diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 58bb01a6d1..4f14d81f4f 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 02/26/2018
+ms.date: 03/05/2018
---
# Policy CSP
@@ -95,7 +95,7 @@ The following diagram shows the Policy configuration service provider in tree fo
Supported operations are Add, Get, and Delete.
**Policy/ConfigOperations/ADMXInstall**
-
Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed polices for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md).
+
Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md).
> [!NOTE]
> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](https://technet.microsoft.com/en-us/library/cc179097.aspx).
@@ -130,7 +130,7 @@ The following diagram shows the Policy configuration service provider in tree fo
Supported operations are Add and Get. Does not support Delete.
> [!Note]
-> The policies supported in Windows 10 S are the same as those supported in Windows 10 Pro with the exception of the policies under ApplicationDefaults. The ApplicationDefaults polices are not supported in Windows 10 S.
+> The policies supported in Windows 10 S are the same as those supported in Windows 10 Pro with the exception of the policies under ApplicationDefaults. The ApplicationDefaults policies are not supported in Windows 10 S.
## Policies
@@ -3627,6 +3627,775 @@ The following diagram shows the Policy configuration service provider in tree fo
- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications)
- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui)
+## Policies supported by GP
+
+- [AboveLock/AllowCortanaAboveLock](./policy-csp-abovelock.md#abovelock-allowcortanaabovelock)
+- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites)
+- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
+- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)
+- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup)
+- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts)
+- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux)
+- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver)
+- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions)
+- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions)
+- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload)
+- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode)
+- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal)
+- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser)
+- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1)
+- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2)
+- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3)
+- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4)
+- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5)
+- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl)
+- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch)
+- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider)
+- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot)
+- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot)
+- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval)
+- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries)
+- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode)
+- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache)
+- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist)
+- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist)
+- [ApplicationDefaults/DefaultAssociationsConfiguration](./policy-csp-applicationdefaults.md#applicationdefaults-defaultassociationsconfiguration)
+- [ApplicationManagement/AllowAllTrustedApps](./policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
+- [ApplicationManagement/AllowGameDVR](./policy-csp-applicationmanagement.md#applicationmanagement-allowgamedvr)
+- [ApplicationManagement/AllowSharedUserAppData](./policy-csp-applicationmanagement.md#applicationmanagement-allowshareduserappdata)
+- [ApplicationManagement/DisableStoreOriginatedApps](./policy-csp-applicationmanagement.md#applicationmanagement-disablestoreoriginatedapps)
+- [ApplicationManagement/RequirePrivateStoreOnly](./policy-csp-applicationmanagement.md#applicationmanagement-requireprivatestoreonly)
+- [ApplicationManagement/RestrictAppDataToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictappdatatosystemvolume)
+- [ApplicationManagement/RestrictAppToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictapptosystemvolume)
+- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation)
+- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism)
+- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms)
+- [Authentication/AllowSecondaryAuthenticationDevice](./policy-csp-authentication.md#authentication-allowsecondaryauthenticationdevice)
+- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices)
+- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior)
+- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay)
+- [Browser/AllowAddressBarDropdown](./policy-csp-browser.md#browser-allowaddressbardropdown)
+- [Browser/AllowAutofill](./policy-csp-browser.md#browser-allowautofill)
+- [Browser/AllowCookies](./policy-csp-browser.md#browser-allowcookies)
+- [Browser/AllowDeveloperTools](./policy-csp-browser.md#browser-allowdevelopertools)
+- [Browser/AllowDoNotTrack](./policy-csp-browser.md#browser-allowdonottrack)
+- [Browser/AllowExtensions](./policy-csp-browser.md#browser-allowextensions)
+- [Browser/AllowFlash](./policy-csp-browser.md#browser-allowflash)
+- [Browser/AllowFlashClickToRun](./policy-csp-browser.md#browser-allowflashclicktorun)
+- [Browser/AllowInPrivate](./policy-csp-browser.md#browser-allowinprivate)
+- [Browser/AllowMicrosoftCompatibilityList](./policy-csp-browser.md#browser-allowmicrosoftcompatibilitylist)
+- [Browser/AllowPasswordManager](./policy-csp-browser.md#browser-allowpasswordmanager)
+- [Browser/AllowPopups](./policy-csp-browser.md#browser-allowpopups)
+- [Browser/AllowSearchEngineCustomization](./policy-csp-browser.md#browser-allowsearchenginecustomization)
+- [Browser/AllowSearchSuggestionsinAddressBar](./policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](./policy-csp-browser.md#browser-allowsmartscreen)
+- [Browser/AlwaysEnableBooksLibrary](./policy-csp-browser.md#browser-alwaysenablebookslibrary)
+- [Browser/ClearBrowsingDataOnExit](./policy-csp-browser.md#browser-clearbrowsingdataonexit)
+- [Browser/ConfigureAdditionalSearchEngines](./policy-csp-browser.md#browser-configureadditionalsearchengines)
+- [Browser/DisableLockdownOfStartPages](./policy-csp-browser.md#browser-disablelockdownofstartpages)
+- [Browser/EnableExtendedBooksTelemetry](./policy-csp-browser.md#browser-enableextendedbookstelemetry)
+- [Browser/EnterpriseModeSiteList](./policy-csp-browser.md#browser-enterprisemodesitelist)
+- [Browser/HomePages](./policy-csp-browser.md#browser-homepages)
+- [Browser/LockdownFavorites](./policy-csp-browser.md#browser-lockdownfavorites)
+- [Browser/PreventAccessToAboutFlagsInMicrosoftEdge](./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge)
+- [Browser/PreventFirstRunPage](./policy-csp-browser.md#browser-preventfirstrunpage)
+- [Browser/PreventLiveTileDataCollection](./policy-csp-browser.md#browser-preventlivetiledatacollection)
+- [Browser/PreventSmartScreenPromptOverride](./policy-csp-browser.md#browser-preventsmartscreenpromptoverride)
+- [Browser/PreventSmartScreenPromptOverrideForFiles](./policy-csp-browser.md#browser-preventsmartscreenpromptoverrideforfiles)
+- [Browser/PreventUsingLocalHostIPAddressForWebRTC](./policy-csp-browser.md#browser-preventusinglocalhostipaddressforwebrtc)
+- [Browser/ProvisionFavorites](./policy-csp-browser.md#browser-provisionfavorites)
+- [Browser/SendIntranetTraffictoInternetExplorer](./policy-csp-browser.md#browser-sendintranettraffictointernetexplorer)
+- [Browser/SetDefaultSearchEngine](./policy-csp-browser.md#browser-setdefaultsearchengine)
+- [Browser/ShowMessageWhenOpeningSitesInInternetExplorer](./policy-csp-browser.md#browser-showmessagewhenopeningsitesininternetexplorer)
+- [Browser/SyncFavoritesBetweenIEAndMicrosoftEdge](./policy-csp-browser.md#browser-syncfavoritesbetweenieandmicrosoftedge)
+- [Browser/UseSharedFolderForBooks](./policy-csp-browser.md#browser-usesharedfolderforbooks)
+- [Camera/AllowCamera](./policy-csp-camera.md#camera-allowcamera)
+- [Cellular/LetAppsAccessCellularData](./policy-csp-cellular.md#cellular-letappsaccesscellulardata)
+- [Cellular/LetAppsAccessCellularData_ForceAllowTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forceallowtheseapps)
+- [Cellular/LetAppsAccessCellularData_ForceDenyTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forcedenytheseapps)
+- [Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-userincontroloftheseapps)
+- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
+- [Connectivity/AllowCellularDataRoaming](./policy-csp-connectivity.md#connectivity-allowcellulardataroaming)
+- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp)
+- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
+- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
+- [Connectivity/DisallowNetworkConnectivityActiveTests](./policy-csp-connectivity.md#connectivity-disallownetworkconnectivityactivetests)
+- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths)
+- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
+- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
+- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
+- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
+- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
+- [Cryptography/AllowFipsAlgorithmPolicy](./policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
+- [DataUsage/SetCost3G](./policy-csp-datausage.md#datausage-setcost3g)
+- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
+- [Defender/AllowArchiveScanning](./policy-csp-defender.md#defender-allowarchivescanning)
+- [Defender/AllowBehaviorMonitoring](./policy-csp-defender.md#defender-allowbehaviormonitoring)
+- [Defender/AllowCloudProtection](./policy-csp-defender.md#defender-allowcloudprotection)
+- [Defender/AllowEmailScanning](./policy-csp-defender.md#defender-allowemailscanning)
+- [Defender/AllowFullScanOnMappedNetworkDrives](./policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives)
+- [Defender/AllowFullScanRemovableDriveScanning](./policy-csp-defender.md#defender-allowfullscanremovabledrivescanning)
+- [Defender/AllowIOAVProtection](./policy-csp-defender.md#defender-allowioavprotection)
+- [Defender/AllowOnAccessProtection](./policy-csp-defender.md#defender-allowonaccessprotection)
+- [Defender/AllowRealtimeMonitoring](./policy-csp-defender.md#defender-allowrealtimemonitoring)
+- [Defender/AllowScanningNetworkFiles](./policy-csp-defender.md#defender-allowscanningnetworkfiles)
+- [Defender/AllowUserUIAccess](./policy-csp-defender.md#defender-allowuseruiaccess)
+- [Defender/AttackSurfaceReductionOnlyExclusions](./policy-csp-defender.md#defender-attacksurfacereductiononlyexclusions)
+- [Defender/AttackSurfaceReductionRules](./policy-csp-defender.md#defender-attacksurfacereductionrules)
+- [Defender/AvgCPULoadFactor](./policy-csp-defender.md#defender-avgcpuloadfactor)
+- [Defender/CloudBlockLevel](./policy-csp-defender.md#defender-cloudblocklevel)
+- [Defender/CloudExtendedTimeout](./policy-csp-defender.md#defender-cloudextendedtimeout)
+- [Defender/ControlledFolderAccessAllowedApplications](./policy-csp-defender.md#defender-controlledfolderaccessallowedapplications)
+- [Defender/ControlledFolderAccessProtectedFolders](./policy-csp-defender.md#defender-controlledfolderaccessprotectedfolders)
+- [Defender/DaysToRetainCleanedMalware](./policy-csp-defender.md#defender-daystoretaincleanedmalware)
+- [Defender/EnableControlledFolderAccess](./policy-csp-defender.md#defender-enablecontrolledfolderaccess)
+- [Defender/EnableNetworkProtection](./policy-csp-defender.md#defender-enablenetworkprotection)
+- [Defender/ExcludedExtensions](./policy-csp-defender.md#defender-excludedextensions)
+- [Defender/ExcludedPaths](./policy-csp-defender.md#defender-excludedpaths)
+- [Defender/ExcludedProcesses](./policy-csp-defender.md#defender-excludedprocesses)
+- [Defender/RealTimeScanDirection](./policy-csp-defender.md#defender-realtimescandirection)
+- [Defender/ScanParameter](./policy-csp-defender.md#defender-scanparameter)
+- [Defender/ScheduleQuickScanTime](./policy-csp-defender.md#defender-schedulequickscantime)
+- [Defender/ScheduleScanDay](./policy-csp-defender.md#defender-schedulescanday)
+- [Defender/ScheduleScanTime](./policy-csp-defender.md#defender-schedulescantime)
+- [Defender/SignatureUpdateInterval](./policy-csp-defender.md#defender-signatureupdateinterval)
+- [Defender/SubmitSamplesConsent](./policy-csp-defender.md#defender-submitsamplesconsent)
+- [Defender/ThreatSeverityDefaultAction](./policy-csp-defender.md#defender-threatseveritydefaultaction)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](./policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
+- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
+- [DeliveryOptimization/DODownloadMode](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
+- [DeliveryOptimization/DOGroupId](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
+- [DeliveryOptimization/DOGroupIdSource](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
+- [DeliveryOptimization/DOMaxCacheAge](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
+- [DeliveryOptimization/DOMaxUploadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
+- [DeliveryOptimization/DOMinBackgroundQos](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
+- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](./policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](./policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
+- [DeliveryOptimization/DORestrictPeerSelectionBy](./policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
+- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
+- [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity)
+- [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags)
+- [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses)
+- [DeviceLock/MinimumPasswordAge](./policy-csp-devicelock.md#devicelock-minimumpasswordage)
+- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
+- [Display/DisablePerProcessDpiForApps](./policy-csp-display.md#display-disableperprocessdpiforapps)
+- [Display/EnablePerProcessDpi](./policy-csp-display.md#display-enableperprocessdpi)
+- [Display/EnablePerProcessDpiForApps](./policy-csp-display.md#display-enableperprocessdpiforapps)
+- [Display/TurnOffGdiDPIScalingForApps](./policy-csp-display.md#display-turnoffgdidpiscalingforapps)
+- [Display/TurnOnGdiDPIScalingForApps](./policy-csp-display.md#display-turnongdidpiscalingforapps)
+- [Education/PreventAddingNewPrinters](./policy-csp-education.md#education-preventaddingnewprinters)
+- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings)
+- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting)
+- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification)
+- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata)
+- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay)
+- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior)
+- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog)
+- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog)
+- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog)
+- [Experience/AllowCortana](./policy-csp-experience.md#experience-allowcortana)
+- [Experience/AllowFindMyDevice](./policy-csp-experience.md#experience-allowfindmydevice)
+- [Experience/AllowTailoredExperiencesWithDiagnosticData](./policy-csp-experience.md#experience-allowtailoredexperienceswithdiagnosticdata)
+- [Experience/AllowThirdPartySuggestionsInWindowsSpotlight](./policy-csp-experience.md#experience-allowthirdpartysuggestionsinwindowsspotlight)
+- [Experience/AllowWindowsConsumerFeatures](./policy-csp-experience.md#experience-allowwindowsconsumerfeatures)
+- [Experience/AllowWindowsSpotlight](./policy-csp-experience.md#experience-allowwindowsspotlight)
+- [Experience/AllowWindowsSpotlightOnActionCenter](./policy-csp-experience.md#experience-allowwindowsspotlightonactioncenter)
+- [Experience/AllowWindowsSpotlightOnSettings](./policy-csp-experience.md#experience-allowwindowsspotlightonsettings)
+- [Experience/AllowWindowsSpotlightWindowsWelcomeExperience](./policy-csp-experience.md#experience-allowwindowsspotlightwindowswelcomeexperience)
+- [Experience/AllowWindowsTips](./policy-csp-experience.md#experience-allowwindowstips)
+- [Experience/ConfigureWindowsSpotlightOnLockScreen](./policy-csp-experience.md#experience-configurewindowsspotlightonlockscreen)
+- [Experience/DoNotShowFeedbackNotifications](./policy-csp-experience.md#experience-donotshowfeedbacknotifications)
+- [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings)
+- [Handwriting/PanelDefaultModeDocked](./policy-csp-handwriting.md#handwriting-paneldefaultmodedocked)
+- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider)
+- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering)
+- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist)
+- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete)
+- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning)
+- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit)
+- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode)
+- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu)
+- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist)
+- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3)
+- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist)
+- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode)
+- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate)
+- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate)
+- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate)
+- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate)
+- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate)
+- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate)
+- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate)
+- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry)
+- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist)
+- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid)
+- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites)
+- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate)
+- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate)
+- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate)
+- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation)
+- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms)
+- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses)
+- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash)
+- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings)
+- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles)
+- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory)
+- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection)
+- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation)
+- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites)
+- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading)
+- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport)
+- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard)
+- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature)
+- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange)
+- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors)
+- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing)
+- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode)
+- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange)
+- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange)
+- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange)
+- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck)
+- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck)
+- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode)
+- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites)
+- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies)
+- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols)
+- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains)
+- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites)
+- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths)
+- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources)
+- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript)
+- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles)
+- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads)
+- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites)
+- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles)
+- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols)
+- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol)
+- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows)
+- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols)
+- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets)
+- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie)
+- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript)
+- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence)
+- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols)
+- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols)
+- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter)
+- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
+- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows)
+- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing)
+- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode)
+- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver)
+- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions)
+- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe)
+- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions)
+- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes)
+- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode)
+- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles)
+- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker)
+- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources)
+- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads)
+- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites)
+- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets)
+- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie)
+- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence)
+- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions)
+- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes)
+- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources)
+- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads)
+- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites)
+- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets)
+- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie)
+- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence)
+- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions)
+- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads)
+- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets)
+- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie)
+- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions)
+- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads)
+- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets)
+- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie)
+- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions)
+- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions)
+- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions)
+- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses)
+- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses)
+- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses)
+- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter)
+- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols)
+- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses)
+- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols)
+- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses)
+- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses)
+- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting)
+- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors)
+- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript)
+- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles)
+- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles)
+- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh)
+- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets)
+- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie)
+- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript)
+- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter)
+- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
+- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows)
+- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing)
+- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver)
+- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions)
+- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe)
+- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions)
+- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins)
+- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode)
+- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting)
+- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets)
+- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles)
+- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode)
+- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker)
+- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses)
+- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist)
+- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings)
+- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice)
+- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads)
+- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets)
+- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie)
+- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions)
+- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes)
+- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder)
+- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor)
+- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring)
+- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation)
+- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize)
+- [Licensing/AllowWindowsEntitlementReactivation](./policy-csp-licensing.md#licensing-allowwindowsentitlementreactivation)
+- [Licensing/DisallowKMSClientOnlineAVSValidation](./policy-csp-licensing.md#licensing-disallowkmsclientonlineavsvalidation)
+- [LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts)
+- [LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-enableadministratoraccountstatus)
+- [LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-enableguestaccountstatus)
+- [LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly)
+- [LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameadministratoraccount)
+- [LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameguestaccount)
+- [LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowundockwithouthavingtologon)
+- [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia)
+- [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters)
+- [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly)
+- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways)
+- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible)
+- [LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallysignsecurechanneldatawhenpossible)
+- [LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges)
+- [LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-maximummachineaccountpasswordage)
+- [LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-requirestrongsessionkey)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-machineinactivitylimit)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior)
+- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways)
+- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees)
+- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers)
+- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession)
+- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways)
+- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees)
+- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts)
+- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccountsandshares)
+- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictanonymousaccesstonamedpipesandshares)
+- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-donotstorelanmanagerhashvalueonnextpasswordchange)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers)
+- [LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon)
+- [LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile)
+- [LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation)
+- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators)
+- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers)
+- [LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-detectapplicationinstallationsandpromptforelevation)
+- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated)
+- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations)
+- [LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode)
+- [LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation)
+- [LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-useadminapprovalmode)
+- [LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations)
+- [Location/EnableLocation](./policy-csp-location.md#location-enablelocation)
+- [LockDown/AllowEdgeSwipe](./policy-csp-lockdown.md#lockdown-allowedgeswipe)
+- [Maps/EnableOfflineMapsAutoUpdate](./policy-csp-maps.md#maps-enableofflinemapsautoupdate)
+- [Messaging/AllowMessageSync](./policy-csp-messaging.md#messaging-allowmessagesync)
+- [NetworkIsolation/EnterpriseCloudResources](./policy-csp-networkisolation.md#networkisolation-enterprisecloudresources)
+- [NetworkIsolation/EnterpriseIPRange](./policy-csp-networkisolation.md#networkisolation-enterpriseiprange)
+- [NetworkIsolation/EnterpriseIPRangesAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseiprangesareauthoritative)
+- [NetworkIsolation/EnterpriseInternalProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseinternalproxyservers)
+- [NetworkIsolation/EnterpriseProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyservers)
+- [NetworkIsolation/EnterpriseProxyServersAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyserversareauthoritative)
+- [NetworkIsolation/NeutralResources](./policy-csp-networkisolation.md#networkisolation-neutralresources)
+- [Notifications/DisallowNotificationMirroring](./policy-csp-notifications.md#notifications-disallownotificationmirroring)
+- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin)
+- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery)
+- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin)
+- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery)
+- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin)
+- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery)
+- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin)
+- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery)
+- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin)
+- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions)
+- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user)
+- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters)
+- [Privacy/AllowInputPersonalization](./policy-csp-privacy.md#privacy-allowinputpersonalization)
+- [Privacy/DisableAdvertisingId](./policy-csp-privacy.md#privacy-disableadvertisingid)
+- [Privacy/EnableActivityFeed](./policy-csp-privacy.md#privacy-enableactivityfeed)
+- [Privacy/LetAppsAccessAccountInfo](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo)
+- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps)
+- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps)
+- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps)
+- [Privacy/LetAppsAccessCalendar](./policy-csp-privacy.md#privacy-letappsaccesscalendar)
+- [Privacy/LetAppsAccessCalendar_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forceallowtheseapps)
+- [Privacy/LetAppsAccessCalendar_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forcedenytheseapps)
+- [Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-userincontroloftheseapps)
+- [Privacy/LetAppsAccessCallHistory](./policy-csp-privacy.md#privacy-letappsaccesscallhistory)
+- [Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forceallowtheseapps)
+- [Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forcedenytheseapps)
+- [Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-userincontroloftheseapps)
+- [Privacy/LetAppsAccessCamera](./policy-csp-privacy.md#privacy-letappsaccesscamera)
+- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps)
+- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps)
+- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps)
+- [Privacy/LetAppsAccessContacts](./policy-csp-privacy.md#privacy-letappsaccesscontacts)
+- [Privacy/LetAppsAccessContacts_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forceallowtheseapps)
+- [Privacy/LetAppsAccessContacts_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forcedenytheseapps)
+- [Privacy/LetAppsAccessContacts_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-userincontroloftheseapps)
+- [Privacy/LetAppsAccessEmail](./policy-csp-privacy.md#privacy-letappsaccessemail)
+- [Privacy/LetAppsAccessEmail_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forceallowtheseapps)
+- [Privacy/LetAppsAccessEmail_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forcedenytheseapps)
+- [Privacy/LetAppsAccessEmail_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-userincontroloftheseapps)
+- [Privacy/LetAppsAccessLocation](./policy-csp-privacy.md#privacy-letappsaccesslocation)
+- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forceallowtheseapps)
+- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forcedenytheseapps)
+- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-userincontroloftheseapps)
+- [Privacy/LetAppsAccessMessaging](./policy-csp-privacy.md#privacy-letappsaccessmessaging)
+- [Privacy/LetAppsAccessMessaging_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forceallowtheseapps)
+- [Privacy/LetAppsAccessMessaging_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forcedenytheseapps)
+- [Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-userincontroloftheseapps)
+- [Privacy/LetAppsAccessMicrophone](./policy-csp-privacy.md#privacy-letappsaccessmicrophone)
+- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps)
+- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps)
+- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps)
+- [Privacy/LetAppsAccessMotion](./policy-csp-privacy.md#privacy-letappsaccessmotion)
+- [Privacy/LetAppsAccessMotion_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forceallowtheseapps)
+- [Privacy/LetAppsAccessMotion_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forcedenytheseapps)
+- [Privacy/LetAppsAccessMotion_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-userincontroloftheseapps)
+- [Privacy/LetAppsAccessNotifications](./policy-csp-privacy.md#privacy-letappsaccessnotifications)
+- [Privacy/LetAppsAccessNotifications_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forceallowtheseapps)
+- [Privacy/LetAppsAccessNotifications_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forcedenytheseapps)
+- [Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-userincontroloftheseapps)
+- [Privacy/LetAppsAccessPhone](./policy-csp-privacy.md#privacy-letappsaccessphone)
+- [Privacy/LetAppsAccessPhone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forceallowtheseapps)
+- [Privacy/LetAppsAccessPhone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forcedenytheseapps)
+- [Privacy/LetAppsAccessPhone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-userincontroloftheseapps)
+- [Privacy/LetAppsAccessRadios](./policy-csp-privacy.md#privacy-letappsaccessradios)
+- [Privacy/LetAppsAccessRadios_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forceallowtheseapps)
+- [Privacy/LetAppsAccessRadios_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forcedenytheseapps)
+- [Privacy/LetAppsAccessRadios_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-userincontroloftheseapps)
+- [Privacy/LetAppsAccessTasks](./policy-csp-privacy.md#privacy-letappsaccesstasks)
+- [Privacy/LetAppsAccessTasks_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forceallowtheseapps)
+- [Privacy/LetAppsAccessTasks_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forcedenytheseapps)
+- [Privacy/LetAppsAccessTasks_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-userincontroloftheseapps)
+- [Privacy/LetAppsAccessTrustedDevices](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices)
+- [Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forceallowtheseapps)
+- [Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forcedenytheseapps)
+- [Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-userincontroloftheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
+- [Privacy/LetAppsRunInBackground](./policy-csp-privacy.md#privacy-letappsruninbackground)
+- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forceallowtheseapps)
+- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forcedenytheseapps)
+- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-userincontroloftheseapps)
+- [Privacy/LetAppsSyncWithDevices](./policy-csp-privacy.md#privacy-letappssyncwithdevices)
+- [Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forceallowtheseapps)
+- [Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forcedenytheseapps)
