deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

add networkisolation csp

Browse Source
This commit is contained in:
Aaron Czechowski 2022-12-20 16:22:22 -08:00
parent 2c4ef999a6
commit f538ea853e
1 changed files with 444 additions and 352 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

790
windows/client-management/mdm/policy-csp-networkisolation.md
View File

@ -1,137 +1,185 @@
--- ---
title: Policy CSP - NetworkIsolation title: NetworkIsolation Policy CSP
description: Learn how Policy CSP - NetworkIsolation contains a list of Enterprise resource domains hosted in the cloud that need to be protected. description: Learn more about the NetworkIsolation Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.date: 12/20/2022
ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft ms.topic: reference
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
--- ---
<!-- Auto-Generated CSP Document -->
<!-- NetworkIsolation-Begin -->
# Policy CSP - NetworkIsolation # Policy CSP - NetworkIsolation
<hr/> <!-- NetworkIsolation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- NetworkIsolation-Editable-End -->
<!--Policies--> <!-- EnterpriseCloudResources-Begin -->
## NetworkIsolation policies ## EnterpriseCloudResources
<dl> <!-- EnterpriseCloudResources-Applicability-Begin -->
<dd> | Scope | Editions | Applicable OS |
<a href="#networkisolation-enterprisecloudresources">NetworkIsolation/EnterpriseCloudResources</a> |:--|:--|:--|
</dd> | :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
<dd> <!-- EnterpriseCloudResources-Applicability-End -->
<a href="#networkisolation-enterpriseiprange">NetworkIsolation/EnterpriseIPRange</a>
</dd>
<dd>
<a href="#networkisolation-enterpriseiprangesareauthoritative">NetworkIsolation/EnterpriseIPRangesAreAuthoritative</a>
</dd>
<dd>
<a href="#networkisolation-enterpriseinternalproxyservers">NetworkIsolation/EnterpriseInternalProxyServers</a>
</dd>
<dd>
<a href="#networkisolation-enterprisenetworkdomainnames">NetworkIsolation/EnterpriseNetworkDomainNames</a>
</dd>
<dd>
<a href="#networkisolation-enterpriseproxyservers">NetworkIsolation/EnterpriseProxyServers</a>
</dd>
<dd>
<a href="#networkisolation-enterpriseproxyserversareauthoritative">NetworkIsolation/EnterpriseProxyServersAreAuthoritative</a>
</dd>
<dd>
<a href="#networkisolation-neutralresources">NetworkIsolation/NeutralResources</a>
</dd>
</dl>
<hr/> <!-- EnterpriseCloudResources-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseCloudResources
```
<!-- EnterpriseCloudResources-OmaUri-End -->
<!--Policy--> <!-- EnterpriseCloudResources-Description-Begin -->
<a href="" id="networkisolation-enterprisecloudresources"></a>**NetworkIsolation/EnterpriseCloudResources** <!-- Description-Source-DDF -->
Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the EnterpriseInternalProxyServers policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, `<cloudresource>`|`<cloudresource>`|`<cloudresource>`,`<proxy>`|`<cloudresource>`|`<cloudresource>`,`<proxy>`|.
<!-- EnterpriseCloudResources-Description-End -->
<!--SupportedSKUs--> <!-- EnterpriseCloudResources-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnterpriseCloudResources-Editable-End -->
|Edition|Windows 10|Windows 11| <!-- EnterpriseCloudResources-DFProperties-Begin -->
|--- |--- |--- | **Description framework properties**:
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs--> | Property name | Property value |
<hr/> |:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `|`) |
<!-- EnterpriseCloudResources-DFProperties-End -->
<!--Scope--> <!-- EnterpriseCloudResources-GpMapping-Begin -->
[Scope](./policy-configuration-service-provider.md#policy-scope): **Group policy mapping**:
> [!div class = "checklist"] | Name | Value |
> * Device |:--|:--|
| Name | WF_NetIsolation_EnterpriseCloudResources |
| Friendly Name | Enterprise resource domains hosted in the cloud |
| Element Name | Enterprise cloud resources |
| Location | Computer Configuration |
| Path | Network > Network Isolation |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation |
| ADMX File Name | NetworkIsolation.admx |
<!-- EnterpriseCloudResources-GpMapping-End -->
<hr/> <!-- EnterpriseCloudResources-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnterpriseCloudResources-Examples-End -->
<!--/Scope--> <!-- EnterpriseCloudResources-End -->
<!--Description-->
Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **&lt;*cloudresource*&gt;|&lt;*cloudresource*&gt;|&lt;*cloudresource*&gt;,&lt;*proxy*&gt;|&lt;*cloudresource*&gt;|&lt;*cloudresource*&gt;,&lt;*proxy*&gt;|**.
