUpdateService + +
- + Update/AllowNonMicrosoftSignedUpdate + +
- + Update/AllowUpdateService + +
- + Update/AutoRestartDeadlinePeriodInDays + +
- + Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates + +
- + Update/AutoRestartNotificationSchedule + +
- + Update/AutoRestartRequiredNotificationDismissal + +
- + Update/BranchReadinessLevel + +
- + Update/ConfigureFeatureUpdateUninstallPeriod + +
- + Update/DeferFeatureUpdatesPeriodInDays + +
- + Update/DeferQualityUpdatesPeriodInDays + +
- + Update/DeferUpdatePeriod + +
- + Update/DeferUpgradePeriod + +
- + Update/DetectionFrequency + +
- + Update/DisableDualScan + +
- + Update/EngagedRestartDeadline + +
- + Update/EngagedRestartDeadlineForFeatureUpdates + +
- + Update/EngagedRestartSnoozeSchedule + +
- + Update/EngagedRestartSnoozeScheduleForFeatureUpdates + +
- + Update/EngagedRestartTransitionSchedule + +
- + Update/EngagedRestartTransitionScheduleForFeatureUpdates + +
- + Update/ExcludeWUDriversInQualityUpdate + +
- + Update/FillEmptyContentUrls + +
- + Update/IgnoreMOAppDownloadLimit + +
- + Update/IgnoreMOUpdateDownloadLimit + +
- + Update/ManagePreviewBuilds + +
- + Update/PauseDeferrals + +
- + Update/PauseFeatureUpdates + +
- + Update/PauseFeatureUpdatesStartTime + +
- + Update/PauseQualityUpdates + +
- + Update/PauseQualityUpdatesStartTime + +
- + Update/PhoneUpdateRestrictions + +
- + Update/RequireDeferUpgrade + +
- + Update/RequireUpdateApproval + +
- + Update/ScheduleImminentRestartWarning + +
- + Update/ScheduleRestartWarning + +
- + Update/ScheduledInstallDay + +
- + Update/ScheduledInstallEveryWeek + +
- + Update/ScheduledInstallFirstWeek + +
- + Update/ScheduledInstallFourthWeek + +
- + Update/ScheduledInstallSecondWeek + +
- + Update/ScheduledInstallThirdWeek + +
- + Update/ScheduledInstallTime + +
- + Update/SetAutoRestartNotificationDisable + +
- + Update/SetDisablePauseUXAccess + +
- + Update/SetDisableUXWUAccess + +
- + Update/SetEDURestart + +
- + Update/UpdateNotificationLevel + +
- + Update/UpdateServiceUrl + +
- + Update/UpdateServiceUrlAlternate + +
+ + +**Update/ActiveHoursEnd** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. + +> [!NOTE] +> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. + +Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. + +The default is 17 (5 PM). + + + +ADMX Info: +- GP English name: *Turn off auto-restart for updates during active hours* +- GP name: *ActiveHours* +- GP element: *ActiveHoursEndTime* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/ActiveHoursMaxRange** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. + +Supported values are 8-18. + +The default value is 18 (hours). + + + +ADMX Info: +- GP English name: *Specify active hours range for auto-restarts* +- GP name: *ActiveHoursMaxRange* +- GP element: *ActiveHoursMaxRange* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/ActiveHoursStart** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. + +> [!NOTE] +> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. + +Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. + +The default value is 8 (8 AM). + + + +ADMX Info: +- GP English name: *Turn off auto-restart for updates during active hours* +- GP name: *ActiveHours* +- GP element: *ActiveHoursStartTime* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/AllowAutoUpdate** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +Enables the IT admin to manage automatic update behavior to scan, download, and install updates. + +Supported operations are Get and Replace. + + +> [!IMPORTANT] +> This option should be used only for systems under regulatory compliance, as you will not get security updates as well. + + +If the policy is not configured, end-users get the default behavior (Auto install and restart). + + + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateMode* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. +- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. +- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. +- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. +- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. +- 5 – Turn off automatic updates. + + + + +
+ + +**Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+ + + +Added in Windows 10, version 1709. Option to download updates automatically over metered connections (off by default). Value type is integer. + +A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates. + +This policy is accessible through the Update setting in the user interface or Group Policy. + + + +ADMX Info: +- GP English name: *Allow updates to be downloaded automatically over metered connections* +- GP name: *AllowAutoWindowsUpdateDownloadOverMeteredNetwork* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) - Not allowed +- 1 - Allowed + + + + +
+ + +**Update/AllowMUUpdateService** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ |
+ |
+
+ + + +Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. + + + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AllowMUUpdateServiceId* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 – Not allowed or not configured. +- 1 – Allowed. Accepts updates received through Microsoft Update. + + + + +
+ + +**Update/AllowNonMicrosoftSignedUpdate** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. + +Supported operations are Get and Replace. + +This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. + + + +The following list shows the supported values: + +- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. +- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. + + + + +
+ + +**Update/AllowUpdateService** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. + +Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store + +Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working. + +> [!NOTE] +> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. + + + +ADMX Info: +- GP English name: *Specify intranet Microsoft update service location* +- GP name: *CorpWuURL* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 – Update service is not allowed. +- 1 (default) – Update service is allowed. + + + + +
+ + +**Update/AutoRestartDeadlinePeriodInDays** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+ + + +For Quality Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. + +Value type is integer. Default is 7 days. + +Supported values range: 2-30. + +Note that the PC must restart for certain updates to take effect. + +If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled. + +If you disable or do not configure this policy, the PC will restart according to the default schedule. + +If any of the following two policies are enabled, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations. +2. Always automatically restart at scheduled time. + + + +ADMX Info: +- GP English name: *Specify deadline before auto-restart for update installation* +- GP name: *AutoRestartDeadline* +- GP element: *AutoRestartDeadline* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. + +Value type is integer. Default is 7 days. + +Supported values range: 2-30. + +Note that the PC must restart for certain updates to take effect. + +If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled. + +If you disable or do not configure this policy, the PC will restart according to the default schedule. + +If any of the following two policies are enabled, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations. +2. Always automatically restart at scheduled time. + + + +ADMX Info: +- GP English name: *Specify deadline before auto-restart for update installation* +- GP name: *AutoRestartDeadline* +- GP element: *AutoRestartDeadlineForFeatureUpdates* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/AutoRestartNotificationSchedule** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. + +The default value is 15 (minutes). + + + +ADMX Info: +- GP English name: *Configure auto-restart reminder notifications for updates* +- GP name: *AutoRestartNotificationConfig* +- GP element: *AutoRestartNotificationSchd* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supported values are 15, 30, 60, 120, and 240 (minutes). + + + + +
