From 9e1239af66d6f8092136a7cb97896c4ad017168b Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 13 Aug 2018 17:07:02 -0700 Subject: [PATCH 1/6] Fixed typo. --- ...windows-event-forwarding-to-assist-in-intrusion-detection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index e42efc4ec8..35ab89b19d 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md 
@@ -108,7 +108,7 @@ Wecutil ss “testSubscription” /cf:Events ### How frequently are WEF events delivered? -Event delivery options are part of the WEF subscription configuration parameters – There are three built-in subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called “Custom” is available but cannot be selected or configured through the WEF UI by using Event Ciewer. The Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector. +Event delivery options are part of the WEF subscription configuration parameters – There are three built-in subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called “Custom” is available but cannot be selected or configured through the WEF UI by using Event Viewer. The Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector. This table outlines the built-in delivery options: From dd78eb3a31924ea6d0dc2dfc6c99c95f9198257b Mon Sep 17 00:00:00 2001 From: tmlyon Date: Fri, 24 Aug 2018 10:22:15 -0700 Subject: [PATCH 2/6] Update hololens-insider.md Updated latest build number --- devices/hololens/hololens-insider.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md index 05e12d5cce..3e8092ebf3 100644 --- a/devices/hololens/hololens-insider.md +++ b/devices/hololens/hololens-insider.md 
@@ -14,7 +14,7 @@ ms.date: 07/27/2018 Welcome to the latest Insider Preview builds for HoloLens! It’s simple to get started and provide valuable feedback for our next major operating system update for HoloLens. ->Latest insider version: 10.0.17720.1000 +>Latest insider version: 10.0.17743.1000 ## How do I install the Insider builds? From bc3ab3a1c0bd2293571b38e9158bb24b09904e3a Mon Sep 17 00:00:00 2001 From: Patti Short <35278231+shortpatti@users.noreply.github.com> Date: Fri, 24 Aug 2018 11:08:20 -0700 Subject: [PATCH 3/6] Revert "Update hololens-insider.md" --- devices/hololens/hololens-insider.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md index 3e8092ebf3..05e12d5cce 100644 --- a/devices/hololens/hololens-insider.md +++ b/devices/hololens/hololens-insider.md @@ -14,7 +14,7 @@ ms.date: 07/27/2018 Welcome to the latest Insider Preview builds for HoloLens! It’s simple to get started and provide valuable feedback for our next major operating system update for HoloLens. ->Latest insider version: 10.0.17743.1000 +>Latest insider version: 10.0.17720.1000 ## How do I install the Insider builds? From 6302ea96169bdcac4d449971d19ded7a01919d7b Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 27 Aug 2018 07:58:05 -0700 Subject: [PATCH 4/6] Added text about PE files. --- .../applocker/working-with-applocker-rules.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md index 4cb0d0390a..8400f6cb17 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md @@ -6,8 +6,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: brianlic-msft -ms.date: 09/21/2017 +author: andreabichsel +msauthor: v-anbic +ms.date: 08/27/2018 --- # Working with AppLocker rules @@ -60,6 +61,8 @@ The AppLocker console is organized into rule collections, which are executable f When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used. The DLL rule collection is not enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#bkmk-dllrulecollections). + +EXE rules apply to portable executable (PE) files. AppLocker checks whether a file is a valid PE file, rather than just applying rules based on file extension, which attackers can easily change. Regardless of the file extension, the AppLocker EXE rule collection will work on a file as long as it is a valid PE file.   ## Rule conditions From 36b16c69c16a30fe4e1c7b8b715bb7ae398da85a Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Mon, 27 Aug 2018 15:19:50 +0000 Subject: [PATCH 5/6] Merged PR 10919: format string so it displays properly --- windows/configuration/guidelines-for-assigned-access-app.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index a032dc458d..eff3c3a789 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md 
@@ -75,7 +75,7 @@ Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh stat > > 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer. >2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18). ->3. Insert the null character string in between each URL (e.g www.bing.comwww.contoso.com). +>3. Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com). >4. Save the XML file. >5. Open the project again in Windows Configuration Designer. >6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed. From 5661799399c8b744c1234bd4b971f8b86194ef3d Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Mon, 27 Aug 2018 21:04:03 +0000 Subject: [PATCH 6/6] Merged PR 10932: System policies in Policy CSP - added 4 new policies --- .../policy-configuration-service-provider.md | 18 +- .../mdm/policy-csp-system.md | 2641 +++++++++-------- 2 files changed, 1460 insertions(+), 1199 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 1184e33d18..aa4a9bb4f1 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/17/2018 +ms.date: 08/24/2018 --- # Policy CSP @@ -3114,6 +3114,9 @@ The following diagram shows the Policy configuration service provider in tree fo
System/AllowBuildPreview
+
+ System/AllowDeviceNameInDiagnosticData +
System/AllowEmbeddedMode
@@ -3138,12 +3141,21 @@ The following diagram shows the Policy configuration service provider in tree fo
System/BootStartDriverInitialization
+
+ System/ConfigureMicrosoft365UploadEndpoint +
System/ConfigureTelemetryOptInChangeNotification
System/ConfigureTelemetryOptInSettingsUx
+
+ System/DisableDeviceDelete +
+
+ System/DisableDiagnosticDataViewer +
System/DisableEnterpriseAuthProxy
@@ -4839,12 +4851,16 @@ The following diagram shows the Policy configuration service provider in tree fo - [Storage/AllowDiskHealthModelUpdates](./policy-csp-storage.md#storage-allowdiskhealthmodelupdates) - [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices) - [System/AllowBuildPreview](./policy-csp-system.md#system-allowbuildpreview) +- [System/AllowDeviceNameInDiagnosticData](./policy-csp-system.md#system-allowdevicenameindiagnosticdata) - [System/AllowFontProviders](./policy-csp-system.md#system-allowfontproviders) - [System/AllowLocation](./policy-csp-system.md#system-allowlocation) - [System/AllowTelemetry](./policy-csp-system.md#system-allowtelemetry) - [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) +- [System/ConfigureMicrosoft365UploadEndpoint](./policy-csp-system.md#system-configuremicrosoft365uploadendpoint) - [System/ConfigureTelemetryOptInChangeNotification](./policy-csp-system.md#system-configuretelemetryoptinchangenotification) - [System/ConfigureTelemetryOptInSettingsUx](./policy-csp-system.md#system-configuretelemetryoptinsettingsux) +- [System/DisableDeviceDelete](./policy-csp-system.md#system-disabledevicedelete) +- [System/DisableDiagnosticDataViewer](./policy-csp-system.md#system-disablediagnosticdataviewer) - [System/DisableEnterpriseAuthProxy](./policy-csp-system.md#system-disableenterpriseauthproxy) - [System/DisableOneDriveFileSync](./policy-csp-system.md#system-disableonedrivefilesync) - [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 63649af40c..77421bcad4 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md 
@@ -1,1198 +1,1443 @@ ---- -title: Policy CSP - System -description: Policy CSP - System -ms.author: maricia -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: MariciaAlforque -ms.date: 07/30/2018 ---- - -# Policy CSP - System - -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - -
- - -## System policies - -
-
- System/AllowBuildPreview -
-
- System/AllowEmbeddedMode -
-
- System/AllowExperimentation -
-
- System/AllowFontProviders -
-
- System/AllowLocation -
-
- System/AllowStorageCard -
-
- System/AllowTelemetry -
-
- System/AllowUserToResetPhone -
-
- System/BootStartDriverInitialization -
-
- System/ConfigureTelemetryOptInChangeNotification -
-
- System/ConfigureTelemetryOptInSettingsUx -
-
- System/DisableEnterpriseAuthProxy -
-
- System/DisableOneDriveFileSync -
-
- System/DisableSystemRestore -
-
- System/FeedbackHubAlwaysSaveDiagnosticsLocally -
-
- System/LimitEnhancedDiagnosticDataWindowsAnalytics -
-
- System/TelemetryProxy -
-
- - -
- - -**System/AllowBuildPreview** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. - - -This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. - -If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable. - - - -ADMX Info: -- GP English name: *Toggle user control over Insider builds* -- GP name: *AllowBuildPreview* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *AllowBuildPreview.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software. -- 1 – Allowed. Users can make their devices available for downloading and installing preview software. -- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software. - - - - -
- - -**System/AllowEmbeddedMode** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Specifies whether set general purpose device to be in embedded mode. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - - - - -
- - -**System/AllowExperimentation** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is not supported in Windows 10, version 1607. - -This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. - - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 – Disabled. -- 1 (default) – Permits Microsoft to configure device settings only. -- 2 – Allows Microsoft to conduct full experimentations. - - - - -
- - -**System/AllowFontProviders** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. - -This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled). - -This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content. - -> [!Note] -> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service. - - - -ADMX Info: -- GP English name: *Enable Font Providers* -- GP name: *EnableFontProviders* -- GP path: *Network/Fonts* -- GP ADMX file name: *GroupPolicy.admx* - - - -The following list shows the supported values: - -- 0 - false - No traffic to fs.microsoft.com and only locally-installed fonts are available. -- 1 - true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them. - - - -To verify if System/AllowFontProviders is set to true: - -- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com. - - - - -
- - -**System/AllowLocation** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Specifies whether to allow app access to the Location service. - - -Most restricted value is 0. - -While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy. - -When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting. - -For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off. - - - -ADMX Info: -- GP English name: *Turn off location* -- GP name: *DisableLocation_2* -- GP path: *Windows Components/Location and Sensors* -- GP ADMX file name: *Sensors.admx* - - - -The following list shows the supported values: - -- 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search. -- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off. -- 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed. - - - - -
- - -**System/AllowStorageCard** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 – SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card. -- 1 (default) – Allow a storage card. - - - - -
- - -**System/AllowTelemetry** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
- - - -Allow the device to send diagnostic and usage telemetry data, such as Watson. - -The following tables describe the supported values: - -Windows 8.1 Values: - -- 0 - Not allowed. -- 1 – Allowed, except for Secondary Data Requests. -- 2 (default) – Allowed. - - - -Windows 10 Values: - -- 0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. - Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. -- 1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level. -- 2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels. -- 3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels. - - - - -> [!IMPORTANT] -> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1. - - -Most restricted value is 0. - - - -ADMX Info: -- GP English name: *Allow Telemetry* -- GP name: *AllowTelemetry* -- GP element: *AllowTelemetry* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - -
- - -**System/AllowUserToResetPhone** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination. - -Most restricted value is 0. - - - -The following list shows the supported values: -orted values: - -- 0 – Not allowed. -- 1 (default) – Allowed to reset to factory default settings. - - - - -
- - -**System/BootStartDriverInitialization** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: -- Good: The driver has been signed and has not been tampered with. -- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. -- Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. -- Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. - -If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. - -If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. - -If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. 
To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Boot-Start Driver Initialization Policy* -- GP name: *POL_DriverLoadPolicy_Name* -- GP path: *System/Early Launch Antimalware* -- GP ADMX file name: *earlylauncham.admx* - - - - -
- - -**System/ConfigureTelemetryOptInChangeNotification** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting determines whether a device shows notifications about telemetry levels to people on first logon or when changes occur in Settings.  -If you set this policy setting to "Disable telemetry change notifications", telemetry level notifications stop appearing. -If you set this policy setting to "Enable telemetry change notifications" or don't configure this policy setting, telemetry notifications appear at first logon and when changes occur in Settings. - - - -ADMX Info: -- GP English name: *Configure telemetry opt-in change notifications.* -- GP name: *ConfigureTelemetryOptInChangeNotification* -- GP element: *ConfigureTelemetryOptInChangeNotification* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - - - - - - - - - - -
- - -**System/ConfigureTelemetryOptInSettingsUx** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting determines whether people can change their own telemetry levels in Settings. This setting should be used in conjunction with the Allow Telemetry settings. - -If you set this policy setting to "Disable Telemetry opt-in Settings", telemetry levels are disabled in Settings, preventing people from changing them. - -If you set this policy setting to "Enable Telemetry opt-in Setings" or don't configure this policy setting, people can change their own telemetry levels in Settings. - -Note: -Set the Allow Telemetry policy setting to prevent people from sending diagnostic data to Microsoft beyond your organization's limit. - - - -ADMX Info: -- GP English name: *Configure telemetry opt-in setting user interface.* -- GP name: *ConfigureTelemetryOptInSettingsUx* -- GP element: *ConfigureTelemetryOptInSettingsUx* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - - - - - - - - - - -
- - -**System/DisableEnterpriseAuthProxy** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. - - - -ADMX Info: -- GP English name: *Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service* -- GP name: *DisableEnterpriseAuthProxy* -- GP element: *DisableEnterpriseAuthProxy* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - -
- - -**System/DisableOneDriveFileSync** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: - -* Users cannot access OneDrive from the OneDrive app or file picker. -* Microsoft Store apps cannot access OneDrive using the WinRT API. -* OneDrive does not appear in the navigation pane in File Explorer. -* OneDrive files are not kept in sync with the cloud. -* Users cannot automatically upload photos and videos from the camera roll folder. - -If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. - - - -ADMX Info: -- GP English name: *Prevent the usage of OneDrive for file storage* -- GP name: *PreventOnedriveFileSync* -- GP path: *Windows Components/OneDrive* -- GP ADMX file name: *SkyDrive.admx* - - - -The following list shows the supported values: - -- 0 (default) – False (sync enabled). -- 1 – True (sync disabled). - - - -To validate on Desktop, do the following: - -1. Enable policy. -2. Restart machine. -3. Verify that OneDrive.exe is not running in Task Manager. - - - - -
- - -**System/DisableSystemRestore** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allows you to disable System Restore. - -This policy setting allows you to turn off System Restore. - -System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. - -If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. - -If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection. - -Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Turn off System Restore* -- GP name: *SR_DisableSR* -- GP path: *System/System Restore* -- GP ADMX file name: *systemrestore.admx* - - - - -
- - -**System/FeedbackHubAlwaysSaveDiagnosticsLocally** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark4check mark4check mark4check mark4check mark4
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Added in Windows 10, version 1803. When filing feedback in the Feedback Hub, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations. - - - -The following list shows the supported values: - -- 0 (default) - False. The Feedback Hub will not always save a local copy of diagnostics that may be created when a feedback is submitted. The user will have the option to do so. -- 1 - True. The Feedback Hub should always save a local copy of diagnostics that may be created when a feedback is submitted. - - - - -
- - -**System/LimitEnhancedDiagnosticDataWindowsAnalytics** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3check mark3check mark3
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting, in combination with the System/AllowTelemetry - policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. - -To enable this behavior you must complete two steps: -
    -
  • Enable this policy setting
  • -
  • Set Allow Telemetry to level 2 (Enhanced)
  • -
- -When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](https://go.microsoft.com/fwlink/?linkid=847594). - -Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. - -If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. - - - -ADMX Info: -- GP English name: *Limit Enhanced diagnostic data to the minimum required by Windows Analytics* -- GP name: *LimitEnhancedDiagnosticDataWindowsAnalytics* -- GP element: *LimitEnhancedDiagnosticDataWindowsAnalytics* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - -
- - -**System/TelemetryProxy** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. - -If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. - - - -ADMX Info: -- GP English name: *Configure Connected User Experiences and Telemetry* -- GP name: *TelemetryProxy* -- GP element: *TelemetryProxyName* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - -
- -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. - - - - - +--- +title: Policy CSP - System +description: Policy CSP - System +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 08/24/2018 +--- + +# Policy CSP - System + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ + +## System policies + +
+
+ System/AllowBuildPreview +
+
+ System/AllowDeviceNameInDiagnosticData +
+
+ System/AllowEmbeddedMode +
+
+ System/AllowExperimentation +
+
+ System/AllowFontProviders +
+
+ System/AllowLocation +
+
+ System/AllowStorageCard +
+
+ System/AllowTelemetry +
+
+ System/AllowUserToResetPhone +
+
+ System/BootStartDriverInitialization +
+
+ System/ConfigureMicrosoft365UploadEndpoint +
+
+ System/ConfigureTelemetryOptInChangeNotification +
+
+ System/ConfigureTelemetryOptInSettingsUx +
+
+ System/DisableDeviceDelete +
+
+ System/DisableDiagnosticDataViewer +
+
+ System/DisableEnterpriseAuthProxy +
+
+ System/DisableOneDriveFileSync +
+
+ System/DisableSystemRestore +
+
+ System/FeedbackHubAlwaysSaveDiagnosticsLocally +
+
+ System/LimitEnhancedDiagnosticDataWindowsAnalytics +
+
+ System/TelemetryProxy +
+
+ + +
+ + +**System/AllowBuildPreview** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +> [!NOTE] +> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. + + +This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. + +If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable. + + + +ADMX Info: +- GP English name: *Toggle user control over Insider builds* +- GP name: *AllowBuildPreview* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *AllowBuildPreview.admx* + + + +The following list shows the supported values: + +- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software. +- 1 – Allowed. Users can make their devices available for downloading and installing preview software. +- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software. + + + + +
+ + +**System/AllowDeviceNameInDiagnosticData** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. + + + +ADMX Info: +- GP English name: *Allow device name to be sent in Windows diagnostic data* +- GP name: *AllowDeviceNameInDiagnosticData* +- GP element: *AllowDeviceNameInDiagnosticData* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
+ + +**System/AllowEmbeddedMode** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Specifies whether set general purpose device to be in embedded mode. + +Most restricted value is 0. + + + +The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + + + + +
+ + +**System/AllowExperimentation** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +> [!NOTE] +> This policy is not supported in Windows 10, version 1607. + +This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. + + +Most restricted value is 0. + + + +The following list shows the supported values: + +- 0 – Disabled. +- 1 (default) – Permits Microsoft to configure device settings only. +- 2 – Allows Microsoft to conduct full experimentations. + + + + +
+ + +**System/AllowFontProviders** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. + +This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled). + +This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content. + +> [!Note] +> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service. + + + +ADMX Info: +- GP English name: *Enable Font Providers* +- GP name: *EnableFontProviders* +- GP path: *Network/Fonts* +- GP ADMX file name: *GroupPolicy.admx* + + + +The following list shows the supported values: + +- 0 - false - No traffic to fs.microsoft.com and only locally-installed fonts are available. +- 1 - true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them. + + + +To verify if System/AllowFontProviders is set to true: + +- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com. + + + + +
+ + +**System/AllowLocation** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Specifies whether to allow app access to the Location service. + + +Most restricted value is 0. + +While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy. + +When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting. + +For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off. + + + +ADMX Info: +- GP English name: *Turn off location* +- GP name: *DisableLocation_2* +- GP path: *Windows Components/Location and Sensors* +- GP ADMX file name: *Sensors.admx* + + + +The following list shows the supported values: + +- 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search. +- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off. +- 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed. + + + + +
+ + +**System/AllowStorageCard** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. + +Most restricted value is 0. + + + +The following list shows the supported values: + +- 0 – SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card. +- 1 (default) – Allow a storage card. + + + + +
+ + +**System/AllowTelemetry** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +Allow the device to send diagnostic and usage telemetry data, such as Watson. + +The following tables describe the supported values: + +Windows 8.1 Values: + +- 0 - Not allowed. +- 1 – Allowed, except for Secondary Data Requests. +- 2 (default) – Allowed. + + + +Windows 10 Values: + +- 0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. + Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. +- 1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level. +- 2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels. +- 3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels. + + + + +> [!IMPORTANT] +> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1. + + +Most restricted value is 0. + + + +ADMX Info: +- GP English name: *Allow Telemetry* +- GP name: *AllowTelemetry* +- GP element: *AllowTelemetry* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + +
+ + +**System/AllowUserToResetPhone** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination. + +Most restricted value is 0. + + + +The following list shows the supported values: +orted values: + +- 0 – Not allowed. +- 1 (default) – Allowed to reset to factory default settings. + + + + +
+ + +**System/BootStartDriverInitialization** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: +- Good: The driver has been signed and has not been tampered with. +- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. +- Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. +- Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. + +If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. + +If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. + +If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. 
To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Boot-Start Driver Initialization Policy* +- GP name: *POL_DriverLoadPolicy_Name* +- GP path: *System/Early Launch Antimalware* +- GP ADMX file name: *earlylauncham.admx* + + + + +
+ + +**System/ConfigureMicrosoft365UploadEndpoint** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy sets the upload endpoint for this device’s diagnostic data as part of the Microsoft 365 Update Readiness program. + +If your organization is participating in the program and has been instructed to configure a custom upload endpoint, then use this setting to define that endpoint. + +The value for this setting will be provided by Microsoft as part of the onboarding process for the program. + +Value type is string. + + +ADMX Info: +- GP English name: *Configure Microsoft 365 Update Readiness upload endpoint* +- GP name: *ConfigureMicrosoft365UploadEndpoint* +- GP element: *ConfigureMicrosoft365UploadEndpoint* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
+ + +**System/ConfigureTelemetryOptInChangeNotification** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines whether a device shows notifications about telemetry levels to people on first logon or when changes occur in Settings.  +If you set this policy setting to "Disable telemetry change notifications", telemetry level notifications stop appearing. +If you set this policy setting to "Enable telemetry change notifications" or don't configure this policy setting, telemetry notifications appear at first logon and when changes occur in Settings. + + + +ADMX Info: +- GP English name: *Configure telemetry opt-in change notifications.* +- GP name: *ConfigureTelemetryOptInChangeNotification* +- GP element: *ConfigureTelemetryOptInChangeNotification* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + +
+ + +**System/ConfigureTelemetryOptInSettingsUx** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines whether people can change their own telemetry levels in Settings. This setting should be used in conjunction with the Allow Telemetry settings. + +If you set this policy setting to "Disable Telemetry opt-in Settings", telemetry levels are disabled in Settings, preventing people from changing them. + +If you set this policy setting to "Enable Telemetry opt-in Setings" or don't configure this policy setting, people can change their own telemetry levels in Settings. + +Note: +Set the Allow Telemetry policy setting to prevent people from sending diagnostic data to Microsoft beyond your organization's limit. + + + +ADMX Info: +- GP English name: *Configure telemetry opt-in setting user interface.* +- GP name: *ConfigureTelemetryOptInSettingsUx* +- GP element: *ConfigureTelemetryOptInSettingsUx* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + +
+ + +**System/DisableDeviceDelete** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting controls whether the Delete diagnostic data button is enabled in Diagnostic & Feedback Settings page. +If you enable this policy setting, the Delete diagnostic data button will be disabled in Settings page, preventing the deletion of diagnostic data collected by Microsoft from the device. +If you disable or don't configure this policy setting, the Delete diagnostic data button will be enabled in Settings page, which allows people to erase all diagnostic data collected by Microsoft from that device. + + + +ADMX Info: +- GP English name: *Disable deleting diagnostic data * +- GP name: *DisableDeviceDelete* +- GP element: *DisableDeviceDelete* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
+ + +**System/DisableDiagnosticDataViewer** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting controls whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. +If you enable this policy setting, the Diagnostic Data Viewer will not be enabled in Settings page, and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device. +If you disable or don't configure this policy setting, the Diagnostic Data Viewer will be enabled in Settings page. + + + +ADMX Info: +- GP English name: *Disable diagnostic data viewer. * +- GP name: *DisableDiagnosticDataViewer* +- GP element: *DisableDiagnosticDataViewer* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
+ + +**System/DisableEnterpriseAuthProxy** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. + + + +ADMX Info: +- GP English name: *Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service* +- GP name: *DisableEnterpriseAuthProxy* +- GP element: *DisableEnterpriseAuthProxy* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + +
+ + +**System/DisableOneDriveFileSync** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: + +* Users cannot access OneDrive from the OneDrive app or file picker. +* Microsoft Store apps cannot access OneDrive using the WinRT API. +* OneDrive does not appear in the navigation pane in File Explorer. +* OneDrive files are not kept in sync with the cloud. +* Users cannot automatically upload photos and videos from the camera roll folder. + +If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. + + + +ADMX Info: +- GP English name: *Prevent the usage of OneDrive for file storage* +- GP name: *PreventOnedriveFileSync* +- GP path: *Windows Components/OneDrive* +- GP ADMX file name: *SkyDrive.admx* + + + +The following list shows the supported values: + +- 0 (default) – False (sync enabled). +- 1 – True (sync disabled). + + + +To validate on Desktop, do the following: + +1. Enable policy. +2. Restart machine. +3. Verify that OneDrive.exe is not running in Task Manager. + + + + +
+ + +**System/DisableSystemRestore** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Allows you to disable System Restore. + +This policy setting allows you to turn off System Restore. + +System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. + +If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. + +If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection. + +Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off System Restore* +- GP name: *SR_DisableSR* +- GP path: *System/System Restore* +- GP ADMX file name: *systemrestore.admx* + + + + +
+ + +**System/FeedbackHubAlwaysSaveDiagnosticsLocally** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark4check mark4check mark4check mark4check mark4
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1803. When filing feedback in the Feedback Hub, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations. + + + +The following list shows the supported values: + +- 0 (default) - False. The Feedback Hub will not always save a local copy of diagnostics that may be created when a feedback is submitted. The user will have the option to do so. +- 1 - True. The Feedback Hub should always save a local copy of diagnostics that may be created when a feedback is submitted. + + + + +
+ + +**System/LimitEnhancedDiagnosticDataWindowsAnalytics** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3check mark3check mark3
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting, in combination with the System/AllowTelemetry + policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. + +To enable this behavior you must complete two steps: +
    +
  • Enable this policy setting
  • +
  • Set Allow Telemetry to level 2 (Enhanced)
  • +
+ +When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](https://go.microsoft.com/fwlink/?linkid=847594). + +Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. + +If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. + + + +ADMX Info: +- GP English name: *Limit Enhanced diagnostic data to the minimum required by Windows Analytics* +- GP name: *LimitEnhancedDiagnosticDataWindowsAnalytics* +- GP element: *LimitEnhancedDiagnosticDataWindowsAnalytics* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + +
+ + +**System/TelemetryProxy** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. + +If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. + + + +ADMX Info: +- GP English name: *Configure Connected User Experiences and Telemetry* +- GP name: *TelemetryProxy* +- GP element: *TelemetryProxyName* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. + + +
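Review bot: In the System/DisableSystemRestore TIP, the sentence "there are a variety of online encoders that you can use" steers administrators toward pasting policy payloads into third-party sites; suggest recommending a local encoding step or the CDATA route the same note already mentions, and changing the CDATA link from http://www.w3.org to https. The same section opens with two sentences that say the same thing ("Allows you to disable System Restore." and "This policy setting allows you to turn off System Restore."); keep one. In System/FeedbackHubAlwaysSaveDiagnosticsLocally, value 0 says the Feedback Hub "will not always save" while value 1 says it "should always save"; use the same verb for both, and state where the local copy is written, since the description says it is meant for internal investigations. In System/TelemetryProxy, the description gives the server:port format without a sample value and does not say whether data that "will remain on the local device" after a proxy failure is retried later; one sentence on each would help. Footnote 5 ("Added in the next major release of Windows 10") names no version and is not referenced by any of the policy tables shown in these lines.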