<!--/Description--> <!-- EnterpriseInternalProxyServers-Begin -->
<!--ADMXMapped--> ## EnterpriseInternalProxyServers
ADMX Info:
- GP Friendly name: *Enterprise resource domains hosted in the cloud*
- GP name: *WF_NetIsolation_EnterpriseCloudResources*
- GP element: *WF_NetIsolation_EnterpriseCloudResourcesBox*
- GP path: *Network/Network Isolation*
- GP ADMX file name: *NetworkIsolation.admx*
<!--/ADMXMapped--> <!-- EnterpriseInternalProxyServers-Applicability-Begin -->
<!--/Policy--> | Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
<!-- EnterpriseInternalProxyServers-Applicability-End -->
<hr/> <!-- EnterpriseInternalProxyServers-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseInternalProxyServers
```
<!-- EnterpriseInternalProxyServers-OmaUri-End -->
<!--Policy--> <!-- EnterpriseInternalProxyServers-Description-Begin -->
<a href="" id="networkisolation-enterpriseiprange"></a>**NetworkIsolation/EnterpriseIPRange** <!-- Description-Source-DDF -->
This is the comma-separated list of internal proxy servers. For example 157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59. These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the EnterpriseCloudResources policy to force traffic to the matched cloud resources through these proxies.
<!-- EnterpriseInternalProxyServers-Description-End -->
<!--SupportedSKUs--> <!-- EnterpriseInternalProxyServers-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnterpriseInternalProxyServers-Editable-End -->
|Edition|Windows 10|Windows 11| <!-- EnterpriseInternalProxyServers-DFProperties-Begin -->
|--- |--- |--- | **Description framework properties**:
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs--> | Property name | Property value |
<hr/> |:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `,`) |
<!-- EnterpriseInternalProxyServers-DFProperties-End -->
<!--Scope--> <!-- EnterpriseInternalProxyServers-GpMapping-Begin -->
[Scope](./policy-configuration-service-provider.md#policy-scope): **Group policy mapping**:
> [!div class = "checklist"] | Name | Value |
> * Device |:--|:--|
| Name | WF_NetIsolation_Intranet_Proxies |
| Friendly Name | Intranet proxy servers for apps |
| Element Name | Type a proxy server IP address for the intranet |
| Location | Computer Configuration |
| Path | Network > Network Isolation |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation |
| ADMX File Name | NetworkIsolation.admx |
<!-- EnterpriseInternalProxyServers-GpMapping-End -->
<hr/> <!-- EnterpriseInternalProxyServers-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnterpriseInternalProxyServers-Examples-End -->
<!--/Scope--> <!-- EnterpriseInternalProxyServers-End -->
<!--Description-->
Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. These ranges are a comma-separated list of IPv4 and IPv6 ranges.
<!--/Description--> <!-- EnterpriseIPRange-Begin -->
<!--ADMXMapped--> ## EnterpriseIPRange
ADMX Info:
- GP Friendly name: *Private network ranges for apps*
- GP name: *WF_NetIsolation_PrivateSubnet*
- GP element: *WF_NetIsolation_PrivateSubnetBox*
- GP path: *Network/Network Isolation*
- GP ADMX file name: *NetworkIsolation.admx*
<!--/ADMXMapped--> <!-- EnterpriseIPRange-Applicability-Begin -->
<!--Example--> | Scope | Editions | Applicable OS |
For example: |:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
<!-- EnterpriseIPRange-Applicability-End -->
<!-- EnterpriseIPRange-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseIPRange
```
<!-- EnterpriseIPRange-OmaUri-End -->
<!-- EnterpriseIPRange-Description-Begin -->
<!-- Description-Source-DDF -->
Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges.