+- [Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-userincontroloftheseapps)
+- [Privacy/PublishUserActivities](./policy-csp-privacy.md#privacy-publishuseractivities)
+- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages)
+- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging)
+- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance)
+- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance)
+- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely)
+- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel)
+- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection)
+- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving)
+- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection)
+- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication)
+- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client)
+- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service)
+- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient)
+- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice)
+- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement)
+- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client)
+- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service)
+- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication)
+- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient)
+- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice)
+- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials)
+- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel)
+- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts)
+- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener)
+- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener)
+- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication)
+- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients)
+- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess)
+- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers)
+- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout)
+- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory)
+- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses)
+- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
+- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
+- [Search/AllowCloudSearch](./policy-csp-search.md#search-allowcloudsearch)
+- [Search/AllowCortanaInAAD](./policy-csp-search.md#search-allowcortanainaad)
+- [Search/AllowIndexingEncryptedStoresOrItems](./policy-csp-search.md#search-allowindexingencryptedstoresoritems)
+- [Search/AllowSearchToUseLocation](./policy-csp-search.md#search-allowsearchtouselocation)
+- [Search/AllowUsingDiacritics](./policy-csp-search.md#search-allowusingdiacritics)
+- [Search/AlwaysUseAutoLangDetection](./policy-csp-search.md#search-alwaysuseautolangdetection)
+- [Search/DisableBackoff](./policy-csp-search.md#search-disablebackoff)
+- [Search/DisableRemovableDriveIndexing](./policy-csp-search.md#search-disableremovabledriveindexing)
+- [Search/DoNotUseWebResults](./policy-csp-search.md#search-donotusewebresults)
+- [Search/PreventIndexingLowDiskSpaceMB](./policy-csp-search.md#search-preventindexinglowdiskspacemb)
+- [Search/PreventRemoteQueries](./policy-csp-search.md#search-preventremotequeries)
+- [Security/ClearTPMIfNotReady](./policy-csp-security.md#security-cleartpmifnotready)
+- [Settings/AllowOnlineTips](./policy-csp-settings.md#settings-allowonlinetips)
+- [Settings/ConfigureTaskbarCalendar](./policy-csp-settings.md#settings-configuretaskbarcalendar)
+- [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist)
+- [SmartScreen/EnableAppInstallControl](./policy-csp-smartscreen.md#smartscreen-enableappinstallcontrol)
+- [SmartScreen/EnableSmartScreenInShell](./policy-csp-smartscreen.md#smartscreen-enablesmartscreeninshell)
+- [SmartScreen/PreventOverrideForFilesInShell](./policy-csp-smartscreen.md#smartscreen-preventoverrideforfilesinshell)
+- [Speech/AllowSpeechModelUpdate](./policy-csp-speech.md#speech-allowspeechmodelupdate)
+- [Start/HidePeopleBar](./policy-csp-start.md#start-hidepeoplebar)
+- [Start/HideRecentlyAddedApps](./policy-csp-start.md#start-hiderecentlyaddedapps)
+- [Start/StartLayout](./policy-csp-start.md#start-startlayout)
+- [Storage/AllowDiskHealthModelUpdates](./policy-csp-storage.md#storage-allowdiskhealthmodelupdates)
+- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
+- [System/AllowBuildPreview](./policy-csp-system.md#system-allowbuildpreview)
+- [System/AllowFontProviders](./policy-csp-system.md#system-allowfontproviders)
+- [System/AllowLocation](./policy-csp-system.md#system-allowlocation)
+- [System/AllowTelemetry](./policy-csp-system.md#system-allowtelemetry)
+- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
+- [System/DisableEnterpriseAuthProxy](./policy-csp-system.md#system-disableenterpriseauthproxy)
+- [System/DisableOneDriveFileSync](./policy-csp-system.md#system-disableonedrivefilesync)
+- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
+- [System/LimitEnhancedDiagnosticDataWindowsAnalytics](./policy-csp-system.md#system-limitenhanceddiagnosticdatawindowsanalytics)
+- [System/TelemetryProxy](./policy-csp-system.md#system-telemetryproxy)
+- [SystemServices/ConfigureHomeGroupListenerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegrouplistenerservicestartupmode)
+- [SystemServices/ConfigureHomeGroupProviderServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegroupproviderservicestartupmode)
+- [SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxaccessorymanagementservicestartupmode)
+- [SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxliveauthmanagerservicestartupmode)
+- [SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivegamesaveservicestartupmode)
+- [SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivenetworkingservicestartupmode)
+- [TextInput/AllowLanguageFeaturesUninstall](./policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall)
+- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend)
+- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange)
+- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart)
+- [Update/AllowAutoUpdate](./policy-csp-update.md#update-allowautoupdate)
+- [Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork](./policy-csp-update.md#update-allowautowindowsupdatedownloadovermeterednetwork)
+- [Update/AllowMUUpdateService](./policy-csp-update.md#update-allowmuupdateservice)
+- [Update/AllowUpdateService](./policy-csp-update.md#update-allowupdateservice)
+- [Update/AutoRestartDeadlinePeriodInDays](./policy-csp-update.md#update-autorestartdeadlineperiodindays)
+- [Update/AutoRestartNotificationSchedule](./policy-csp-update.md#update-autorestartnotificationschedule)
+- [Update/AutoRestartRequiredNotificationDismissal](./policy-csp-update.md#update-autorestartrequirednotificationdismissal)
+- [Update/BranchReadinessLevel](./policy-csp-update.md#update-branchreadinesslevel)
+- [Update/DeferFeatureUpdatesPeriodInDays](./policy-csp-update.md#update-deferfeatureupdatesperiodindays)
+- [Update/DeferQualityUpdatesPeriodInDays](./policy-csp-update.md#update-deferqualityupdatesperiodindays)
+- [Update/DeferUpdatePeriod](./policy-csp-update.md#update-deferupdateperiod)
+- [Update/DeferUpgradePeriod](./policy-csp-update.md#update-deferupgradeperiod)
+- [Update/DetectionFrequency](./policy-csp-update.md#update-detectionfrequency)
+- [Update/DisableDualScan](./policy-csp-update.md#update-disabledualscan)
+- [Update/EngagedRestartDeadline](./policy-csp-update.md#update-engagedrestartdeadline)
+- [Update/EngagedRestartSnoozeSchedule](./policy-csp-update.md#update-engagedrestartsnoozeschedule)
+- [Update/EngagedRestartTransitionSchedule](./policy-csp-update.md#update-engagedrestarttransitionschedule)
+- [Update/ExcludeWUDriversInQualityUpdate](./policy-csp-update.md#update-excludewudriversinqualityupdate)
+- [Update/FillEmptyContentUrls](./policy-csp-update.md#update-fillemptycontenturls)
+- [Update/ManagePreviewBuilds](./policy-csp-update.md#update-managepreviewbuilds)
+- [Update/PauseDeferrals](./policy-csp-update.md#update-pausedeferrals)
+- [Update/PauseFeatureUpdates](./policy-csp-update.md#update-pausefeatureupdates)
+- [Update/PauseFeatureUpdatesStartTime](./policy-csp-update.md#update-pausefeatureupdatesstarttime)
+- [Update/PauseQualityUpdates](./policy-csp-update.md#update-pausequalityupdates)
+- [Update/PauseQualityUpdatesStartTime](./policy-csp-update.md#update-pausequalityupdatesstarttime)
+- [Update/RequireDeferUpgrade](./policy-csp-update.md#update-requiredeferupgrade)
+- [Update/ScheduleImminentRestartWarning](./policy-csp-update.md#update-scheduleimminentrestartwarning)
+- [Update/ScheduleRestartWarning](./policy-csp-update.md#update-schedulerestartwarning)
+- [Update/ScheduledInstallDay](./policy-csp-update.md#update-scheduledinstallday)
+- [Update/ScheduledInstallEveryWeek](./policy-csp-update.md#update-scheduledinstalleveryweek)
+- [Update/ScheduledInstallFirstWeek](./policy-csp-update.md#update-scheduledinstallfirstweek)
+- [Update/ScheduledInstallFourthWeek](./policy-csp-update.md#update-scheduledinstallfourthweek)
+- [Update/ScheduledInstallSecondWeek](./policy-csp-update.md#update-scheduledinstallsecondweek)
+- [Update/ScheduledInstallThirdWeek](./policy-csp-update.md#update-scheduledinstallthirdweek)
+- [Update/ScheduledInstallTime](./policy-csp-update.md#update-scheduledinstalltime)
+- [Update/SetAutoRestartNotificationDisable](./policy-csp-update.md#update-setautorestartnotificationdisable)
+- [Update/SetEDURestart](./policy-csp-update.md#update-setedurestart)
+- [Update/UpdateServiceUrl](./policy-csp-update.md#update-updateserviceurl)
+- [Update/UpdateServiceUrlAlternate](./policy-csp-update.md#update-updateserviceurlalternate)
+- [UserRights/AccessCredentialManagerAsTrustedCaller](./policy-csp-userrights.md#userrights-accesscredentialmanagerastrustedcaller)
+- [UserRights/AccessFromNetwork](./policy-csp-userrights.md#userrights-accessfromnetwork)
+- [UserRights/ActAsPartOfTheOperatingSystem](./policy-csp-userrights.md#userrights-actaspartoftheoperatingsystem)
+- [UserRights/AllowLocalLogOn](./policy-csp-userrights.md#userrights-allowlocallogon)
+- [UserRights/BackupFilesAndDirectories](./policy-csp-userrights.md#userrights-backupfilesanddirectories)
+- [UserRights/ChangeSystemTime](./policy-csp-userrights.md#userrights-changesystemtime)
+- [UserRights/CreateGlobalObjects](./policy-csp-userrights.md#userrights-createglobalobjects)
+- [UserRights/CreatePageFile](./policy-csp-userrights.md#userrights-createpagefile)
+- [UserRights/CreatePermanentSharedObjects](./policy-csp-userrights.md#userrights-createpermanentsharedobjects)
+- [UserRights/CreateSymbolicLinks](./policy-csp-userrights.md#userrights-createsymboliclinks)
+- [UserRights/CreateToken](./policy-csp-userrights.md#userrights-createtoken)
+- [UserRights/DebugPrograms](./policy-csp-userrights.md#userrights-debugprograms)
+- [UserRights/DenyAccessFromNetwork](./policy-csp-userrights.md#userrights-denyaccessfromnetwork)
+- [UserRights/DenyLocalLogOn](./policy-csp-userrights.md#userrights-denylocallogon)
+- [UserRights/DenyRemoteDesktopServicesLogOn](./policy-csp-userrights.md#userrights-denyremotedesktopserviceslogon)
+- [UserRights/EnableDelegation](./policy-csp-userrights.md#userrights-enabledelegation)
+- [UserRights/GenerateSecurityAudits](./policy-csp-userrights.md#userrights-generatesecurityaudits)
+- [UserRights/ImpersonateClient](./policy-csp-userrights.md#userrights-impersonateclient)
+- [UserRights/IncreaseSchedulingPriority](./policy-csp-userrights.md#userrights-increaseschedulingpriority)
+- [UserRights/LoadUnloadDeviceDrivers](./policy-csp-userrights.md#userrights-loadunloaddevicedrivers)
+- [UserRights/LockMemory](./policy-csp-userrights.md#userrights-lockmemory)
+- [UserRights/ManageAuditingAndSecurityLog](./policy-csp-userrights.md#userrights-manageauditingandsecuritylog)
+- [UserRights/ManageVolume](./policy-csp-userrights.md#userrights-managevolume)
+- [UserRights/ModifyFirmwareEnvironment](./policy-csp-userrights.md#userrights-modifyfirmwareenvironment)
+- [UserRights/ModifyObjectLabel](./policy-csp-userrights.md#userrights-modifyobjectlabel)
+- [UserRights/ProfileSingleProcess](./policy-csp-userrights.md#userrights-profilesingleprocess)
+- [UserRights/RemoteShutdown](./policy-csp-userrights.md#userrights-remoteshutdown)
+- [UserRights/RestoreFilesAndDirectories](./policy-csp-userrights.md#userrights-restorefilesanddirectories)
+- [UserRights/TakeOwnership](./policy-csp-userrights.md#userrights-takeownership)
+- [Wifi/AllowAutoConnectToWiFiSenseHotspots](./policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots)
+- [Wifi/AllowInternetSharing](./policy-csp-wifi.md#wifi-allowinternetsharing)
+- [WindowsDefenderSecurityCenter/CompanyName](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-companyname)
+- [WindowsDefenderSecurityCenter/DisableAccountProtectionUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableaccountprotectionui)
+- [WindowsDefenderSecurityCenter/DisableAppBrowserUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableappbrowserui)
+- [WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabledevicesecurityui)
+- [WindowsDefenderSecurityCenter/DisableEnhancedNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableenhancednotifications)
+- [WindowsDefenderSecurityCenter/DisableFamilyUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablefamilyui)
+- [WindowsDefenderSecurityCenter/DisableHealthUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablehealthui)
+- [WindowsDefenderSecurityCenter/DisableNetworkUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenetworkui)
+- [WindowsDefenderSecurityCenter/DisableNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenotifications)
+- [WindowsDefenderSecurityCenter/DisableVirusUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablevirusui)
+- [WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disallowexploitprotectionoverride)
+- [WindowsDefenderSecurityCenter/Email](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-email)
+- [WindowsDefenderSecurityCenter/EnableCustomizedToasts](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enablecustomizedtoasts)
+- [WindowsDefenderSecurityCenter/EnableInAppCustomization](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enableinappcustomization)
+- [WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hideransomwaredatarecovery)
+- [WindowsDefenderSecurityCenter/HideSecureBoot](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidesecureboot)
+- [WindowsDefenderSecurityCenter/HideTPMTroubleshooting](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidetpmtroubleshooting)
+- [WindowsDefenderSecurityCenter/Phone](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-phone)
+- [WindowsDefenderSecurityCenter/URL](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-url)
+- [WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace)
+- [WindowsInkWorkspace/AllowWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowwindowsinkworkspace)
+- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications)
+- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui)
+- [WindowsLogon/HideFastUserSwitching](./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching)
+- [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc)
+- [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing)
+
## Policies supported by IoT Core
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index bdcbc5f8c4..d0b77e50dc 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - AboveLock
@@ -127,6 +127,14 @@ The following list shows the supported values:
Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech.
+
+ADMX Info:
+- GP English name: *Allow Cortana above lock screen*
+- GP name: *AllowCortanaAboveLock*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md
index 4bea893b54..925504ac0d 100644
--- a/windows/client-management/mdm/policy-csp-activexcontrols.md
+++ b/windows/client-management/mdm/policy-csp-activexcontrols.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - ActiveXControls
@@ -63,11 +63,11 @@ ms.date: 01/30/2018
-This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL.
+This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL.
-If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL.
+If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL.
-If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation.
+If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation.
Note: Wild card characters cannot be used when specifying the host URLs.
@@ -79,14 +79,14 @@ Note: Wild card characters cannot be used when specifying the host URLs.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Approved Installation Sites for ActiveX Controls*
- GP name: *ApprovedActiveXInstallSites*
- GP path: *Windows Components/ActiveX Installer Service*
- GP ADMX file name: *ActiveXInstallService.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index 0e45ce047c..dba53edc54 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - ApplicationDefaults
@@ -68,6 +68,15 @@ Added in Windows 10, version 1703. This policy allows an administrator to set de
If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
+
+ADMX Info:
+- GP English name: *Set a default associations configuration file*
+- GP name: *DefaultAssociationsConfiguration*
+- GP element: *DefaultAssociationsConfiguration_TextBox*
+- GP path: *File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
To create create the SyncML, follow these steps:
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index 9ee5181bd2..5822ec21c5 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - ApplicationManagement
@@ -98,6 +98,14 @@ Specifies whether non Microsoft Store apps are allowed.
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Allow all trusted apps to install*
+- GP name: *AppxDeploymentAllowAllTrustedApps*
+- GP path: *Windows Components/App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
The following list shows the supported values:
@@ -152,6 +160,14 @@ Specifies whether automatic update of apps from Microsoft Store are allowed.
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Turn off Automatic Download and Install of updates*
+- GP name: *DisableAutoInstall*
+- GP path: *Windows Components/Store*
+- GP ADMX file name: *WindowsStore.admx*
+
+
The following list shows the supported values:
@@ -204,6 +220,14 @@ Specifies whether developer unlock is allowed.
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Allows development of Windows Store apps and installing them from an integrated development environment (IDE)*
+- GP name: *AllowDevelopmentWithoutDevLicense*
+- GP path: *Windows Components/App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
The following list shows the supported values:
@@ -260,6 +284,14 @@ Specifies whether DVR and broadcasting is allowed.