+ + +**Update/AutoRestartRequiredNotificationDismissal** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. + + + +ADMX Info: +- GP English name: *Configure auto-restart required notification for updates* +- GP name: *AutoRestartRequiredNotificationDismissal* +- GP element: *AutoRestartRequiredNotificationDismissal* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 1 (default) – Auto Dismissal. +- 2 – User Dismissal. + + + + +
+ + +**Update/BranchReadinessLevel** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. + + + +ADMX Info: +- GP English name: *Select when Preview Builds and Feature Updates are received* +- GP name: *DeferFeatureUpdates* +- GP element: *BranchReadinessLevelId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 2 {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709) +- 4 {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709) +- 8 {0x8} - Release Windows Insider build (added in Windows 10, version 1709) +- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). +- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. + + + + +
+ + +**Update/ConfigureFeatureUpdateUninstallPeriod** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+ |
+ |
+
+ + + +Added in Windows 10, version 1803. Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days. + + + + +
+ + +**Update/DeferFeatureUpdatesPeriodInDays** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ |
+ |
+
+ + + +Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + +Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. + +Supported values are 0-365 days. + +> [!IMPORTANT] +> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. + + + +ADMX Info: +- GP English name: *Select when Preview Builds and Feature Updates are received* +- GP name: *DeferFeatureUpdates* +- GP element: *DeferFeatureUpdatesPeriodId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/DeferQualityUpdatesPeriodInDays** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. + +Supported values are 0-30. + + + +ADMX Info: +- GP English name: *Select when Quality Updates are received* +- GP name: *DeferQualityUpdates* +- GP element: *DeferQualityUpdatesPeriodId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/DeferUpdatePeriod** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +> [!NOTE] +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. + + +Allows IT Admins to specify update delays for up to 4 weeks. + +Supported values are 0-4, which refers to the number of weeks to defer updates. + +In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following: + +- Update/RequireDeferUpgrade must be set to 1 +- System/AllowTelemetry must be set to 1 or higher + +If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +OS upgrade: +- Maximum deferral: 8 months +- Deferral increment: 1 month +- Update type/notes: + - Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 + +Update: +- Maximum deferral: 1 month +- Deferral increment: 1 week +- Update type/notes: + If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. + - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 + - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 + - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F + - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 + - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB + - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F + - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 + - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 + +Other/cannot defer: +- Maximum deferral: No deferral +- Deferral increment: No deferral +- Update type/notes: + Any update category not specifically enumerated above falls into this category. + - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B + + + + + +ADMX Info: +- GP name: *DeferUpgrade* +- GP element: *DeferUpdatePeriodId* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/DeferUpgradePeriod** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +> [!NOTE] +> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. +> +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. + + +Allows IT Admins to specify additional upgrade delays for up to 8 months. + +Supported values are 0-8, which refers to the number of months to defer upgrades. + +If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + + + +ADMX Info: +- GP name: *DeferUpgrade* +- GP element: *DeferUpgradePeriodId* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/DetectionFrequency** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. + + + +ADMX Info: +- GP English name: *Automatic Updates detection frequency* +- GP name: *DetectionFrequency_Title* +- GP element: *DetectionFrequency_Hour2* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/DisableDualScan** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+ + + +Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases. Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. + +For more information about dual scan, see [Demystifying "Dual Scan"](https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/) and [Improving Dual Scan on 1607](https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/). + +This is the same as the Group Policy in Windows Components > Window Update "Do not allow update deferral policies to cause scans against Windows Update." + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + +ADMX Info: +- GP English name: *Do not allow update deferral policies to cause scans against Windows Update* +- GP name: *DisableDualScan* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 - allow scan against Windows Update +- 1 - do not allow update deferral policies to cause scans against Windows Update + + + + +
+ + +**Update/EngagedRestartDeadline** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+ + + +For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. + +Value type is integer. Default is 14. + +Supported value range: 2 - 30. + +If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e.g. pending user scheduling). + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartDeadline* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/EngagedRestartDeadlineForFeatureUpdates** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. + +Value type is integer. Default is 14. + +Supported value range: 2 - 30. + +If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e.g. pending user scheduling). + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartDeadlineForFeatureUpdates* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/EngagedRestartSnoozeSchedule** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+ + + +For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. + +Value type is integer. Default is 3 days. + +Supported value range: 1 - 3. + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartSnoozeSchedule* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/EngagedRestartSnoozeScheduleForFeatureUpdates** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. + +Value type is integer. Default is 3 days. + +Supported value range: 1 - 3. + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartSnoozeScheduleForFeatureUpdates* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/EngagedRestartTransitionSchedule** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+ + + +For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. + +Value type is integer. + +Supported value range: 0 - 30. + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartTransitionSchedule* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/EngagedRestartTransitionScheduleForFeatureUpdates** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. + +Value type is integer. + +Supported value range: 0 - 30. + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartTransitionScheduleForFeatureUpdates* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/ExcludeWUDriversInQualityUpdate** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ |
+ |
+
+ + + +> [!NOTE] +> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + +Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. + + + +ADMX Info: +- GP English name: *Do not include drivers with Windows Updates* +- GP name: *ExcludeWUDriversInQualityUpdate* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – Allow Windows Update drivers. +- 1 – Exclude Windows Update drivers. + + + + +
+ + +**Update/FillEmptyContentUrls** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+ + + +Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). + +> [!NOTE] +> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. + + + +ADMX Info: +- GP English name: *Specify intranet Microsoft update service location* +- GP name: *CorpWuURL* +- GP element: *CorpWUFillEmptyContentUrls* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – Disabled. +- 1 – Enabled. + + + + +
+ + +**Update/IgnoreMOAppDownloadLimit** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. + +> [!WARNING] +> Setting this policy might cause devices to incur costs from MO operators. + + + +The following list shows the supported values: + +- 0 (default) – Do not ignore MO download limit for apps and their updates. +- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. + + + +To validate this policy: + +1. Enable the policy ensure the device is on a cellular network. +2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: + - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f` + + - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""` + +3. Verify that any downloads that are above the download size limit will complete without being paused. + + + + +
+ + +**Update/IgnoreMOUpdateDownloadLimit** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. + +> [!WARNING] +> Setting this policy might cause devices to incur costs from MO operators. + + + - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""` + +3. Verify that any downloads that are above the download size limit will complete without being paused. + + + +The following list shows the supported values: + +- 0 (default) – Do not ignore MO download limit for OS updates. +- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. + + + +To validate this policy: + +1. Enable the policy and ensure the device is on a cellular network. +2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: + + + + +
+ + +**Update/ManagePreviewBuilds** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ 2 |
+
+ + + +Added in Windows 10, version 1709. Used to manage Windows 10 Insider Preview builds. Value type is integer. + + + +ADMX Info: +- GP English name: *Manage preview builds* +- GP name: *ManagePreviewBuilds* +- GP element: *ManagePreviewBuildsId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 - Disable Preview builds +- 1 - Disable Preview builds once the next release is public +- 2 - Enable Preview builds + + + + +
+ + +**Update/PauseDeferrals** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +> [!NOTE] +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. + + +Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. + + +If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + + + +ADMX Info: +- GP name: *DeferUpgrade* +- GP element: *PauseDeferralsId* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – Deferrals are not paused. +- 1 – Deferrals are paused. + + + + +
+ + +**Update/PauseFeatureUpdates** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ |
+ |
+
+ + + +Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + + +Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. + + + +ADMX Info: +- GP English name: *Select when Preview Builds and Feature Updates are received* +- GP name: *DeferFeatureUpdates* +- GP element: *PauseFeatureUpdatesId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – Feature Updates are not paused. +- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. + + + + +
+ + +**Update/PauseFeatureUpdatesStartTime** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates. + +Value type is string. Supported operations are Add, Get, Delete, and Replace. + + + +ADMX Info: +- GP English name: *Select when Preview Builds and Feature Updates are received* +- GP name: *DeferFeatureUpdates* +- GP element: *PauseFeatureUpdatesStartId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/PauseQualityUpdates** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. + + + +ADMX Info: +- GP English name: *Select when Quality Updates are received* +- GP name: *DeferQualityUpdates* +- GP element: *PauseQualityUpdatesId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – Quality Updates are not paused. +- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. + + + + +
+ + +**Update/PauseQualityUpdatesStartTime** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates. + +Value type is string. Supported operations are Add, Get, Delete, and Replace. + + + +ADMX Info: +- GP English name: *Select when Quality Updates are received* +- GP name: *DeferQualityUpdates* +- GP element: *PauseQualityUpdatesStartId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/PhoneUpdateRestrictions** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupdateapproval) instead. + + + + +
+ + +**Update/RequireDeferUpgrade** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +> [!NOTE] +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. + + +Allows the IT admin to set a device to Semi-Annual Channel train. + + + +ADMX Info: +- GP name: *DeferUpgrade* +- GP element: *DeferUpgradePeriodId* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – User gets upgrades from Semi-Annual Channel (Targeted). +- 1 – User gets upgrades from Semi-Annual Channel. + + + + +
+ + +**Update/RequireUpdateApproval** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +> [!NOTE] +> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. + + +Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. + +Supported operations are Get and Replace. + + + +The following list shows the supported values: + +- 0 – Not configured. The device installs all applicable updates. +- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. + + + + +
+ + +**Update/ScheduleImminentRestartWarning** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. + +The default value is 15 (minutes). + + + +ADMX Info: +- GP English name: *Configure auto-restart warning notifications schedule for updates* +- GP name: *RestartWarnRemind* +- GP element: *RestartWarn* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supported values are 15, 30, or 60 (minutes). + + + + +
+ + +**Update/ScheduleRestartWarning** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications. + +The default value is 4 (hours). + + + +ADMX Info: +- GP English name: *Configure auto-restart warning notifications schedule for updates* +- GP name: *RestartWarnRemind* +- GP element: *RestartWarnRemind* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supported values are 2, 4, 8, 12, or 24 (hours). + + + + +
+ + +**Update/ScheduledInstallDay** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +Enables the IT admin to schedule the day of the update installation. + +The data type is a integer. + +Supported operations are Add, Delete, Get, and Replace. + + + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateSchDay* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – Every day +- 1 – Sunday +- 2 – Monday +- 3 – Tuesday +- 4 – Wednesday +- 5 – Thursday +- 6 – Friday +- 7 – Saturday + + + + +
+ + +**Update/ScheduledInstallEveryWeek** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+
+ + + +Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values: +