<!-- EnterpriseIPRange-Description-End -->
<!-- EnterpriseIPRange-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnterpriseIPRange-Editable-End -->
<!-- EnterpriseIPRange-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `,`) |
<!-- EnterpriseIPRange-DFProperties-End -->
<!-- EnterpriseIPRange-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | WF_NetIsolation_PrivateSubnet |
| Friendly Name | Private network ranges for apps |
| Element Name | Private subnets |
| Location | Computer Configuration |
| Path | Network > Network Isolation |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation |
| ADMX File Name | NetworkIsolation.admx |
<!-- EnterpriseIPRange-GpMapping-End -->
<!-- EnterpriseIPRange-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
**Example of IP ranges**:
```syntax ```syntax
10.0.0.0-10.255.255.255,157.54.0.0-157.54.255.255, 10.0.0.0-10.255.255.255,157.54.0.0-157.54.255.255,
@ -139,272 +187,316 @@ For example:
2001:4898:dc05::-2001:4898:dc05:ffff:ffff:ffff:ffff:ffff, 2001:4898:dc05::-2001:4898:dc05:ffff:ffff:ffff:ffff:ffff,
2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff, 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
``` ```
<!--/Example--> <!-- EnterpriseIPRange-Examples-End -->
<!--/Policy-->
<hr/> <!-- EnterpriseIPRange-End -->
<!--Policy--> <!-- EnterpriseIPRangesAreAuthoritative-Begin -->
<a href="" id="networkisolation-enterpriseiprangesareauthoritative"></a>**NetworkIsolation/EnterpriseIPRangesAreAuthoritative** ## EnterpriseIPRangesAreAuthoritative
<!--SupportedSKUs--> <!-- EnterpriseIPRangesAreAuthoritative-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
<!-- EnterpriseIPRangesAreAuthoritative-Applicability-End -->
|Edition|Windows 10|Windows 11| <!-- EnterpriseIPRangesAreAuthoritative-OmaUri-Begin -->
|--- |--- |--- | ```Device
|Home|No|No| ./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseIPRangesAreAuthoritative
|Pro|Yes|Yes| ```
|Windows SE|No|Yes| <!-- EnterpriseIPRangesAreAuthoritative-OmaUri-End -->
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs--> <!-- EnterpriseIPRangesAreAuthoritative-Description-Begin -->
<hr/> <!-- Description-Source-ADMX -->
This setting does not apply to desktop apps.
<!--Scope--> Turns off Windows Network Isolation's automatic discovery of private network hosts in the domain corporate environment.
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"] If you enable this policy setting, it turns off Windows Network Isolation's automatic discovery of private network hosts in the domain corporate environment. Only network hosts within the address ranges configured via Group Policy will be classified as private.
> * Device
<hr/> If you disable or do not configure this policy setting, Windows Network Isolation attempts to automatically discover your private network hosts in the domain corporate environment.
<!--/Scope--> For more information see: <https://go.microsoft.com/fwlink/p/?LinkId=234043>
<!--Description--> <!-- EnterpriseIPRangesAreAuthoritative-Description-End -->
Integer value that tells the client to accept the configured list and not to use heuristics to attempt and find other subnets.
<!--/Description--> <!-- EnterpriseIPRangesAreAuthoritative-Editable-Begin -->
<!--ADMXMapped--> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
ADMX Info: <!-- EnterpriseIPRangesAreAuthoritative-Editable-End -->
- GP Friendly name: *Subnet definitions are authoritative*
- GP name: *WF_NetIsolation_Authoritative_Subnet*
- GP path: *Network/Network Isolation*
- GP ADMX file name: *NetworkIsolation.admx*
<!--/ADMXMapped--> <!-- EnterpriseIPRangesAreAuthoritative-DFProperties-Begin -->
<!--/Policy--> **Description framework properties**:
<hr/> | Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- EnterpriseIPRangesAreAuthoritative-DFProperties-End -->
<!--Policy--> <!-- EnterpriseIPRangesAreAuthoritative-AllowedValues-Begin -->
<a href="" id="networkisolation-enterpriseinternalproxyservers"></a>**NetworkIsolation/EnterpriseInternalProxyServers** **Allowed values**:
<!--SupportedSKUs--> | Value | Description |
|:--|:--|
| 1 | Enable |
| 0 (Default) | Disable |
<!-- EnterpriseIPRangesAreAuthoritative-AllowedValues-End -->
|Edition|Windows 10|Windows 11| <!-- EnterpriseIPRangesAreAuthoritative-GpMapping-Begin -->
|--- |--- |--- | **Group policy mapping**:
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs--> | Name | Value |
<hr/> |:--|:--|
| Name | WF_NetIsolation_Authoritative_Subnet |
| Friendly Name | Subnet definitions are authoritative |
| Location | Computer Configuration |
| Path | Network > Network Isolation |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation |
| Registry Value Name | DSubnetsAuthoritive |
| ADMX File Name | NetworkIsolation.admx |
<!-- EnterpriseIPRangesAreAuthoritative-GpMapping-End -->
<!-- EnterpriseIPRangesAreAuthoritative-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnterpriseIPRangesAreAuthoritative-Examples-End -->
<!-- EnterpriseIPRangesAreAuthoritative-End -->
<!-- EnterpriseNetworkDomainNames-Begin -->
## EnterpriseNetworkDomainNames
<!-- EnterpriseNetworkDomainNames-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
<!-- EnterpriseNetworkDomainNames-Applicability-End -->
<!-- EnterpriseNetworkDomainNames-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseNetworkDomainNames
```
<!-- EnterpriseNetworkDomainNames-OmaUri-End -->
<!-- EnterpriseNetworkDomainNames-Description-Begin -->
<!-- Description-Source-DDF -->
This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example contoso. sharepoint. com, Fabrikam. com.