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Enables or disables Windows Game Recording and Broadcasting*
+- GP name: *AllowGameDVR*
+- GP path: *Windows Components/Windows Game Recording and Broadcasting*
+- GP ADMX file name: *GameDVR.admx*
+
+
The following list shows the supported values:
@@ -312,6 +344,14 @@ Specifies whether multiple users of the same app can share data.
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Allow a Windows app to share application data between users*
+- GP name: *AllowSharedLocalAppData*
+- GP path: *Windows Components/App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
The following list shows the supported values:
@@ -479,6 +519,14 @@ Value evaluation rule - The information for PolicyManager is opaque. There is no
Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded.
+
+ADMX Info:
+- GP English name: *Disable all apps from Microsoft Store *
+- GP name: *DisableStoreApps*
+- GP path: *Windows Components/Store*
+- GP ADMX file name: *WindowsStore.admx*
+
+
The following list shows the supported values:
@@ -532,6 +580,14 @@ Allows disabling of the retail catalog and only enables the Private store.
Most restricted value is 1.
+
+ADMX Info:
+- GP English name: *Only display the private store within the Microsoft Store*
+- GP name: *RequirePrivateStoreOnly_1*
+- GP path: *Windows Components/Store*
+- GP ADMX file name: *WindowsStore.admx*
+
+
The following list shows the supported values:
@@ -584,6 +640,14 @@ Specifies whether application data is restricted to the system drive.
Most restricted value is 1.
+
+ADMX Info:
+- GP English name: *Prevent users' app data from being stored on non-system volumes*
+- GP name: *RestrictAppDataToSystemVolume*
+- GP path: *Windows Components/App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
The following list shows the supported values:
@@ -636,6 +700,14 @@ Specifies whether the installation of applications is restricted to the system d
Most restricted value is 1.
+
+ADMX Info:
+- GP English name: *Disable installing Windows apps on non-system volumes*
+- GP name: *DisableDeploymentToNonSystemVolumes*
+- GP path: *Windows Components/App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
index 5ec36f8881..bbb346e93c 100644
--- a/windows/client-management/mdm/policy-csp-appvirtualization.md
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - AppVirtualization
@@ -154,14 +154,14 @@ This policy setting allows you to enable or disable Microsoft Application Virtua
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable App-V Client*
- GP name: *EnableAppV*
- GP path: *System/App-V*
- GP ADMX file name: *appv.admx*
-
+
@@ -212,14 +212,14 @@ Enables Dynamic Virtualization of supported shell extensions, browser helper obj
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable Dynamic Virtualization*
- GP name: *Virtualization_JITVEnable*
- GP path: *System/App-V/Virtualization*
- GP ADMX file name: *appv.admx*
-
+
@@ -270,14 +270,14 @@ Enables automatic cleanup of appv packages that were added after Windows10 anniv
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable automatic cleanup of unused appv packages*
- GP name: *PackageManagement_AutoCleanupEnable*
- GP path: *System/App-V/PackageManagement*
- GP ADMX file name: *appv.admx*
-
+
@@ -328,14 +328,14 @@ Enables scripts defined in the package manifest of configuration files that shou
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable Package Scripts*
- GP name: *Scripting_Enable_Package_Scripts*
- GP path: *System/App-V/Scripting*
- GP ADMX file name: *appv.admx*
-
+
@@ -386,14 +386,14 @@ Enables a UX to display to the user when a publishing refresh is performed on th
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable Publishing Refresh UX*
- GP name: *Enable_Publishing_Refresh_UX*
- GP path: *System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
-
+
@@ -454,14 +454,14 @@ Data Block Size: This value specifies the maximum size in bytes to transmit to t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Reporting Server*
- GP name: *Reporting_Server_Policy*
- GP path: *System/App-V/Reporting*
- GP ADMX file name: *appv.admx*
-
+
@@ -512,14 +512,14 @@ Specifies the file paths relative to %userprofile% that do not roam with a user'
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Roaming File Exclusions*
- GP name: *Integration_Roaming_File_Exclusions*
- GP path: *System/App-V/Integration*
- GP ADMX file name: *appv.admx*
-
+
@@ -570,14 +570,14 @@ Specifies the registry paths that do not roam with a user profile. Example usage
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Roaming Registry Exclusions*
- GP name: *Integration_Roaming_Registry_Exclusions*
- GP path: *System/App-V/Integration*
- GP ADMX file name: *appv.admx*
-
+
@@ -628,14 +628,14 @@ Specifies how new packages should be loaded automatically by App-V on a specific
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify what to load in background (aka AutoLoad)*
- GP name: *Steaming_Autoload*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
+
@@ -686,14 +686,14 @@ Migration mode allows the App-V client to modify shortcuts and FTA's for package
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable Migration Mode*
- GP name: *Client_Coexistence_Enable_Migration_mode*
- GP path: *System/App-V/Client Coexistence*
- GP ADMX file name: *appv.admx*
-
+
@@ -744,14 +744,14 @@ Specifies the location where symbolic links are created to the current version o
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Integration Root User*
- GP name: *Integration_Root_User*
- GP path: *System/App-V/Integration*
- GP ADMX file name: *appv.admx*
-
+
@@ -802,14 +802,14 @@ Specifies the location where symbolic links are created to the current version o
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Integration Root Global*
- GP name: *Integration_Root_Global*
- GP path: *System/App-V/Integration*
- GP ADMX file name: *appv.admx*
-
+
@@ -878,14 +878,14 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Publishing Server 1 Settings*
- GP name: *Publishing_Server1_Policy*
- GP path: *System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
-
+
@@ -954,14 +954,14 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Publishing Server 2 Settings*
- GP name: *Publishing_Server2_Policy*
- GP path: *System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
-
+
@@ -1030,14 +1030,14 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Publishing Server 3 Settings*
- GP name: *Publishing_Server3_Policy*
- GP path: *System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
-
+
@@ -1106,14 +1106,14 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Publishing Server 4 Settings*
- GP name: *Publishing_Server4_Policy*
- GP path: *System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
-
+
@@ -1182,14 +1182,14 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Publishing Server 5 Settings*
- GP name: *Publishing_Server5_Policy*
- GP path: *System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
-
+
@@ -1240,14 +1240,14 @@ Specifies the path to a valid certificate in the certificate store.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Certificate Filter For Client SSL*
- GP name: *Streaming_Certificate_Filter_For_Client_SSL*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
+
@@ -1298,14 +1298,14 @@ This setting controls whether virtualized applications are launched on Windows 8
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection*
- GP name: *Streaming_Allow_High_Cost_Launch*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
+
@@ -1356,14 +1356,14 @@ Specifies the CLSID for a compatible implementation of the IAppvPackageLocationP
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Location Provider*
- GP name: *Streaming_Location_Provider*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
+
@@ -1414,14 +1414,14 @@ Specifies directory where all new applications and updates will be installed.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Package Installation Root*
- GP name: *Streaming_Package_Installation_Root*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
+
@@ -1472,14 +1472,14 @@ Overrides source location for downloading package content.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Package Source Root*
- GP name: *Streaming_Package_Source_Root*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
+
@@ -1530,14 +1530,14 @@ Specifies the number of seconds between attempts to reestablish a dropped sessio
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Reestablishment Interval*
- GP name: *Streaming_Reestablishment_Interval*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
+
@@ -1588,14 +1588,14 @@ Specifies the number of times to retry a dropped session.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Reestablishment Retries*
- GP name: *Streaming_Reestablishment_Retries*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
+
@@ -1646,14 +1646,14 @@ Specifies that streamed package contents will be not be saved to the local hard
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Shared Content Store (SCS) mode*
- GP name: *Streaming_Shared_Content_Store_Mode*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
+
@@ -1704,14 +1704,14 @@ If enabled, the App-V client will support BrancheCache compatible HTTP streaming
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable Support for BranchCache*
- GP name: *Streaming_Support_Branch_Cache*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
+
@@ -1762,14 +1762,14 @@ Verifies Server certificate revocation status before streaming using HTTPS.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Verify certificate revocation list*
- GP name: *Streaming_Verify_Certificate_Revocation_List*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
+
@@ -1820,14 +1820,14 @@ Specifies a list of process paths (may contain wildcards) which are candidates f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Virtual Component Process Allow List*
- GP name: *Virtualization_JITVAllowList*
- GP path: *System/App-V/Virtualization*
- GP ADMX file name: *appv.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md
index 3cd9a8202d..c80e44f614 100644
--- a/windows/client-management/mdm/policy-csp-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - AttachmentManager
@@ -85,14 +85,14 @@ If you do not configure this policy setting, Windows marks file attachments with
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not preserve zone information in file attachments*
- GP name: *AM_MarkZoneOnSavedAtttachments*
- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
-
+
@@ -149,14 +149,14 @@ If you do not configure this policy setting, Windows hides the check box and Unb
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Hide mechanisms to remove zone information*
- GP name: *AM_RemoveZoneInfo*
- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
-
+
@@ -197,7 +197,7 @@ ADMX Info:
-This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
+This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.
@@ -213,14 +213,14 @@ If you do not configure this policy setting, Windows does not call the registere
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Notify antivirus programs when opening attachments*
- GP name: *AM_CallIOfficeAntiVirus*
- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index 881ae7ff19..02a363e078 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Authentication
@@ -286,6 +286,14 @@ Added in Windows 10, version 1607. Allows secondary authentication devices to w
The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD).
+
+ADMX Info:
+- GP English name: *Allow companion device for secondary authentication*
+- GP name: *MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice*
+- GP path: *Windows Components/Microsoft Secondary Authentication Factor*
+- GP ADMX file name: *DeviceCredential.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md
index ea02a39c19..2e2ecaf426 100644
--- a/windows/client-management/mdm/policy-csp-autoplay.md
+++ b/windows/client-management/mdm/policy-csp-autoplay.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Autoplay
@@ -84,14 +84,14 @@ If you disable or do not configure this policy setting, AutoPlay is enabled for
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disallow Autoplay for non-volume devices*
- GP name: *NoAutoplayfornonVolume*
- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
-
+
@@ -156,14 +156,14 @@ If you disable or not configure this policy setting, Windows Vista or later will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Set the default behavior for AutoRun*
- GP name: *NoAutorun*
- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
-
+
@@ -229,14 +229,14 @@ Note: This policy setting appears in both the Computer Configuration and User Co
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off Autoplay*
- GP name: *Autorun*
- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index 762300cba0..22fc158c08 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/31/2018
+ms.date: 03/05/2018
---
# Policy CSP - Browser
@@ -188,6 +188,14 @@ Added in Windows 10, version 1703. Specifies whether to allow the address bar dr
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Allow Address bar drop-down list suggestions*
+- GP name: *AllowAddressBarDropdown*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -241,6 +249,14 @@ Specifies whether autofill on websites is allowed.
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Configure Autofill*
+- GP name: *AllowAutofill*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -366,14 +382,7 @@ The following list shows the supported values:
- 0 - Disable. Microsoft Edge cannot retrieve a configuration
- 1 - Enable (default). Microsoft Edge can retrieve a configuration for Books Library
-
-
-
-
-
-
-
@@ -421,6 +430,15 @@ Specifies whether cookies are allowed.
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Configure cookies*
+- GP name: *Cookies*
+- GP element: *CookiesListBox*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -487,6 +505,14 @@ Specifies whether employees can use F12 Developer Tools on Microsoft Edge. Turni
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Allow Developer Tools*
+- GP name: *AllowDeveloperTools*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -540,6 +566,14 @@ Specifies whether Do Not Track headers are allowed.
Most restricted value is 1.
+
+ADMX Info:
+- GP English name: *Configure Do Not Track*
+- GP name: *AllowDoNotTrack*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -600,6 +634,14 @@ To verify AllowDoNotTrack is set to 0 (not allowed):
Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed.
+
+ADMX Info:
+- GP English name: *Allow Extensions*
+- GP name: *AllowExtensions*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -651,6 +693,14 @@ The following list shows the supported values:
Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge.
+
+ADMX Info:
+- GP English name: *Allow Adobe Flash*
+- GP name: *AllowFlash*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -702,6 +752,14 @@ The following list shows the supported values:
Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash.
+
+ADMX Info:
+- GP English name: *Configure the Adobe Flash Click-to-Run setting*
+- GP name: *AllowFlashClickToRun*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -755,6 +813,14 @@ Specifies whether InPrivate browsing is allowed on corporate networks.
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Allow InPrivate browsing*
+- GP name: *AllowInPrivate*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -811,6 +877,14 @@ If you enable or don’t configure this setting, Microsoft Edge periodically dow
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Allow Microsoft Compatibility List*
+- GP name: *AllowCVList*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -864,6 +938,14 @@ Specifies whether saving and managing passwords locally on the device is allowed
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Configure Password Manager*
+- GP name: *AllowPasswordManager*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -926,6 +1008,14 @@ Specifies whether pop-up blocker is allowed or enabled.
Most restricted value is 1.
+
+ADMX Info:
+- GP English name: *Configure Pop-up Blocker*
+- GP name: *AllowPopups*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -990,6 +1080,14 @@ If this setting is turned on or not configured, users can add new search engines
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Allow search engine customization*
+- GP name: *AllowSearchEngineCustomization*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -1043,6 +1141,14 @@ Specifies whether search suggestions are allowed in the address bar.
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Configure search suggestions in Address bar*
+- GP name: *AllowSearchSuggestionsinAddressBar*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -1096,6 +1202,14 @@ Specifies whether Windows Defender SmartScreen is allowed.
Most restricted value is 1.
+
+ADMX Info:
+- GP English name: *Configure Windows Defender SmartScreen*
+- GP name: *AllowSmartScreen*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -1156,6 +1270,14 @@ To verify AllowSmartScreen is set to 0 (not allowed):
Added in Windows 10, next majot update. Always show the Books Library in Microsoft Edge
+
+ADMX Info:
+- GP English name: *Always show the Books Library in Microsoft Edge*
+- GP name: *AlwaysEnableBooksLibrary*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -1209,6 +1331,14 @@ Added in Windows 10, version 1703. Specifies whether to clear browsing data on e
Most restricted value is 1.