-
+
- 0 - no update in the schedule +
- 1 - update is scheduled every week +
+ + +**Update/ScheduledInstallFirstWeek** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+
+ + + +Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values: +
-
+
- 0 - no update in the schedule +
- 1 - update is scheduled every first week of the month +
+ + +**Update/ScheduledInstallFourthWeek** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+
+ + + +Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values: +
-
+
- 0 - no update in the schedule +
- 1 - update is scheduled every fourth week of the month +
+ + +**Update/ScheduledInstallSecondWeek** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+
+ + + +Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values: +
-
+
- 0 - no update in the schedule +
- 1 - update is scheduled every second week of the month +
+ + +**Update/ScheduledInstallThirdWeek** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+
+ + + +Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values: +
-
+
- 0 - no update in the schedule +
- 1 - update is scheduled every third week of the month +
+ + +**Update/ScheduledInstallTime** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +Enables the IT admin to schedule the time of the update installation. + +The data type is a integer. + +Supported operations are Add, Delete, Get, and Replace. + +Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. + +The default value is 3. + + + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateSchTime* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/SetAutoRestartNotificationDisable** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations. + + + +ADMX Info: +- GP English name: *Turn off auto-restart notifications for update installations* +- GP name: *AutoRestartNotificationDisable* +- GP element: *AutoRestartNotificationSchd* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – Enabled +- 1 – Disabled + + + + +
+ + +**Update/SetDisablePauseUXAccess** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +This policy allows the IT admin to disable the "Pause Updates" feature. When this policy is enabled, the user cannot access the "Pause updates" feature. + +Value type is integer. Default is 0. Supported values 0, 1. + + + +ADMX Info: +- GP name: *SetDisablePauseUXAccess* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/SetDisableUXWUAccess** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user cannot access the Windows Update scan, download, and install features. + +Value type is integer. Default is 0. Supported values 0, 1. + + + +ADMX Info: +- GP name: *SetDisableUXWUAccess* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
+ + +**Update/SetEDURestart** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime. + + + +ADMX Info: +- GP English name: *Update Power Policy for Cart Restarts* +- GP name: *SetEDURestart* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 - not configured +- 1 - configured + + + + +
+ + +**Update/UpdateNotificationLevel** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +Display options for update notifications. This policy allows you to define what Windows Update notifications users see. This policy doesn’t control how and when updates are downloaded and installed. + +Options: + +- 0 (default) – Use the default Windows Update notifications +- 1 – Turn off all notifications, excluding restart warnings +- 2 – Turn off all notifications, including restart warnings + +> [!Important] +> If you choose not to get update notifications and also define other Group policies so that devices aren’t automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. + + + +ADMX Info: +- GP English name: *Display options for update notifications* +- GP name: *UpdateNotificationLevel* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + + + + + + + + + + +
+ + +**Update/UpdateServiceUrl** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +> [!Important] +> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile. + +Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. + +Supported operations are Get and Replace. + + + +ADMX Info: +- GP English name: *Specify intranet Microsoft update service location* +- GP name: *CorpWuURL* +- GP element: *CorpWUURL_Name* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- Not configured. The device checks for updates from Microsoft Update. +- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL. + + + +Example + +``` syntax +
+ + +**Update/UpdateServiceUrlAlternate** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ |
+ |
+
+ + + +Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. + +This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. + +To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. + +Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. + +> [!Note] +> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. +> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates. +> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. + + + +ADMX Info: +- GP English name: *Specify intranet Microsoft update service location* +- GP name: *CorpWuURL* +- GP element: *CorpWUContentHost_Name* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. + + diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 00b49c54f7..ead54a0bfb 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -12,6 +12,61 @@ ms.date: 03/12/2018 # Policy CSP - UserRights +
+ +User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. Here is a list for reference, [Well-Known SID Structures](https://msdn.microsoft.com/en-us/library/cc980032.aspx). Even though strings are supported for well-known accounts and groups, it is better to use SIDs because strings are localized for different languages. Some user rights allow things, like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork. + +Here is an example syncml for setting the user right BackupFilesAndDirectories for Administrators and Authenticated Users groups. + +```syntax +
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 366bb79824..82818fd8da 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/23/2018 +ms.date: 08/13/2018 --- # RemoteWipe CSP @@ -44,7 +44,28 @@ Supported operation is Exec. **doWipePersistUserData** Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. - + +**AutomaticRedeployment** +Added in Windows 10, next major update. Node for the Autopilot Reset operation. + +**AutomaticRedeployment/doAutomaticRedeployment** +Added in Windows 10, next major update. Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard. + +**AutomaticRedeployment/LastError** +Added in Windows 10, next major update. Error value, if any, associated with Autopilot Reset operation (typically an HRESULT). + +**AutomaticRedeployment/Status** +Added in Windows 10, next major update. Status value indicating current state of an Autopilot Reset operation. + +Supported values: + +- 0: Never run (not started). The default state. +- 1: Complete. +- 10: Reset has been scheduled. +- 20: Reset is scheduled and waiting for a reboot. +- 30: Failed during CSP Execute ("Exec" in SyncML). +- 40: Failed: power requirements not met. +- 50: Failed: reset internals failed during reset attempt. ## Related topics diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md index 0f0de9b725..b2adadcfd1 100644 --- a/windows/client-management/mdm/remotewipe-ddf-file.md +++ b/windows/client-management/mdm/remotewipe-ddf-file.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/23/2018 +ms.date: 08/13/2018 --- # RemoteWipe DDF file @@ -17,7 +17,7 @@ This topic shows the OMA DM device description framework (DDF) for the **RemoteW Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the DDF for Windows 10, version 1709. +The XML below is the DDF for Windows 10, next major version. ``` syntax @@ -43,7 +43,7 @@ The XML below is the DDF for Windows 10, version 1709.