**Note**: The client requires domain name to be canonical, otherwise the setting will be rejected by the client. Here are the steps to create canonical domain names:Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft. COM -> microsoft. com. Call IdnToAscii with IDN_USE_STD3_ASCII_RULES as the flags. Call IdnToUnicode with no flags set (dwFlags = 0).
<!-- EnterpriseNetworkDomainNames-Description-End -->
<!-- EnterpriseNetworkDomainNames-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
For more information, see the following APIs:
<!--Scope--> - [IdnToAscii function (winnls.h)](/windows/win32/api/winnls/nf-winnls-idntoascii)
[Scope](./policy-configuration-service-provider.md#policy-scope): - [IdnToUnicode function (winnls.h)](/windows/win32/api/winnls/nf-winnls-idntounicode)
<!-- EnterpriseNetworkDomainNames-Editable-End -->
<!-- EnterpriseNetworkDomainNames-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `,`) |
<!-- EnterpriseNetworkDomainNames-DFProperties-End -->
<!-- EnterpriseNetworkDomainNames-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnterpriseNetworkDomainNames-Examples-End -->
<!-- EnterpriseNetworkDomainNames-End -->
> [!div class = "checklist"] <!-- EnterpriseProxyServers-Begin -->
> * Device ## EnterpriseProxyServers
<hr/> <!-- EnterpriseProxyServers-Applicability-Begin -->
| Scope | Editions | Applicable OS |
<!--/Scope--> |:--|:--|:--|
<!--Description--> | :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
This list is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They're considered to be enterprise network locations. The proxies are only used in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies. <!-- EnterpriseProxyServers-Applicability-End -->
<!--/Description--> <!-- EnterpriseProxyServers-OmaUri-Begin -->
<!--ADMXMapped--> ```Device
ADMX Info: ./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseProxyServers
- GP Friendly name: *Intranet proxy servers for apps* ```
- GP name: *WF_NetIsolation_Intranet_Proxies* <!-- EnterpriseProxyServers-OmaUri-End -->
- GP element: *WF_NetIsolation_Intranet_ProxiesBox*
- GP path: *Network/Network Isolation* <!-- EnterpriseProxyServers-Description-Begin -->
- GP ADMX file name: *NetworkIsolation.admx* <!-- Description-Source-DDF -->
This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example 157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59.
<!--/ADMXMapped--> <!-- EnterpriseProxyServers-Description-End -->
<!--/Policy-->
<!-- EnterpriseProxyServers-Editable-Begin -->
<hr/> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnterpriseProxyServers-Editable-End -->
<!--Policy-->
<a href="" id="networkisolation-enterprisenetworkdomainnames"></a>**NetworkIsolation/EnterpriseNetworkDomainNames** <!-- EnterpriseProxyServers-DFProperties-Begin -->
**Description framework properties**:
<!--SupportedSKUs-->
| Property name | Property value |
|Edition|Windows 10|Windows 11| |:--|:--|
|--- |--- |--- | | Format | chr (string) |
|Home|No|No| | Access Type | Add, Delete, Get, Replace |
|Pro|Yes|Yes| | Allowed Values | List (Delimiter: `,`) |
|Windows SE|No|Yes| <!-- EnterpriseProxyServers-DFProperties-End -->
|Business|Yes|Yes|
|Enterprise|Yes|Yes| <!-- EnterpriseProxyServers-GpMapping-Begin -->
|Education|Yes|Yes| **Group policy mapping**:
<!--/SupportedSKUs--> | Name | Value |
<hr/> |:--|:--|
| Name | WF_NetIsolation_Domain_Proxies |
<!--Scope--> | Friendly Name | Internet proxy servers for apps |
[Scope](./policy-configuration-service-provider.md#policy-scope): | Element Name | Domain Proxies |
| Location | Computer Configuration |
> [!div class = "checklist"] | Path | Network > Network Isolation |
> * Device | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation |
| ADMX File Name | NetworkIsolation.admx |
<hr/> <!-- EnterpriseProxyServers-GpMapping-End -->
<!--/Scope--> <!-- EnterpriseProxyServers-Examples-Begin -->
<!--Description--> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