+
+ADMX Info:
+- GP English name: *Allow clearing browsing data on exit*
+- GP name: *AllowClearingBrowsingDataOnExit*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -1279,6 +1409,15 @@ If this setting is not configured, the search engines used are the ones that are
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Configure additional search engines*
+- GP name: *ConfigureAdditionalSearchEngines*
+- GP element: *ConfigureAdditionalSearchEngines_Prompt*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -1338,6 +1477,14 @@ Added in Windows 10, version 1703. Boolean value that specifies whether the lock
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Disable lockdown of Start pages*
+- GP name: *DisableLockdownOfStartPages*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -1391,6 +1538,14 @@ This policy setting lets you decide how much data to send to Microsoft about the
If you enable this setting, Microsoft Edge sends additional diagnostic data, on top of the basic diagnostic data, from the Books tab. If you disable or don't configure this setting, Microsoft Edge only sends basic diagnostic data, depending on your device configuration.
+
+ADMX Info:
+- GP English name: *Allow extended telemetry for the Books tab*
+- GP name: *EnableExtendedBooksTelemetry*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -1446,6 +1601,15 @@ The following list shows the supported values:
Allows the user to specify an URL of an enterprise site list.
+
+ADMX Info:
+- GP English name: *Configure the Enterprise Mode Site List*
+- GP name: *EnterpriseModeSiteList*
+- GP element: *EnterSiteListPrompt*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -1604,6 +1768,15 @@ Starting in Windows 10, version 1703, if you don’t want to send traffic to Mi
> Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings.
+
+ADMX Info:
+- GP English name: *Configure Start pages*
+- GP name: *HomePages*
+- GP element: *HomePagesPrompt*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
@@ -1657,6 +1830,14 @@ If you disable or don't configure this setting (default), employees can add, imp
Data type is integer.
+
+ADMX Info:
+- GP English name: *Prevent changes to Favorites on Microsoft Edge*
+- GP name: *LockdownFavorites*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -1708,6 +1889,14 @@ The following list shows the supported values:
Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features.
+
+ADMX Info:
+- GP English name: *Prevent access to the about:flags page in Microsoft Edge*
+- GP name: *PreventAccessToAboutFlagsInMicrosoftEdge*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -1761,6 +1950,14 @@ Added in Windows 10, version 1703. Specifies whether to enable or disable the Fi
Most restricted value is 1.
+
+ADMX Info:
+- GP English name: *Prevent the First Run webpage from opening on Microsoft Edge*
+- GP name: *PreventFirstRunPage*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -1814,6 +2011,14 @@ Added in Windows 10, version 1703. Specifies whether Microsoft can collect infor
Most restricted value is 1.
+
+ADMX Info:
+- GP English name: *Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start*
+- GP name: *PreventLiveTileDataCollection*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -1867,6 +2072,14 @@ Specifies whether users can override the Windows Defender SmartScreen Filter war
Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site.
+
+ADMX Info:
+- GP English name: *Prevent bypassing Windows Defender SmartScreen prompts for sites*
+- GP name: *PreventSmartScreenPromptOverride*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -1918,6 +2131,14 @@ The following list shows the supported values:
Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process.
+
+ADMX Info:
+- GP English name: *Prevent bypassing Windows Defender SmartScreen prompts for files*
+- GP name: *PreventSmartScreenPromptOverrideForFiles*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -1973,6 +2194,14 @@ The following list shows the supported values:
Specifies whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. Turning this setting on hides an user’s localhost IP address while making phone calls using WebRTC. Turning this setting off, or not configuring it, shows an user’s localhost IP address while making phone calls using WebRTC.
+
+ADMX Info:
+- GP English name: *Prevent using Localhost IP address for WebRTC*
+- GP name: *HideLocalHostIPAddress*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -2037,6 +2266,15 @@ If you disable or don't configure this setting, employees will see the favorites
Data type is string.
+
+ADMX Info:
+- GP English name: *Provision Favorites*
+- GP name: *ConfiguredFavorites*
+- GP element: *ConfiguredFavoritesPrompt*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
@@ -2087,6 +2325,14 @@ Specifies whether to send intranet traffic over to Internet Explorer.
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Send all intranet sites to Internet Explorer 11*
+- GP name: *SendIntranetTraffictoInternetExplorer*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -2148,6 +2394,15 @@ If this setting is not configured, the default search engine is set to the one s
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Set default search engine*
+- GP name: *SetDefaultSearchEngine*
+- GP element: *SetDefaultSearchEngine_Prompt*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -2205,6 +2460,14 @@ Added in Windows 10, version 1607. Specifies whether users should see a full in
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Show message when opening sites in Internet Explorer*
+- GP name: *ShowMessageWhenOpeningSitesInInternetExplorer*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -2261,6 +2524,14 @@ Added in Windows 10, version 1703. Specifies whether favorites are kept in sync
> Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices.
+
+ADMX Info:
+- GP English name: *Keep favorites in sync between Internet Explorer and Microsoft Edge*
+- GP name: *SyncFavoritesBetweenIEAndMicrosoftEdge*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -2322,6 +2593,14 @@ To verify that favorites are in synchronized between Internet Explorer and Micro
This setting specifies whether organizations should use a folder shared across users to store books from the Books Library.
+
+ADMX Info:
+- GP English name: *Allow a shared Books folder*
+- GP name: *UseSharedFolderForBooks*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md
index 635f9d4118..02a242ec12 100644
--- a/windows/client-management/mdm/policy-csp-camera.md
+++ b/windows/client-management/mdm/policy-csp-camera.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Camera
@@ -68,6 +68,14 @@ Disables or enables the camera.
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Allow Use of Camera*
+- GP name: *L_AllowCamera*
+- GP path: *Windows Components/Camera*
+- GP ADMX file name: *Camera.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md
index 0a1606c00c..5b9aa0d665 100644
--- a/windows/client-management/mdm/policy-csp-cellular.md
+++ b/windows/client-management/mdm/policy-csp-cellular.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Cellular
@@ -90,6 +90,13 @@ If you disable or do not configure this policy setting, employees in your organi
If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.”
+
+ADMX Info:
+- GP name: *LetAppsAccessCellularData*
+- GP element: *LetAppsAccessCellularData_Enum*
+- GP ADMX file name: *wwansvc.admx*
+
+
The following list shows the supported values:
@@ -141,6 +148,13 @@ The following list shows the supported values:
Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string.
+
+ADMX Info:
+- GP name: *LetAppsAccessCellularData*
+- GP element: *LetAppsAccessCellularData_ForceAllowTheseApps_List*
+- GP ADMX file name: *wwansvc.admx*
+
+
@@ -184,6 +198,13 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N
Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string.
+
+ADMX Info:
+- GP name: *LetAppsAccessCellularData*
+- GP element: *LetAppsAccessCellularData_ForceDenyTheseApps_List*
+- GP ADMX file name: *wwansvc.admx*
+
+
@@ -227,6 +248,13 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N
Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string.
+
+ADMX Info:
+- GP name: *LetAppsAccessCellularData*
+- GP element: *LetAppsAccessCellularData_UserInControlOfTheseApps_List*
+- GP ADMX file name: *wwansvc.admx*
+
+
@@ -270,13 +298,7 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N
This policy setting configures the visibility of the link to the per-application cellular access control page in the cellular setting UX.
If this policy setting is enabled, a drop-down list box presenting possible values will be active. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page.
-
-If this policy setting is disabled or is not configured, the link to the per-application cellular access control page is showed by default.”
-
-Supported values:
-
-- 0 - Hide
-- 1 - Show
+If this policy setting is disabled or is not configured, the link to the per-application cellular access control page is showed by default.
> [!TIP]
@@ -286,14 +308,14 @@ Supported values:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Set Per-App Cellular Access UI Visibility*
- GP name: *ShowAppCellularAccessUI*
- GP path: *Network/WWAN Service/WWAN UI Settings*
- GP ADMX file name: *wwansvc.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index df9e662f31..249cc6cac3 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Connectivity
@@ -216,6 +216,14 @@ Allows or disallows cellular data roaming on the device. Device reboot is not re
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Prohibit connection to roaming Mobile Broadband networks*
+- GP name: *WCM_DisableRoaming*
+- GP path: *Network/Windows Connection Manager*
+- GP ADMX file name: *WCM.admx*
+
+
The following list shows the supported values:
@@ -545,6 +553,17 @@ The following list shows the supported values:
+This policy setting specifies whether to allow printing over HTTP from this client.
+
+Printing over HTTP allows a client to print to printers on the intranet as well as the Internet.
+
+Note: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP.
+
+If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP.
+
+If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP.
+
+Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers.
> [!TIP]
@@ -554,14 +573,14 @@ The following list shows the supported values:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off printing over HTTP*
- GP name: *DisableHTTPPrinting_2*
- GP path: *Internet Communication settings*
- GP ADMX file name: *ICM.admx*
-
+
@@ -602,6 +621,15 @@ ADMX Info:
+This policy setting specifies whether to allow this client to download print driver packages over HTTP.
+
+To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP.
+
+Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally.
+
+If you enable this policy setting, print drivers cannot be downloaded over HTTP.
+
+If you disable or do not configure this policy setting, users can download print drivers over HTTP.
> [!TIP]
@@ -611,14 +639,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off downloading of print drivers over HTTP*
- GP name: *DisableWebPnPDownload_2*
- GP path: *Internet Communication settings*
- GP ADMX file name: *ICM.admx*
-
+
@@ -659,6 +687,15 @@ ADMX Info:
+This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards.
+
+These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry.
+
+If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed.
+
+If you disable or do not configure this policy setting, a list of providers are downloaded when the user uses the web publishing or online ordering wizards.
+
+See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry.
> [!TIP]
@@ -668,14 +705,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off Internet download for Web publishing and online ordering wizards*
- GP name: *ShellPreventWPWDownload_2*
- GP path: *Internet Communication settings*
- GP ADMX file name: *ICM.admx*
-
+
@@ -721,6 +758,14 @@ Added in Windows 10, version 1703. Network Connection Status Indicator (NCSI) de
Value type is integer.
+
+ADMX Info:
+- GP English name: *Turn off Windows Network Connectivity Status Indicator active tests*
+- GP name: *NoActiveProbe*
+- GP path: *Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
@@ -773,14 +818,14 @@ If you enable this policy, Windows only allows access to the specified UNC paths
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Hardened UNC Paths*
- GP name: *Pol_HardenedPaths*
- GP path: *Network/Network Provider*
- GP ADMX file name: *networkprovider.admx*
-
+
@@ -821,6 +866,13 @@ ADMX Info:
+Determines whether a user can install and configure the Network Bridge.
+
+Important: This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply.
+
+The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segements together. This connection appears in the Network Connections folder.
+
+If you disable this setting or do not configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an existing Network Bridge from the user's computer.
> [!TIP]
@@ -830,14 +882,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prohibit installation and configuration of Network Bridge on your DNS domain network*
- GP name: *NC_AllowNetBridge_NLA*
- GP path: *Network/Network Connections*
- GP ADMX file name: *NetworkConnections.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md
index 8994842055..039a57e0fb 100644
--- a/windows/client-management/mdm/policy-csp-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-credentialproviders.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - CredentialProviders
@@ -87,14 +87,14 @@ To configure Windows Hello for Business, use the Administrative Template policie
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on convenience PIN sign-in*
- GP name: *AllowDomainPINLogon*
- GP path: *System/Logon*
- GP ADMX file name: *credentialproviders.admx*
-
+
@@ -137,7 +137,7 @@ ADMX Info:
This policy setting allows you to control whether a domain user can sign in using a picture password.
-If you enable this policy setting, a domain user can't set up or sign in with a picture password.
+If you enable this policy setting, a domain user can't set up or sign in with a picture password.
If you disable or don't configure this policy setting, a domain user can set up and use a picture password.
@@ -151,14 +151,14 @@ Note that the user's domain password will be cached in the system vault when usi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off picture password sign-in*
- GP name: *BlockDomainPicturePassword*
- GP path: *System/Logon*
- GP ADMX file name: *credentialproviders.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
index 869f016e13..ec0f9a0c5e 100644
--- a/windows/client-management/mdm/policy-csp-credentialsui.md
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - CredentialsUI
@@ -85,14 +85,14 @@ The policy applies to all Windows components and applications that use the Windo
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not display the password reveal button*
- GP name: *DisablePasswordReveal*
- GP path: *Windows Components/Credential User Interface*
- GP ADMX file name: *credui.admx*
-
+
@@ -147,14 +147,14 @@ If you disable this policy setting, users will always be required to type a user
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enumerate administrator accounts on elevation*
- GP name: *EnumerateAdministrators*
- GP path: *Windows Components/Credential User Interface*
- GP ADMX file name: *credui.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index 81023d5fdd..b2360eb40b 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Cryptography
@@ -69,6 +69,12 @@ ms.date: 01/30/2018
Allows or disallows the Federal Information Processing Standard (FIPS) policy.
+
+GP Info:
+- GP English name: *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md
index 9d64360b36..2aa9b34cd0 100644
--- a/windows/client-management/mdm/policy-csp-datausage.md
+++ b/windows/client-management/mdm/policy-csp-datausage.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - DataUsage
@@ -70,9 +70,9 @@ This policy setting configures the cost of 3G connections on the local machine.
If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine:
-- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
+- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
-- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
+- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
- Variable: This connection is costed on a per byte basis.
@@ -86,14 +86,14 @@ If this policy setting is disabled or is not configured, the cost of 3G connecti
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Set 3G Cost*
- GP name: *SetCost3G*
- GP path: *Network/WWAN Service/WWAN Media Cost*
- GP ADMX file name: *wwansvc.admx*
-
+
@@ -134,13 +134,13 @@ ADMX Info:
-This policy setting configures the cost of 4G connections on the local machine.
+This policy setting configures the cost of 4G connections on the local machine.
If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine:
-- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
+- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
-- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
+- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
- Variable: This connection is costed on a per byte basis.