| Attack surface reduction | Next generation protection | Endpoint detection and response | Auto investigation and remediation | Security posture |
| [Hardware based isolation](https://docs.microsoft.com/en-us/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows) [Application control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard) [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard) [Network firewall](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security) [Attack surface reduction controls](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) |
- [Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) [Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus) [Automated sandbox service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) |
- [Alerts queue](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection) [Historical endpoint data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline) [Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) [API and SIEM integration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection) [Response orchestration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection) [Forensic collection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines) [Threat intelligence](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection) [Advanced detonation and analysis service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis) |
- [Automated investigation and remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) [Threat remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#how-threats-are-remediated) [Manage automated investigations](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#manage-automated-investigations) [Analyze automated investigation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#analyze-automated-investigations) |
+ |
| [Hardware based isolation](https://docs.microsoft.com/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows) [Application control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard) [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard) [Network firewall](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security) [Attack surface reduction controls](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) |
+ [Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) [Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus) [Automated sandbox service](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) |
+ [Alerts queue](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection) [Historical endpoint data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline) [Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) [API and SIEM integration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection) [Response orchestration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection) [Forensic collection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines) [Threat intelligence](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection) [Advanced detonation and analysis service](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis) |
+ [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#how-threats-are-remediated) [Manage automated investigations](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#manage-automated-investigations) [Analyze automated investigation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#analyze-automated-investigations) |
[Asset inventory](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection) [Operating system baseline compliance](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection) [Recommended improvement actions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection) [Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection) [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection) [Reporting and trends](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection) |
+ + +## AV-TEST: Perfect protection score of 6.0/6.0 in the latest test + +**[Analysis of the latest AV-TEST results](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports)** + +The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the protection category which has two scores: real world testing and the AV-TEST reference set (known as "prevalent malware"). + +**Real-World testing** as defined by AV-TEST attempts to test protection against zero-day malware attacks, inclusive of web and email threats. + +**Prevalent malware** as defined by AV-TEST attempts to test detection of widespread and prevalent malware discovered in the last four weeks. + +The below scores are the results of AV-TEST's evaluations on **Windows Defender Antivirus**. + +|Month (2018)|Real-World test score| Prevalent malware test score | AV-TEST report| Microsoft analysis| +|---|---|---|---|---| +|January| 100.00%| 99.92%| [Report (Jan-Feb)](https://www.av-test.org/en/antivirus/home-windows/windows-7/february-2018/kaspersky-lab-internet-security-18.0-180557/)| [Analysis (Jan-Feb)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports)| +|February| 100.00% | 100.00%|[Report (Jan-Feb)](https://www.av-test.org/en/antivirus/home-windows/windows-7/february-2018/kaspersky-lab-internet-security-18.0-180557/)| [Analysis (Jan-Feb)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports)| +March |98.00%| 100.00%|[Report (Mar-Apr)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/)|[Analysis (Mar-Apr)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports)| +April|100.00%| 100.00%|[Report (Mar-Apr)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/)|[Analysis (Mar-Apr)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports)| +May|100.00%| 100.00%| [Report (May-Jun)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) |[Analysis (May-Jun)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) **Latest**| +June|100.00%| 100.00%| [Report (May-Jun)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/)|[Analysis (May-Jun)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) **Latest**| + +||| +|---|---| +||| +
+ + + +## AV-Comparatives: Perfect protection rating of 100% in the latest test + +AV-Comparatives is an independent organization offering systematic testing for security software such as PC/Mac-based antivirus products and mobile security solutions. + +The **Real-World Protection Test (Enterprise)** as defined by AV-Comparatives attempts to evaluate the “real-world” protection capabilities with default settings. The goal is to find out whether the security software protects the computer by either hindering the malware from changing any systems or remediating all changes if any were made. + +The **Malware Protection Test Enterprise** as defined by AV-Comparatives attempts to assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. It is only tested every six months. + +The below scores are the results of AV-Comparatives tests on **Windows Defender Antivirus**. The scores represent the percentage of blocked malware. + +|Month (2018)| Real-World test score| Malware test score (every 6 months)| +|---|---|---| +|February| 100.00%| N/A| +|March| 94.40%| 99.90%| +|April| 96.40%| N/A| +|May| 100.00%| N/A| +|June| 99.50%| N/A| +|July| 100.00%| N/A| + +* [Real-World Protection Test (Enterprise) February - June 2018](https://www.av-comparatives.org/tests/real-world-protection-test-february-june-2018/) + +* [Malware Protection Test Enterprise March 2018](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-march-2018-testresult/) + +* [Real-World