This is a list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected. These locations will be considered a safe destination for enterprise data to be shared to. This list is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com". <!-- EnterpriseProxyServers-Examples-End -->
> [!NOTE] <!-- EnterpriseProxyServers-End -->
> The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
<!-- EnterpriseProxyServersAreAuthoritative-Begin -->
Here are the steps to create canonical domain names: ## EnterpriseProxyServersAreAuthoritative
1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -&gt; microsoft.com. <!-- EnterpriseProxyServersAreAuthoritative-Applicability-Begin -->
2. Call [IdnToAscii](/windows/win32/api/winnls/nf-winnls-idntoascii) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. | Scope | Editions | Applicable OS |
3. Call [IdnToUnicode](/windows/win32/api/winnls/nf-winnls-idntounicode) with no flags set (dwFlags = 0). |:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
<!--/Description--> <!-- EnterpriseProxyServersAreAuthoritative-Applicability-End -->
<!--/Policy-->
<!-- EnterpriseProxyServersAreAuthoritative-OmaUri-Begin -->
<hr/> ```Device
./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseProxyServersAreAuthoritative
<!--Policy--> ```
<a href="" id="networkisolation-enterpriseproxyservers"></a>**NetworkIsolation/EnterpriseProxyServers** <!-- EnterpriseProxyServersAreAuthoritative-OmaUri-End -->
<!--SupportedSKUs--> <!-- EnterpriseProxyServersAreAuthoritative-Description-Begin -->
<!-- Description-Source-ADMX -->
|Edition|Windows 10|Windows 11| This setting does not apply to desktop apps.
|--- |--- |--- |
|Home|No|No| Turns off Windows Network Isolation's automatic proxy discovery in the domain corporate environment.
|Pro|Yes|Yes|
|Windows SE|No|Yes| If you enable this policy setting, it turns off Windows Network Isolation's automatic proxy discovery in the domain corporate environment. Only proxies configured with Group Policy are authoritative. This applies to both Internet and intranet proxies.
|Business|Yes|Yes|
|Enterprise|Yes|Yes| If you disable or do not configure this policy setting, Windows Network Isolation attempts to automatically discover your proxy server addresses.
|Education|Yes|Yes|
For more information see: <https://go.microsoft.com/fwlink/p/?LinkId=234043>
<!--/SupportedSKUs--> <!-- EnterpriseProxyServersAreAuthoritative-Description-End -->
<hr/>
<!-- EnterpriseProxyServersAreAuthoritative-Editable-Begin -->
<!--Scope--> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
[Scope](./policy-configuration-service-provider.md#policy-scope): <!-- EnterpriseProxyServersAreAuthoritative-Editable-End -->
> [!div class = "checklist"] <!-- EnterpriseProxyServersAreAuthoritative-DFProperties-Begin -->
> * Device **Description framework properties**:
<hr/> | Property name | Property value |
|:--|:--|
<!--/Scope--> | Format | int |
<!--Description--> | Access Type | Add, Delete, Get, Replace |
This list is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". | Default Value | 0 |
<!-- EnterpriseProxyServersAreAuthoritative-DFProperties-End -->
<!--/Description-->
<!--ADMXMapped--> <!-- EnterpriseProxyServersAreAuthoritative-AllowedValues-Begin -->
ADMX Info: **Allowed values**:
- GP Friendly name: *Internet proxy servers for apps*
- GP name: *WF_NetIsolation_Domain_Proxies* | Value | Description |
- GP element: *WF_NetIsolation_Domain_ProxiesBox* |:--|:--|
- GP path: *Network/Network Isolation* | 1 | Enable |
- GP ADMX file name: *NetworkIsolation.admx* | 0 (Default) | Disable |
<!-- EnterpriseProxyServersAreAuthoritative-AllowedValues-End -->
<!--/ADMXMapped-->
<!--/Policy--> <!-- EnterpriseProxyServersAreAuthoritative-GpMapping-Begin -->
**Group policy mapping**:
<hr/>
| Name | Value |
<!--Policy--> |:--|:--|
<a href="" id="networkisolation-enterpriseproxyserversareauthoritative"></a>**NetworkIsolation/EnterpriseProxyServersAreAuthoritative** | Name | WF_NetIsolation_Authoritative_Proxies |
| Friendly Name | Proxy definitions are authoritative |
<!--SupportedSKUs--> | Location | Computer Configuration |