@@ -154,14 +154,14 @@ If this policy setting is disabled or is not configured, the cost of 4G connecti
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Set 4G Cost*
- GP name: *SetCost4G*
- GP path: *Network/WWAN Service/WWAN Media Cost*
- GP ADMX file name: *wwansvc.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 6dcfb31902..74091500ca 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Defender
@@ -172,6 +172,14 @@ ms.date: 01/30/2018
Allows or disallows scanning of archives.
+
+ADMX Info:
+- GP English name: *Scan archive files*
+- GP name: *Scan_DisableArchiveScanning*
+- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
@@ -226,6 +234,14 @@ The following list shows the supported values:
Allows or disallows Windows Defender Behavior Monitoring functionality.
+
+ADMX Info:
+- GP English name: *Turn on behavior monitoring*
+- GP name: *RealtimeProtection_DisableBehaviorMonitoring*
+- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
@@ -280,6 +296,15 @@ The following list shows the supported values:
To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions.
+
+ADMX Info:
+- GP English name: *Join Microsoft MAPS*
+- GP name: *SpynetReporting*
+- GP element: *SpynetReporting*
+- GP path: *Windows Components/Windows Defender Antivirus/MAPS*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
@@ -334,6 +359,14 @@ The following list shows the supported values:
Allows or disallows scanning of email.
+
+ADMX Info:
+- GP English name: *Turn on e-mail scanning*
+- GP name: *Scan_DisableEmailScanning*
+- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
@@ -388,6 +421,14 @@ The following list shows the supported values:
Allows or disallows a full scan of mapped network drives.
+
+ADMX Info:
+- GP English name: *Run full scan on mapped network drives*
+- GP name: *Scan_DisableScanningMappedNetworkDrivesForFullScan*
+- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
@@ -442,6 +483,14 @@ The following list shows the supported values:
Allows or disallows a full scan of removable drives.
+
+ADMX Info:
+- GP English name: *Scan removable drives*
+- GP name: *Scan_DisableRemovableDriveScanning*
+- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
@@ -496,6 +545,14 @@ The following list shows the supported values:
Allows or disallows Windows Defender IOAVP Protection functionality.
+
+ADMX Info:
+- GP English name: *Scan all downloaded files and attachments*
+- GP name: *RealtimeProtection_DisableIOAVProtection*
+- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
@@ -604,6 +661,14 @@ The following list shows the supported values:
Allows or disallows Windows Defender On Access Protection functionality.
+
+ADMX Info:
+- GP English name: *Monitor file and program activity on your computer*
+- GP name: *RealtimeProtection_DisableOnAccessProtection*
+- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
@@ -658,6 +723,14 @@ The following list shows the supported values:
Allows or disallows Windows Defender Realtime Monitoring functionality.
+
+ADMX Info:
+- GP English name: *Turn off real-time protection*
+- GP name: *DisableRealtimeMonitoring*
+- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
@@ -712,6 +785,14 @@ The following list shows the supported values:
Allows or disallows a scanning of network files.
+
+ADMX Info:
+- GP English name: *Scan network files*
+- GP name: *Scan_DisableScanningNetworkFiles*
+- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
@@ -820,6 +901,14 @@ The following list shows the supported values:
Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed.
+
+ADMX Info:
+- GP English name: *Enable headless UI mode*
+- GP name: *UX_Configuration_UILockdown*
+- GP path: *Windows Components/Windows Defender Antivirus/Client Interface*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
@@ -876,6 +965,15 @@ Added in Windows 10, version 1709. This policy setting allows you to prevent Att
Value type is string.
+
+ADMX Info:
+- GP English name: *Exclude files and paths from Attack Surface Reduction Rules*
+- GP name: *ExploitGuard_ASR_ASROnlyExclusions*
+- GP element: *ExploitGuard_ASR_ASROnlyExclusions*
+- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
@@ -927,6 +1025,15 @@ For more information about ASR rule ID and status ID, see [Enable Attack Surface
Value type is string.
+
+ADMX Info:
+- GP English name: *Configure Attack Surface Reduction rules*
+- GP name: *ExploitGuard_ASR_Rules*
+- GP element: *ExploitGuard_ASR_Rules*
+- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
@@ -977,6 +1084,15 @@ Represents the average CPU load factor for the Windows Defender scan (in percent
The default value is 50.
+
+ADMX Info:
+- GP English name: *Specify the maximum percentage of CPU utilization during a scan*
+- GP name: *Scan_AvgCPULoadFactor*
+- GP element: *Scan_AvgCPULoadFactor*
+- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
Valid values: 0–100
@@ -1035,6 +1151,15 @@ For more information about specific values that are supported, see the Windows D
> This feature requires the "Join Microsoft MAPS" setting enabled in order to function.
+
+ADMX Info:
+- GP English name: *Select cloud protection level*
+- GP name: *MpEngine_MpCloudBlockLevel*
+- GP element: *MpCloudBlockLevel*
+- GP path: *Windows Components/Windows Defender Antivirus/MpEngine*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
@@ -1097,6 +1222,15 @@ For example, if the desired timeout is 60 seconds, specify 50 seconds in this se
> This feature depends on three other MAPS settings the must all be enabled- "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required".
+
+ADMX Info:
+- GP English name: *Configure extended cloud check*
+- GP name: *MpEngine_MpBafsExtendedTimeout*
+- GP element: *MpBafsExtendedTimeout*
+- GP path: *Windows Components/Windows Defender Antivirus/MpEngine*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
@@ -1143,6 +1277,15 @@ For example, if the desired timeout is 60 seconds, specify 50 seconds in this se
Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
+
+ADMX Info:
+- GP English name: *Configure allowed applications*
+- GP name: *ExploitGuard_ControlledFolderAccess_AllowedApplications*
+- GP element: *ExploitGuard_ControlledFolderAccess_AllowedApplications*
+- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
@@ -1189,6 +1332,15 @@ Added in Windows 10, version 1709. This policy setting allows user-specified app
Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator.
+
+ADMX Info:
+- GP English name: *Configure protected folders*
+- GP name: *ExploitGuard_ControlledFolderAccess_ProtectedFolders*
+- GP element: *ExploitGuard_ControlledFolderAccess_ProtectedFolders*
+- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
@@ -1239,6 +1391,15 @@ Time period (in days) that quarantine items will be stored on the system.
The default value is 0, which keeps items in quarantine, and does not automatically remove them.
+
+ADMX Info:
+- GP English name: *Configure removal of items from Quarantine folder*
+- GP name: *Quarantine_PurgeItemsAfterDelay*
+- GP element: *Quarantine_PurgeItemsAfterDelay*
+- GP path: *Windows Components/Windows Defender Antivirus/Quarantine*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
Valid values: 0–90
@@ -1289,6 +1450,15 @@ Valid values: 0–90
Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2.
+
+ADMX Info:
+- GP English name: *Configure Controlled folder access*
+- GP name: *ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess*
+- GP element: *ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess*
+- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
@@ -1349,6 +1519,15 @@ If you disable this policy, users/apps will not be blocked from connecting to da
If you do not configure this policy, network blocking will be disabled by default.
+
+ADMX Info:
+- GP English name: *Prevent users and apps from accessing dangerous websites*
+- GP name: *ExploitGuard_EnableNetworkProtection*
+- GP element: *ExploitGuard_EnableNetworkProtection*
+- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Network Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
@@ -1404,6 +1583,15 @@ The following list shows the supported values:
Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj".
+
+ADMX Info:
+- GP English name: *Path Exclusions*
+- GP name: *Exclusions_Paths*
+- GP element: *Exclusions_PathsList*
+- GP path: *Windows Components/Windows Defender Antivirus/Exclusions*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
@@ -1451,6 +1639,15 @@ Allows an administrator to specify a list of file type extensions to ignore duri
Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1".
+
+ADMX Info:
+- GP English name: *Extension Exclusions*
+- GP name: *Exclusions_Extensions*
+- GP element: *Exclusions_ExtensionsList*
+- GP path: *Windows Components/Windows Defender Antivirus/Exclusions*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
@@ -1504,6 +1701,15 @@ Allows an administrator to specify a list of files opened by processes to ignore
Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe".
+
+ADMX Info:
+- GP English name: *Process Exclusions*
+- GP name: *Exclusions_Processes*
+- GP element: *Exclusions_ProcessesList*
+- GP path: *Windows Components/Windows Defender Antivirus/Exclusions*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
@@ -1609,6 +1815,15 @@ Controls which sets of files should be monitored.
> If **AllowOnAccessProtection** is not allowed, then this configuration can be used to monitor specific files.
+
+ADMX Info:
+- GP English name: *Configure monitoring for incoming and outgoing file and program activity*
+- GP name: *RealtimeProtection_RealtimeScanDirection*
+- GP element: *RealtimeProtection_RealtimeScanDirection*
+- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
@@ -1664,6 +1879,15 @@ The following list shows the supported values:
Selects whether to perform a quick scan or full scan.
+
+ADMX Info:
+- GP English name: *Specify the scan type to use for a scheduled scan*
+- GP name: *Scan_ScanParameters*
+- GP element: *Scan_ScanParameters*
+- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
@@ -1727,6 +1951,15 @@ For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, an
The default value is 120
+
+ADMX Info:
+- GP English name: *Specify the time for a daily quick scan*
+- GP name: *Scan_ScheduleQuickScantime*
+- GP element: *Scan_ScheduleQuickScantime*
+- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
Valid values: 0–1380
@@ -1781,6 +2014,15 @@ Selects the day that the Windows Defender scan should run.
> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting.
+
+ADMX Info:
+- GP English name: *Specify the day of the week to run a scheduled scan*
+- GP name: *Scan_ScheduleDay*
+- GP element: *Scan_ScheduleDay*
+- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
@@ -1851,6 +2093,15 @@ For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, an
The default value is 120.
+
+ADMX Info:
+- GP English name: *Specify the time of day to run a scheduled scan*
+- GP name: *Scan_ScheduleTime*
+- GP element: *Scan_ScheduleTime*
+- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
Valid values: 0–1380.
@@ -1907,6 +2158,15 @@ A value of 0 means no check for new signatures, a value of 1 means to check ever
The default value is 8.
+
+ADMX Info:
+- GP English name: *Specify the interval to check for definition updates*
+- GP name: *SignatureUpdate_SignatureUpdateInterval*
+- GP element: *SignatureUpdate_SignatureUpdateInterval*
+- GP path: *Windows Components/Windows Defender Antivirus/Signature Updates*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
Valid values: 0–24.
@@ -1958,6 +2218,15 @@ Valid values: 0–24.
Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not, (and if the user has specified never to ask), the UI is launched to ask for user consent (when **Defender/AllowCloudProtection** is allowed) before sending data.
+
+ADMX Info:
+- GP English name: *Send file samples when further analysis is required*
+- GP name: *SubmitSamplesConsent*
+- GP element: *SubmitSamplesConsent*
+- GP path: *Windows Components/Windows Defender Antivirus/MAPS*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
@@ -2032,6 +2301,15 @@ The following list shows the supported values for possible actions:
- 10 – Block
+
+ADMX Info:
+- GP English name: *Specify threat alert levels at which default action should not be taken when detected*
+- GP name: *Threats_ThreatSeverityDefaultAction*
+- GP element: *Threats_ThreatSeverityDefaultActionList*
+- GP path: *Windows Components/Windows Defender Antivirus/Threats*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index 94134afb5a..2dda85153c 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - DeliveryOptimization
@@ -143,6 +143,15 @@ Added in Windows 10, version 1607. Specifies the maximum size in GB of Delivery
The default value is 10.
+
+ADMX Info:
+- GP English name: *Absolute Max Cache Size (in GB)*
+- GP name: *AbsoluteMaxCacheSize*
+- GP element: *AbsoluteMaxCacheSize*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
@@ -190,6 +199,15 @@ The default value is 10.
Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
+
+ADMX Info:
+- GP English name: *Enable Peer Caching while the device connects via VPN*
+- GP name: *AllowVPNPeerCaching*
+- GP element: *AllowVPNPeerCaching*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
The following list shows the supported values:
@@ -242,6 +260,15 @@ Added in Windows 10, version 1803. This policy allows you to delay the use of an
After the max delay is reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from peers. Note that a download that is waiting for peer sources, will appear to be stuck for the end user. The recommended value is 1 hour (3600).
+
+ADMX Info:
+- GP English name: *Delay background download from http (in secs)*
+- GP name: *DelayBackgroundDownloadFromHttp*
+- GP element: *DelayBackgroundDownloadFromHttp*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
@@ -291,6 +318,15 @@ Note that a download that is waiting for peer sources, will appear to be stuck f
The recommended value is 1 minute (60).
+
+ADMX Info:
+- GP English name: *Delay Foreground download from http (in secs)*
+- GP name: *DelayForegroundDownloadFromHttp*
+- GP element: *DelayForegroundDownloadFromHttp*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
The following list shows the supported values as number of seconds:
@@ -346,6 +382,15 @@ The following list shows the supported values as number of seconds:
Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates.
+
+ADMX Info:
+- GP English name: *Download Mode*
+- GP name: *DownloadMode*
+- GP element: *DownloadMode*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
The following list shows the supported values:
@@ -407,6 +452,15 @@ This Policy specifies an arbitrary group ID that the device belongs to. Use this
> You must use a GUID as the group ID.
+
+ADMX Info:
+- GP English name: *Group ID*
+- GP name: *GroupId*
+- GP element: *GroupId*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
@@ -458,6 +512,15 @@ The options set in this policy only apply to Group (2) download mode. If Group (
For option 4 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID.
+
+ADMX Info:
+- GP English name: *Select the source of Group IDs*
+- GP name: *GroupIdSource*
+- GP element: *GroupIdSource*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
The following list shows the supported values:
@@ -516,6 +579,15 @@ Specifies the maximum time in seconds that each file is held in the Delivery Opt
The default value is 259200 seconds (3 days).
+
+ADMX Info:
+- GP English name: *Max Cache Age (in seconds)*
+- GP name: *MaxCacheAge*
+- GP element: *MaxCacheAge*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
@@ -565,6 +637,15 @@ Specifies the maximum cache size that Delivery Optimization can utilize, as a pe
The default value is 20.