Protection Test (Enterprise) July 2018](https://www.av-comparatives.org/tests/real-world-protection-test-july-2018-factsheet/) **Latest** + +## To what extent are tests representative of protection in the real world? + +It is important to remember that Microsoft sees a wider and broader set of threats beyond just what’s tested in the AV evaluations highlighted above. The capabilities within [Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports) also provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into AV tests. Using these tests, customer can view one aspect of their security suite but can't assess the complete protection of all the security features. + +There are other technologies in nearly every endpoint security suite not represented in AV tests that address some of the latest and most sophisticated threats. For example, the capabilities such as attack surface reduction and endpoint detection & response help prevent malware from getting onto devices in the first place. + +Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/windowsforbusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports). + + diff --git a/windows/security/threat-protection/intelligence/trojans-malware.md b/windows/security/threat-protection/intelligence/trojans-malware.md new file mode 100644 index 0000000000..f3974e7341 --- /dev/null +++ b/windows/security/threat-protection/intelligence/trojans-malware.md @@ -0,0 +1,42 @@ +--- +title: Trojan malware +description: Learn about how trojans work, deliver malware do your devices, and what you can do to protect yourself. +keywords: security, malware, protection, trojan, download, file, infection +ms.prod: w10 +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +ms.author: ellevin +author: levinec +ms.date: 08/17/2018 +--- + +# Trojans + +Trojans are a common type of malware which, unlike viruses, can’t spread on their own. This means they either have to be downloaded manually or another malware needs to download and install them. + +Trojans often use the same file names as real and legitimate apps. It is easy to accidentally download a trojan thinking that it is a legitimate app. + +## How trojans work + +Trojans can come in many different varieties, but generally they do the following: + +- Download and install other malware, such as viruses or [worms](worms-malware.md). + +- Use the infected device for click fraud. + +- Record keystrokes and websites visited. + +- Send information about the infected device to a malicious hacker including passwords, login details for websites, and browsing history. + +- Give a malicious hacker control over the infected device. + +## How to protect against trojans + +Use the following free Microsoft software to detect and remove it: + +- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows. + +- [Microsoft Safety Scanner](https://www.microsoft.com/wdsi/products/scanner) + +For more general tips, see [prevent malware infection](prevent-malware-infection.md). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md new file mode 100644 index 0000000000..a96d24adc6 --- /dev/null +++ b/windows/security/threat-protection/intelligence/understanding-malware.md @@ -0,0 +1,39 @@ +--- +title: Understanding malware & other threats +description: Learn about the different types of malware, how they work, and what you can do to protect yourself. +keywords: security, malware +ms.prod: w10 +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +ms.author: ellevin +author: levinec +ms.date: 08/17/2018 +--- +# Understanding malware & other threats + +Malware is a term used to describe malicious applications and code that can cause damage and disrupt normal use of devices. Malware can allow unauthorized access, use system resources, steal passwords, lock you out of your computer and ask for ransom, and more. + +Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims. + +As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Windows Defender Advanced Threat Protection (Windows Defender ATP), businesses can stay protected with next-generation protection and other security capabilities. + +For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic. + +There are many types of malware, including: + +- [Coin miners](coinminer-malware.md) +- [Exploits and exploit kits](exploits-malware.md) +- [Macro malware](macro-malware.md) +- [Phishing](phishing.md) +- [Ransomware](ransomware-malware.md) +- [Rootkits](rootkits-malware.md) +- [Supply chain attacks](supply-chain-malware.md) +- [Tech support scams](support-scams.md) +- [Trojans](trojans-malware.md) +- [Unwanted software](unwanted-software.md) +- [Worms](worms-malware.md) + +Keep up with the latest malware news and research. Check out our [Windows security blogs](http://aka.ms/wdsecurityblog) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections. + +Learn more about [Windows security](https://docs.microsoft.com/en-us/windows/security/index). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md new file mode 100644 index 0000000000..bff16819a8 --- /dev/null +++ b/windows/security/threat-protection/intelligence/unwanted-software.md @@ -0,0 +1,60 @@ +--- +title: Unwanted software +description: Learn about how unwanted software changes your default settings without your consent and what you can do to protect yourself. +keywords: security, malware, protection, unwanted, software, alter, infect +ms.prod: w10 +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +ms.author: ellevin +author: levinec +ms.date: 08/17/2018 +--- +# Unwanted software + +Unwanted software are programs that alter the Windows experience without your consent or control. This can take the form of modified browsing experience, lack of control over downloads and installation, misleading messages, or unauthorized changes to Windows settings. + +## How unwanted software works + +Unwanted software can be introduced when a user searches for and downloads applications from the internet. Some applications are software bundlers, which means that they are packed with other applications. As a result, other programs can be inadvertently installed when the original application is downloaded. + +Here are some indications of unwanted software: + +- There are programs that you did not install and that may be difficult to uninstall + +- Browser features or settings have changed, and you can’t view or modify them + +- There are excessive messages about your device's health or about files and programs + +- There are ads that cannot be easily closed + +Some indicators are harder to recognize because they are less disruptive, but are still unwanted. For example, unwanted software can modify web pages to display specific ads, monitor browsing activities, or remove control of the browser. + +Microsoft uses an extensive [evaluation criteria](https://www.microsoft.com/wdsi/antimalware-support/malware-and-unwanted-software-evaluation-criteria) to identify unwanted software. + +## How to protect against unwanted software + +To prevent unwanted software infection, download software only from official websites, or from the Microsoft Store. Be wary of downloading software from third-party sites. + +Use [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) when browsing the internet. Microsoft Edge includes additional protections that effectively block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites hosting unwanted software using [SmartScreen](https://docs.microsoft.com/en-us/microsoft-edge/deploy/index) (also used by Internet