| Path | Network > Network Isolation |
|Edition|Windows 10|Windows 11| | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation |
|--- |--- |--- | | Registry Value Name | DProxiesAuthoritive |
|Home|No|No| | ADMX File Name | NetworkIsolation.admx |
|Pro|Yes|Yes| <!-- EnterpriseProxyServersAreAuthoritative-GpMapping-End -->
|Windows SE|No|Yes|
|Business|Yes|Yes| <!-- EnterpriseProxyServersAreAuthoritative-Examples-Begin -->
|Enterprise|Yes|Yes| <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
|Education|Yes|Yes| <!-- EnterpriseProxyServersAreAuthoritative-Examples-End -->
<!--/SupportedSKUs--> <!-- EnterpriseProxyServersAreAuthoritative-End -->
<hr/>
<!-- NeutralResources-Begin -->
<!--Scope--> ## NeutralResources
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- NeutralResources-Applicability-Begin -->
> [!div class = "checklist"] | Scope | Editions | Applicable OS |
> * Device |:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
<hr/> <!-- NeutralResources-Applicability-End -->
<!--/Scope--> <!-- NeutralResources-OmaUri-Begin -->
<!--Description--> ```Device
Integer value that tells the client to accept the configured list of proxies and not try to detect other work proxies. ./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/NeutralResources
```
<!--/Description--> <!-- NeutralResources-OmaUri-End -->
<!--ADMXMapped-->
ADMX Info: <!-- NeutralResources-Description-Begin -->
- GP Friendly name: *Proxy definitions are authoritative* <!-- Description-Source-DDF -->
- GP name: *WF_NetIsolation_Authoritative_Proxies* List of domain names that can used for work or personal resource.
- GP path: *Network/Network Isolation* <!-- NeutralResources-Description-End -->
- GP ADMX file name: *NetworkIsolation.admx*
<!-- NeutralResources-Editable-Begin -->
<!--/ADMXMapped--> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!--/Policy--> <!-- NeutralResources-Editable-End -->
<hr/> <!-- NeutralResources-DFProperties-Begin -->
**Description framework properties**:
<!--Policy-->
<a href="" id="networkisolation-neutralresources"></a>**NetworkIsolation/NeutralResources** | Property name | Property value |
|:--|:--|
<!--SupportedSKUs--> | Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
|Edition|Windows 10|Windows 11| | Allowed Values | List (Delimiter: `,`) |
|--- |--- |--- | <!-- NeutralResources-DFProperties-End -->
|Home|No|No|
|Pro|Yes|Yes| <!-- NeutralResources-GpMapping-Begin -->
|Windows SE|No|Yes| **Group policy mapping**:
|Business|Yes|Yes|
|Enterprise|Yes|Yes| | Name | Value |
|Education|Yes|Yes| |:--|:--|
| Name | WF_NetIsolation_NeutralResources |
<!--/SupportedSKUs--> | Friendly Name | Domains categorized as both work and personal |
<hr/> | Element Name | Neutral resources |
| Location | Computer Configuration |
<!--Scope--> | Path | Network > Network Isolation |
[Scope](./policy-configuration-service-provider.md#policy-scope): | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation |
| ADMX File Name | NetworkIsolation.admx |
> [!div class = "checklist"] <!-- NeutralResources-GpMapping-End -->
> * Device
<!-- NeutralResources-Examples-Begin -->
<hr/> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- NeutralResources-Examples-End -->
<!--/Scope-->
<!--Description--> <!-- NeutralResources-End -->
List of domain names that can be used for work or personal resource.
<!-- NetworkIsolation-CspMoreInfo-Begin -->
<!--/Description--> <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!--ADMXMapped--> <!-- NetworkIsolation-CspMoreInfo-End -->
ADMX Info:
- GP Friendly name: *Domains categorized as both work and personal* <!-- NetworkIsolation-End -->
- GP name: *WF_NetIsolation_NeutralResources*
- GP element: *WF_NetIsolation_NeutralResourcesBox* ## Related articles
- GP path: *Network/Network Isolation*
- GP ADMX file name: *NetworkIsolation.admx*
<!--/ADMXMapped-->
<!--/Policy-->
<hr/>
<!--/Policies-->
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md) [Policy configuration service provider](policy-configuration-service-provider.md)