+
+ADMX Info:
+- GP English name: *Max Cache Size (percentage)*
+- GP name: *MaxCacheSize*
+- GP element: *MaxCacheSize*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
@@ -614,6 +695,15 @@ Added in Windows 10, version 1607. Specifies the maximum download bandwidth in
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
+
+ADMX Info:
+- GP English name: *Maximum Download Bandwidth (in KB/s)*
+- GP name: *MaxDownloadBandwidth*
+- GP element: *MaxDownloadBandwidth*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
@@ -663,6 +753,15 @@ Specifies the maximum upload bandwidth in KiloBytes/second that a device will us
The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth).
+
+ADMX Info:
+- GP English name: *Max Upload Bandwidth (in KB/s)*
+- GP name: *MaxUploadBandwidth*
+- GP element: *MaxUploadBandwidth*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
@@ -712,6 +811,15 @@ Added in Windows 10, version 1607. Specifies the minimum download QoS (Quality
The default value is 500.
+
+ADMX Info:
+- GP English name: *Minimum Background QoS (in KB/s)*
+- GP name: *MinBackgroundQos*
+- GP element: *MinBackgroundQos*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
@@ -760,6 +868,15 @@ Added in Windows 10, version 1703. Specifies any value between 1 and 100 (in pe
The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used.
+
+ADMX Info:
+- GP English name: *Allow uploads while the device is on battery while under set Battery level (percentage)*
+- GP name: *MinBatteryPercentageAllowedToUpload*
+- GP element: *MinBatteryPercentageAllowedToUpload*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
@@ -812,6 +929,15 @@ Added in Windows 10, version 1703. Specifies the required minimum disk size (cap
The default value is 32 GB.
+
+ADMX Info:
+- GP English name: *Minimum disk size allowed to use Peer Caching (in GB)*
+- GP name: *MinDiskSizeAllowedToPeer*
+- GP element: *MinDiskSizeAllowedToPeer*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
@@ -861,6 +987,15 @@ Added in Windows 10, version 1703. Specifies the minimum content file size in MB
The default value is 100 MB.
+
+ADMX Info:
+- GP English name: *Minimum Peer Caching Content File Size (in MB)*
+- GP name: *MinFileSizeToCache*
+- GP element: *MinFileSizeToCache*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
@@ -910,6 +1045,15 @@ Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required
The default value is 4 GB.
+
+ADMX Info:
+- GP English name: *Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB)*
+- GP name: *MinRAMAllowedToPeer*
+- GP element: *MinRAMAllowedToPeer*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
@@ -959,6 +1103,15 @@ Added in Windows 10, version 1607. Specifies the drive that Delivery Optimizati
By default, %SystemDrive% is used to store the cache.
+
+ADMX Info:
+- GP English name: *Modify Cache Drive*
+- GP name: *ModifyCacheDrive*
+- GP element: *ModifyCacheDrive*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
@@ -1010,6 +1163,15 @@ The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is
The default value is 20.
+
+ADMX Info:
+- GP English name: *Monthly Upload Data Cap (in GB)*
+- GP name: *MonthlyUploadDataCap*
+- GP element: *MonthlyUploadDataCap*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
@@ -1157,6 +1319,15 @@ Options available are: 1=Subnet mask (more options will be added in a future rel
Option 1 (Subnet mask) applies to both Download Mode LAN (1) and Group (2).
+
+ADMX Info:
+- GP English name: *Select a method to restrict Peer Selection*
+- GP name: *RestrictPeerSelectionBy*
+- GP element: *RestrictPeerSelectionBy*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
The following list shows the supported values:
@@ -1203,19 +1374,32 @@ The following list shows the supported values:
-Added in Windows 10, version 1803. Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
-
-Note that downloads from LAN peers will not be throttled even when this policy is set.
+Added in Windows 10, version 1803. Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
This policy allows an IT Admin to define the following:
- Business hours range (for example 06:00 to 18:00)
-- % of throttle for foreground traffic during business hours
-- % of throttle for foreground traffic outside of business hours
+- % of throttle for background traffic during business hours
+- % of throttle for background traffic outside of business hours
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set Business Hours to Limit Background Download Bandwidth*
+- GP name: *SetHoursToLimitBackgroundDownloadBandwidth*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
@@ -1256,9 +1440,7 @@ This policy allows an IT Admin to define the following:
-Added in Windows 10, version 1803. Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
-
-Note that downloads from LAN peers will not be throttled even when this policy is set.
+Added in Windows 10, version 1803. Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
@@ -1269,6 +1451,21 @@ This policy allows an IT Admin to define the following:
- % of throttle for foreground traffic outside of business hours
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set Business Hours to Limit Foreground Download Bandwidth*
+- GP name: *SetHoursToLimitForegroundDownloadBandwidth*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md
index 56fcae51f5..2957bd78f7 100644
--- a/windows/client-management/mdm/policy-csp-desktop.md
+++ b/windows/client-management/mdm/policy-csp-desktop.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Desktop
@@ -77,14 +77,14 @@ If you enable this setting, users are unable to type a new location in the Targe
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prohibit User from manually redirecting Profile Folders*
- GP name: *DisablePersonalDirChange*
- GP path: *Desktop*
- GP ADMX file name: *desktop.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index bde8f4dc65..a516cc7ab4 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - DeviceGuard
@@ -72,6 +72,14 @@ ms.date: 01/30/2018
Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer.
+
+ADMX Info:
+- GP English name: *Turn On Virtualization Based Security*
+- GP name: *VirtualizationBasedSecurity*
+- GP path: *System/Device Guard*
+- GP ADMX file name: *DeviceGuard.admx*
+
+
The following list shows the supported values:
@@ -122,6 +130,15 @@ The following list shows the supported values:
Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer.
+
+ADMX Info:
+- GP English name: *Turn On Virtualization Based Security*
+- GP name: *VirtualizationBasedSecurity*
+- GP element: *CredentialIsolationDrop*
+- GP path: *System/Device Guard*
+- GP ADMX file name: *DeviceGuard.admx*
+
+
The following list shows the supported values:
@@ -173,6 +190,15 @@ The following list shows the supported values:
Added in Windows 10, version 1709. Specifies the platform security level at the next reboot. Value type is integer.
+
+ADMX Info:
+- GP English name: *Turn On Virtualization Based Security*
+- GP name: *VirtualizationBasedSecurity*
+- GP element: *RequirePlatformSecurityFeaturesDrop*
+- GP path: *System/Device Guard*
+- GP ADMX file name: *DeviceGuard.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 5813ea9ecb..c8b4f6b9d9 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - DeviceInstallation
@@ -80,14 +80,14 @@ If you disable or do not configure this policy setting, devices can be installed
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent installation of devices that match any of these device IDs*
- GP name: *DeviceInstall_IDs_Deny*
- GP path: *System/Device Installation/Device Installation Restrictions*
- GP ADMX file name: *deviceinstallation.admx*
-
+
@@ -142,14 +142,14 @@ If you disable or do not configure this policy setting, Windows can install and
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent installation of devices using drivers that match these device setup classes*
- GP name: *DeviceInstall_Classes_Deny*
- GP path: *System/Device Installation/Device Installation Restrictions*
- GP ADMX file name: *deviceinstallation.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 2555067447..e418951b10 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - DeviceLock
@@ -1020,6 +1020,12 @@ The minimum password age must be less than the Maximum password age, unless the
Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default.
+
+GP Info:
+- GP English name: *Minimum password age*
+- GP path: *Windows Settings/Security Settings/Account Policies/Password Policy*
+
+
@@ -1074,14 +1080,14 @@ If you enable this setting, users will no longer be able to modify slide show se
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent enabling lock screen slide show*
- GP name: *CPL_Personalization_NoLockScreenSlideshow*
- GP path: *Control Panel/Personalization*
- GP ADMX file name: *ControlPanelDisplay.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index 481bc438d3..827b347c3e 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -6,15 +6,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 02/05/2018
+ms.date: 03/05/2018
---
# Policy CSP - Display
-
-> [!WARNING]
+> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
@@ -80,15 +80,15 @@ ms.date: 02/05/2018
This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
-
+
+ADMX Info:
+- GP English name: *Configure Per-Process System DPI settings*
+- GP name: *DisplayPerProcessSystemDpiSettings*
+- GP element: *DisplayDisablePerProcessSystemDpiSettings*
+- GP path: *System/Display*
+- GP ADMX file name: *Display.admx*
-
-
-
-
-
-
-
+
@@ -145,20 +145,22 @@ In some cases, you may see some unexpected behavior in some desktop applications
Enabling this setting lets you specify the system-wide default for desktop applications as well as per-application overrides. If you disable or do not configure this setting, Per Process System DPI will not apply to any processes on the system.
+
+ADMX Info:
+- GP English name: *Configure Per-Process System DPI settings*
+- GP name: *DisplayPerProcessSystemDpiSettings*
+- GP element: *DisplayGlobalPerProcessSystemDpiSettings*
+- GP path: *System/Display*
+- GP ADMX file name: *Display.admx*
+
+
The following list shows the supported values:
- 0 - Disable.
- 1 - Enable.
-
-
-
-
-
-
-
@@ -202,15 +204,15 @@ The following list shows the supported values:
This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
-
+
+ADMX Info:
+- GP English name: *Configure Per-Process System DPI settings*
+- GP name: *DisplayPerProcessSystemDpiSettings*
+- GP element: *DisplayEnablePerProcessSystemDpiSettings*
+- GP path: *System/Display*
+- GP ADMX file name: *Display.admx*
-
-
-
-
-
-
-
+
@@ -262,6 +264,15 @@ If you disable or do not configure this policy setting, GDI DPI Scaling might st
If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
+
+ADMX Info:
+- GP English name: *Turn off GdiDPIScaling for applications*
+- GP name: *DisplayTurnOffGdiDPIScaling*
+- GP element: *DisplayTurnOffGdiDPIScalingPrompt*
+- GP path: *System/Display*
+- GP ADMX file name: *Display.admx*
+
+
To validate on Desktop, do the following:
@@ -320,6 +331,15 @@ If you disable or do not configure this policy setting, GDI DPI Scaling will not
If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
+
+ADMX Info:
+- GP English name: *Turn on GdiDPIScaling for applications*
+- GP name: *DisplayTurnOnGdiDPIScaling*
+- GP element: *DisplayTurnOnGdiDPIScalingPrompt*
+- GP path: *System/Display*
+- GP ADMX file name: *Display.admx*
+
+
To validate on Desktop, do the following:
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md
index 3583549ed4..8eab86d6e3 100644
--- a/windows/client-management/mdm/policy-csp-education.md
+++ b/windows/client-management/mdm/policy-csp-education.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Education
@@ -117,6 +117,14 @@ The policy value is expected to be the name (network host name) of an installed
Added in Windows 10, version 1709. Allows IT Admins to prevent user installation of additional printers from the printers settings.
+
+ADMX Info:
+- GP English name: *Prevent addition of printers*
+- GP name: *NoAddPrinter*
+- GP path: *Control Panel/Printers*
+- GP ADMX file name: *Printing.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md
index e33bbb0431..ed18d1d8d9 100644
--- a/windows/client-management/mdm/policy-csp-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-errorreporting.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - ErrorReporting
@@ -99,14 +99,14 @@ If you disable or do not configure this policy setting, then the default consent
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Customize consent settings*
- GP name: *WerConsentCustomize_2*
- GP path: *Windows Components/Windows Error Reporting/Consent*
- GP ADMX file name: *ErrorReporting.admx*
-
+
@@ -161,14 +161,14 @@ If you disable or do not configure this policy setting, the Turn off Windows Err
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disable Windows Error Reporting*
- GP name: *WerDisable_2*
- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
-
+
@@ -227,14 +227,14 @@ See also the Configure Error Reporting policy setting.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Display Error Notification*
- GP name: *PCH_ShowUI*
- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
-
+
@@ -289,14 +289,14 @@ If you disable or do not configure this policy setting, then consent policy sett
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not send additional data*
- GP name: *WerNoSecondLevelData_2*
- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
-
+
@@ -351,14 +351,14 @@ If you disable or do not configure this policy setting, Windows Error Reporting
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent display of the user interface for critical errors*
- GP name: *WerDoNotShowUI*
- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
index 10a8c1e6f4..e0d3529cc9 100644
--- a/windows/client-management/mdm/policy-csp-eventlogservice.md
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - EventLogService
@@ -78,7 +78,7 @@ If you enable this policy setting and a log file reaches its maximum size, new e
If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
-Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
+Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
> [!TIP]
@@ -88,14 +88,14 @@ Note: Old events may or may not be retained according to the "Backup log automat
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Control Event Log behavior when the log file reaches its maximum size*
- GP name: *Channel_Log_Retention_1*
- GP path: *Windows Components/Event Log Service/Application*
- GP ADMX file name: *eventlog.admx*
-
+
@@ -150,14 +150,14 @@ If you disable or do not configure this policy setting, the maximum size of the
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_1*
- GP path: *Windows Components/Event Log Service/Application*
- GP ADMX file name: *eventlog.admx*
-
+
@@ -212,14 +212,14 @@ If you disable or do not configure this policy setting, the maximum size of the
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_2*
- GP path: *Windows Components/Event Log Service/Security*
- GP ADMX file name: *eventlog.admx*
-
+
@@ -274,14 +274,14 @@ If you disable or do not configure this policy setting, the maximum size of the
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_4*
- GP path: *Windows Components/Event Log Service/System*
- GP ADMX file name: *eventlog.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index 8d5e6e3703..b741cd983e 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 02/26/2018
+ms.date: 03/05/2018
---
# Policy CSP - Experience
@@ -188,6 +188,14 @@ Specifies whether Cortana is allowed on the device. If you enable or don’t con
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Allow Cortana*
+- GP name: *AllowCortana*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
The following list shows the supported values:
@@ -296,6 +304,14 @@ When Find My Device is on, the device and its location are registered in the clo
When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. In Windows 10, version 1709 the user will not be able to view the location of the last use of their active digitizer on their device.