Explorer). + +Enable [Windows Defender AV](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software. + +Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista. + +For more general tips, see [prevent malware infection](prevent-malware-infection.md). + +### What should I do if my device is infected? + +If you suspect that you have unwanted software, you can [submit files for analysis](https://www.microsoft.com/wdsi/filesubmission). + +Some unwanted software adds uninstallation entries, which means that you can **remove them using Settings**. +1. Select the Start button +2. Go to **Settings > Apps > Apps & features**. +3. Select the app you want to uninstall, then click **Uninstall**. + +If you only recently noticed symptoms of unwanted software infection, consider sorting the apps by install date, and then uninstall the most recent apps that you did not install. + +You may also need to **remove browser add-ons** in your browsers, such as Internet Explorer, Firefox, or Chrome. + +In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection). diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md new file mode 100644 index 0000000000..fdf32ac7d8 --- /dev/null +++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md @@ -0,0 +1,51 @@ +--- +title: Virus Information Alliance +description: Information and criteria regarding VIA +keywords: security, malware +ms.prod: w10 +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +ms.author: ellevin +author: levinec +ms.date: 07/12/2018 +--- +# Virus Information Alliance + +The Virus Information Alliance (VIA) is a public antimalware collaboration program for security software providers, security service providers, antimalware testing organizations, and other organizations involved in fighting cybercrime. + +Members of the VIA program collaborate by exchanging technical information on malicious software with Microsoft, with the goal of improving protection for Microsoft customers. + +## Better protection for customers against malware + +The VIA program gives members access to information that will help improve protection for Microsoft customers. For example, the program provides malware telemetry and samples to security product teams to identify gaps in their protection and prioritize new threat coverage. + +Malware prevalence data is provided to antimalware testers to assist them in selecting sample sets and setting scoring criteria that represent the real-world threat landscape. Service organizations, such as a CERT, can leverage our data to help assess the impact of policy changes or to help shut down malicious activity. + +Microsoft is committed to continuous improvement to help reduce the impact of malware on customers. By sharing malware-related information, Microsoft enables members of this community to work towards better protection for customers. + +## Becoming a member of VIA + +Microsoft has well-defined, objective, measurable, and tailored membership criteria for prospective members of the Virus Information Alliance (VIA). The criteria is designed to ensure that Microsoft is able to work with security software providers, security service providers, antimalware testing organizations, and other organizations involved in the fight against cybercrime to protect a broad range of customers. + +Members will receive information to facilitate effective malware detection, deterrence, and eradication. This includes technical information on malware as well as metadata on malicious activity. Information shared through VIA is governed by the VIA membership agreement and a Microsoft non-disclosure agreement, where applicable. + +VIA has an open enrollment for potential members. + +### Initial selection criteria + +To be eligible for VIA your organization must: + +1. Be willing to sign a non-disclosure agreement with Microsoft. + +2. Fit into one of the following categories: + * Your organization develops antimalware technology that can run on Windows and your organization’s product is commercially available. + * Your organization provides security services to Microsoft customers or for Microsoft products. + * Your organization publishes antimalware testing reports on a regular basis. + * Your organization has a research or response team dedicated to fighting malware to protect your organization, your customers, or the general public. + +3. Be willing to sign and adhere to the VIA membership agreement. + +If your organization wants to apply and meets this criteria, you can apply using our [membership application form](http://www.microsoft.com/security/portal/partnerships/apply.aspx). + +If you have any questions, you can also contact us using our [partnerships contact form](http://www.microsoft.com/security/portal/partnerships/contactus.aspx). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md new file mode 100644 index 0000000000..d61818ec93 --- /dev/null +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -0,0 +1,57 @@ +--- +title: Microsoft Virus Initiative +description: Information and criteria regarding MVI +keywords: security, malware +ms.prod: w10 +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +ms.author: ellevin +author: levinec +ms.date: 07/12/2018 +--- + +# Microsoft Virus Initiative + +The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with Windows. + +Like the [Virus Information Alliance (VIA)](virus-information-alliance-criteria.md) and the [Coordinated Malware Eradication (CME) program](coordinated-malware-eradication.md), MVI aims to share information about the threat landscape that can help your organization protect its customers. + +MVI members will receive access to Windows APIs (such as those used by Windows Defender Security Center, IOAV, AMSI and Cloud Files), malware telemetry and samples, and invitations to security related events and conferences. + +MVI adds to VIA by requiring members to develop and own antimalware technology, and to be present in the antimalware industry community. + +## Join MVI + +A request for membership is made by an individual as a representative of an organization that develops and produces antimalware or antivirus technology. + +The base criteria for MVI membership are the same as for VIA, but your organization must also offer an antimalware or antivirus product. + +### Initial selection criteria + +Your organization must meet the following eligibility requirements to participate in the MVI program: + +1. Offer an antimalware or antivirus product that is one of the following: + + * Your organization's own creation. + * Licensed from another organization, but your organization adds value such as additional definitions to its signatures. + * Developed by using an SDK (engine and other components) from another MVI Partner AM company and your organization adds a custom UI and/or other functionality (white box versions). + +2. Have your own malware research team unless you distribute a Whitebox product. + +3. Be active and have a positive reputation in the antimalware industry. Your organization is: + + * Certified through independent testing by an industry standard organization such as [ICSA Labs](https://www.icsalabs.com/), [West Coast Labs](http://www.westcoastlabs.com/), [PCSL IT Consulting Institute](https://www.pitci.net/), or [SKD Labs](http://www.skdlabs.com/html/english/). + * Be active in the antimalware industry. For example, participate in industry conferences, be reviewed in an industry standard report such as AV Comparatives, OPSWAT or Gartner. + +4. Be willing to sign a non-disclosure agreement (NDA) with Microsoft. + +5. Be willing to sign a program license agreement. + +6. Be willing to adhere to program requirements for AM apps. These requirements define the behavior of AM apps necessary to ensure proper interaction with Windows. + +7. Submit your AM app to Microsoft for periodic performance testing. + +### Apply to MVI + +If your organization wants to apply and meets this criteria, you can apply using our [membership application form](http://www.microsoft.com/security/portal/partnerships/apply.aspx). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md new file mode 100644 index 0000000000..f1e88eb03c --- /dev/null +++ b/windows/security/threat-protection/intelligence/worms-malware.md @@ -0,0 +1,48 @@ +--- +title: Worms +description: Learn about worms, how they infect devices, and what you can do to protect yourself. +keywords: security, malware, protection, worm, vulnerabilities, infect, steal, Jenxcus, Gamarue, Bondat, WannaCrypt +ms.prod: w10 +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +ms.author: ellevin +author: levinec +ms.date: 08/17/2018 +--- + +# Worms + +A worm is a type of malware that can copy itself and often spreads through a network by exploiting security vulnerabilities. It can spread through email attachments, text messages, file-sharing programs, social networking sites, network shares, removable drives, and software vulnerabilities. + +## How worms work + +Worms represent a large category of malware. Different worms use different methods to infect devices. Depending on the variant, they can steal sensitive information, change security settings, send information to malicious hackers, stop users from accessing files, and other malicious activities. + +Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have consistently remained at the top of the list of malware that infect users running Microsoft security software. Although these worms share some commonalities, it is interesting to note that they also have distinct characteristics. + +* **Jenxcus** has capabilities of not only infecting removable drives but can also act as a backdoor that connects back to its server. This threat typically gets into a device from a drive-by download attack, meaning it's installed when users just visit a compromised web page. + +* **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We’ve seen it distribute other malware such as infostealers, spammers, clickers, downloaders, and rogues. + +* **Bondat** typically arrives through fictitious Nullsoft Sciptable Install System (NSIS) Java installers and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server. + +Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they are doing, they try to avoid detection by security software. + +* [**WannaCrypt**](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/WannaCrypt) also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (e.g. ransomware). + +This image shows how a worm can quickly spread through a shared USB drive. + + + +### *Figure worm spreading from a shared USB drive* + +## How to protect against worms + +Enable [Windows Defender AV](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software. + +Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista. + +In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection). + +For more general tips, see [prevent malware infection](prevent-malware-infection.md). \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md index a21530fb60..5aa52eaa25 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md @@ -19,7 +19,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -The **Minimum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If [Maximum password age](maximum-password-age.md) is between 1 and 999 days, the minimum password age must be less than the maximum password age. If Maximum password age is set to 0, **Minimum password age** can be any value between 0 and 998 days. +The **Minimum password age** policy setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. ### Possible values diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index 5eab19050c..fe09121625 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md @@ -29,6 +29,7 @@ ms.date: 04/30/2018 - System Center Configuration Manager - PowerShell cmdlets - Windows Management Instruction (WMI) +- Mobile Device Management (MDM) @@ -147,6 +148,9 @@ SignatureDefinitionUpdateFileSharesSouce See the following for more information: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) +**Use Mobile Device Management (MDM) to manage the update location:** + +See [Policy CSP - Defender/SignatureUpdateFallbackOrder](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-signatureupdatefallbackorder) for details on configuring MDM. diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md index 4aa2447988..cfa4f029ba 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md @@ -40,16 +40,17 @@ ms.date: 07/10/2018 You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type. -## Quick scan versus full scan +## Quick scan versus full scan and custom scan Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. -Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. +Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md), which reviews files when they are opened and closed, and whenever a user navigates to a folder, a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection. -A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans. +A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans. +A custom scan allows you to specify files or folders to scan, such as a USB drive. **Use the mpcmdrum.exe command-line utility to run a scan:** diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md index 8e4b44e881..20c62b31b9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md @@ -60,7 +60,7 @@ To configure the Group Policy settings described in this topic: Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics. -## Quick scan versus full scan +## Quick scan versus full scan and custom scan When you set up scheduled scans, you can set up whether the scan should be a full or quick scan. @@ -72,6 +72,8 @@ In most instances, this means a quick scan is adequate to find malware that wasn A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-windows-defender-antivirus.md). +A custom scan allows you to specify the files and folders to scan, such as a USB drive. + ## Set up scheduled scans Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans. diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 1d9c033045..123f439d6f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -21,6 +21,7 @@ ### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md) ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md) ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md) +### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md) ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) #### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) #### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 1aec53e4ed..b5fdd41d57 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium author: jsuther1974 -ms.date: 07/16/2018 +ms.date: 08/16/2018 --- # Microsoft recommended block rules @@ -134,7 +134,9 @@ Microsoft recommends that you block the following Microsoft-signed applications
[What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709. +[How to take a screenshot on pc without any app](https://rahulit.com/how-to-take-a-screenshot-on-a-dell-laptop/)