+
+ADMX Info:
+- GP English name: *Turn On/Off Find My Device*
+- GP name: *FindMy_AllowFindMyDeviceConfig*
+- GP path: *Windows Components/Find My Device*
+- GP ADMX file name: *FindMy.admx*
+
+
The following list shows the supported values:
@@ -593,6 +609,14 @@ Diagnostic data can include browser, app and feature usage, depending on the "Di
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Do not use diagnostic data for tailored experiences*
+- GP name: *DisableTailoredExperiencesWithDiagnosticData*
+- GP path: *Windows Components/Cloud Content*
+- GP ADMX file name: *CloudContent.admx*
+
+
The following list shows the supported values:
@@ -701,6 +725,14 @@ The following list shows the supported values:
Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services.
+
+ADMX Info:
+- GP English name: *Do not suggest third-party content in Windows spotlight*
+- GP name: *DisableThirdPartySuggestions*
+- GP path: *Windows Components/Cloud Content*
+- GP ADMX file name: *CloudContent.admx*
+
+
The following list shows the supported values:
@@ -813,6 +845,14 @@ This policy allows IT admins to turn on experiences that are typically for consu
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Turn off Microsoft consumer experiences*
+- GP name: *DisableWindowsConsumerFeatures*
+- GP path: *Windows Components/Cloud Content*
+- GP ADMX file name: *CloudContent.admx*
+
+
The following list shows the supported values:
@@ -869,6 +909,14 @@ Specifies whether to turn off all Windows spotlight features at once. If you ena
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Turn off all Windows spotlight features*
+- GP name: *DisableWindowsSpotlightFeatures*
+- GP path: *Windows Components/Cloud Content*
+- GP ADMX file name: *CloudContent.admx*
+
+
The following list shows the supported values:
@@ -924,6 +972,14 @@ Added in Windows 10, version 1703. This policy allows administrators to prevent
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Turn off Windows Spotlight on Action Center*
+- GP name: *DisableWindowsSpotlightOnActionCenter*
+- GP path: *Windows Components/Cloud Content*
+- GP ADMX file name: *CloudContent.admx*
+
+
The following list shows the supported values:
@@ -975,23 +1031,24 @@ Added in Windows 10, version 1083. This policy allows IT admins to turn off Sugg
- User setting is under Settings -> Privacy -> General -> Show me suggested content in Settings app.
- User Setting is changeable on a per user basis.
-- If the Group policy is set to off, no suggestions will be shown to the user in Settings app.
+- If the Group policy is set to off, no suggestions will be shown to the user in Settings app.
+
+ADMX Info:
+- GP English name: *Turn off Windows Spotlight on Settings*
+- GP name: *DisableWindowsSpotlightOnSettings*
+- GP path: *Windows Components/Cloud Content*
+- GP ADMX file name: *CloudContent.admx*
+
+
The following list shows the supported values:
- 0 - Not allowed.
- 1 - Allowed.
-
-
-
-
-
-
-
@@ -1041,6 +1098,14 @@ The Windows welcome experience feature introduces onboard users to Windows; for
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Turn off the Windows Welcome Experience*
+- GP name: *DisableWindowsSpotlightWindowsWelcomeExperience*
+- GP path: *Windows Components/Cloud Content*
+- GP ADMX file name: *CloudContent.admx*
+
+
The following list shows the supported values:
@@ -1091,6 +1156,14 @@ The following list shows the supported values:
Enables or disables Windows Tips / soft landing.
+
+ADMX Info:
+- GP English name: *Do not show Windows tips*
+- GP name: *DisableSoftLanding*
+- GP path: *Windows Components/Cloud Content*
+- GP ADMX file name: *CloudContent.admx*
+
+
The following list shows the supported values:
@@ -1145,6 +1218,14 @@ The following list shows the supported values:
Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1.
+
+ADMX Info:
+- GP English name: *Configure Windows spotlight on lock screen*
+- GP name: *ConfigureWindowsSpotlight*
+- GP path: *Windows Components/Cloud Content*
+- GP ADMX file name: *CloudContent.admx*
+
+
The following list shows the supported values:
@@ -1200,6 +1281,14 @@ If you enable this policy setting, users will no longer see feedback notificatio
If you disable or do not configure this policy setting, users can control how often they receive feedback questions.
+
+ADMX Info:
+- GP English name: *Do not show feedback notifications*
+- GP name: *DoNotShowFeedbackNotifications*
+- GP path: *Data Collection and Preview Builds*
+- GP ADMX file name: *FeedbackNotifications.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
index f52eb4c227..ca51c9a7a7 100644
--- a/windows/client-management/mdm/policy-csp-exploitguard.md
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - ExploitGuard
@@ -68,6 +68,15 @@ Enables the IT admin to push out a configuration representing the desired system
The system settings require a reboot; the application settings do not require a reboot.
+
+ADMX Info:
+- GP English name: *Use a common set of exploit protection settings*
+- GP name: *ExploitProtection_Name*
+- GP element: *ExploitProtection_Name*
+- GP path: *Windows Components/Windows Defender Exploit Guard/Exploit Protection*
+- GP ADMX file name: *ExploitGuard.admx*
+
+
Here is an example:
diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md
index c03012e8f2..438387b1b6 100644
--- a/windows/client-management/mdm/policy-csp-handwriting.md
+++ b/windows/client-management/mdm/policy-csp-handwriting.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Handwriting
@@ -72,6 +72,14 @@ In floating mode, the content is hidden behind a flying-in panel and results in
The docked mode is especially useful in Kiosk mode where you do not expect the end-user to drag the flying-in panel out of the way.
+
+ADMX Info:
+- GP English name: *Handwriting Panel Default Mode Docked*
+- GP name: *PanelDefaultModeDocked*
+- GP path: *Windows Components/Handwriting*
+- GP ADMX file name: *Handwriting.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index 4e2042350f..23a0b5a050 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - InternetExplorer
@@ -804,14 +804,14 @@ If you disable or do not configure this policy setting, the user can configure t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Add a specific list of search providers to the user's list of search providers*
- GP name: *AddSearchProvider*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -867,14 +867,14 @@ If you disable or do not configure this policy setting, ActiveX Filtering is not
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on ActiveX Filtering*
- GP name: *TurnOnActiveXFiltering*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -922,7 +922,7 @@ This list can be used with the 'Deny all add-ons unless specifically allowed in
If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information:
-Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, {000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.
+Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, ‘{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.
Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field.
@@ -936,14 +936,14 @@ If you disable this policy setting, the list is deleted. The 'Deny all add-ons u
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Add-on List*
- GP name: *AddonManagement_AddOnList*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
-
+
@@ -984,6 +984,13 @@ ADMX Info:
+This AutoComplete feature can remember and suggest User names and passwords on Forms.
+
+If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords".
+
+If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords.
+
+If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button.
> [!TIP]
@@ -993,14 +1000,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on the auto-complete feature for user names and passwords on forms*
- GP name: *RestrictFormSuggestPW*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -1042,6 +1049,11 @@ ADMX Info:
+This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks.
+
+If you enable this policy setting, the certificate address mismatch warning always appears.
+
+If you disable or do not configure this policy setting, the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the Internet Control panel).
> [!TIP]
@@ -1051,14 +1063,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on certificate address mismatch warning*
- GP name: *IZ_PolicyWarnCertMismatch*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -1100,6 +1112,15 @@ ADMX Info:
+This policy setting allows the automatic deletion of specified items when the last browser window closes. The preferences selected in the Delete Browsing History dialog box (such as deleting temporary Internet files, cookies, history, form data, and passwords) are applied, and those items are deleted.
+
+If you enable this policy setting, deleting browsing history on exit is turned on.
+
+If you disable this policy setting, deleting browsing history on exit is turned off.
+
+If you do not configure this policy setting, it can be configured on the General tab in Internet Options.
+
+If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting has no effect.
> [!TIP]
@@ -1109,14 +1130,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow deleting browsing history on exit*
- GP name: *DBHDisableDeleteOnExit*
- GP path: *Windows Components/Internet Explorer/Delete Browsing History*
- GP ADMX file name: *inetres.admx*
-
+
@@ -1174,14 +1195,14 @@ If you do not configure this policy, users will be able to turn on or turn off E
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Enhanced Protected Mode*
- GP name: *Advanced_EnableEnhancedProtectedMode*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -1237,14 +1258,14 @@ If you disable or don't configure this policy setting, the menu option won't app
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Let users turn on and use Enterprise Mode from the Tools menu*
- GP name: *EnterpriseModeEnable*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -1300,14 +1321,14 @@ If you disable or don't configure this policy setting, Internet Explorer opens a
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Use the Enterprise Mode IE website list*
- GP name: *EnterpriseModeSiteList*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -1348,6 +1369,13 @@ ADMX Info:
+This policy setting allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails.
+
+We recommend that you do not allow insecure fallback in order to prevent a man-in-the-middle attack.
+
+This policy does not affect which security protocols are enabled.
+
+If you disable this policy, system defaults will be used.
> [!TIP]
@@ -1357,14 +1385,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow fallback to SSL 3.0 (Internet Explorer)*
- GP name: *Advanced_EnableSSL3Fallback*
- GP path: *Windows Components/Internet Explorer/Security Features*
- GP ADMX file name: *inetres.admx*
-
+
@@ -1420,14 +1448,14 @@ If you disable or do not configure this policy setting, the user can add and rem
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Use Policy List of Internet Explorer 7 sites*
- GP name: *CompatView_UsePolicyList*
- GP path: *Windows Components/Internet Explorer/Compatibility View*
- GP ADMX file name: *inetres.admx*
-
+
@@ -1485,14 +1513,14 @@ If you do not configure this policy setting, Internet Explorer uses an Internet
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Internet Explorer Standards Mode for local intranet*
- GP name: *CompatView_IntranetSites*
- GP path: *Windows Components/Internet Explorer/Compatibility View*
- GP ADMX file name: *inetres.admx*
-
+
@@ -1554,14 +1582,14 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Internet Zone Template*
- GP name: *IZ_PolicyInternetZoneTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -1623,14 +1651,14 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Intranet Zone Template*
- GP name: *IZ_PolicyIntranetZoneTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -1692,14 +1720,14 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Local Machine Zone Template*
- GP name: *IZ_PolicyLocalMachineZoneTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -1761,14 +1789,14 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Locked-Down Internet Zone Template*
- GP name: *IZ_PolicyInternetZoneLockdownTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -1830,14 +1858,14 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Locked-Down Intranet Zone Template*
- GP name: *IZ_PolicyIntranetZoneLockdownTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -1899,14 +1927,14 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Locked-Down Local Machine Zone Template*
- GP name: *IZ_PolicyLocalMachineZoneLockdownTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -1968,14 +1996,14 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Locked-Down Restricted Sites Zone Template*
- GP name: *IZ_PolicyRestrictedSitesZoneLockdownTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -2031,14 +2059,14 @@ If you disable or do not configure this policy setting, Internet Explorer does n
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Go to an intranet site for a one-word entry in the Address bar*
- GP name: *UseIntranetSiteForOneWordEntry*
- GP path: *Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing*
- GP ADMX file name: *inetres.admx*
-
+
@@ -2084,9 +2112,9 @@ This policy setting allows you to manage a list of sites that you want to associ
Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)
-If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:
+If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:
-Valuename A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also includea specificprotocol. For example, if you enter http://www.contoso.comas the valuename, other protocols are not affected.If you enter just www.contoso.com,then all protocolsare affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.
+Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter http://www.contoso.com as the valuename, other protocols are not affected. If you enter just www.contoso.com, then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.
Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.
@@ -2100,14 +2128,14 @@ If you disable or do not configure this policy, users may choose their own site-
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Site to Zone Assignment List*
- GP name: *IZ_Zonemaps*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -2149,6 +2177,13 @@ ADMX Info:
+This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file.
+
+If you enable this policy setting, users will be prompted to install or run files with an invalid signature.
+
+If you disable this policy setting, users cannot run or install files with an invalid signature.
+
+If you do not configure this policy, users can choose to run or install files with an invalid signature.
> [!TIP]
@@ -2158,14 +2193,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow software to run or install even if the signature is invalid*
- GP name: *Advanced_InvalidSignatureBlock*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -2207,9 +2242,9 @@ ADMX Info:
-This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit.
+This policy setting controls the Suggested Sites feature, which recommends websites based on the user’s browsing activity. Suggested Sites reports a user’s browsing history to Microsoft to suggest sites that the user might want to visit.
-If you enable this policy setting, the user is not prompted to enable Suggested Sites. The users browsing history is sent to Microsoft to produce suggestions.
+If you enable this policy setting, the user is not prompted to enable Suggested Sites. The user’s browsing history is sent to Microsoft to produce suggestions.
If you disable this policy setting, the entry points and functionality associated with this feature are turned off.
@@ -2223,14 +2258,14 @@ If you do not configure this policy setting, the user can turn on and turn off t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Suggested Sites*
- GP name: *EnableSuggestedSites*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -2292,14 +2327,14 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Trusted Sites Zone Template*
- GP name: *IZ_PolicyTrustedSitesZoneTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -2361,14 +2396,14 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Locked-Down Trusted Sites Zone Template*
- GP name: *IZ_PolicyTrustedSitesZoneLockdownTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -2430,14 +2465,14 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Restricted Sites Zone Template*
- GP name: *IZ_PolicyRestrictedSitesZoneTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -2479,6 +2514,13 @@ ADMX Info:
+This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.
+
+If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked.
+
+If you disable this policy setting, Internet Explorer will not check server certificates to see if they have been revoked.
+
+If you do not configure this policy setting, Internet Explorer will not check server certificates to see if they have been revoked.
> [!TIP]
@@ -2488,14 +2530,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Check for server certificate revocation*
- GP name: *Advanced_CertificateRevocation*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -2537,6 +2579,13 @@ ADMX Info:
+This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs.
+
+If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers.
+
+If you disable this policy setting, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers.
+
+If you do not configure this policy, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers.
> [!TIP]
@@ -2546,14 +2595,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Check for signatures on downloaded programs*
- GP name: *Advanced_DownloadSignatures*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -2595,6 +2644,15 @@ ADMX Info:
+Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server.
+
+This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension.
+
+If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files.
+
+If you disable this policy setting, Internet Explorer will not require consistent MIME data for all received files.
+
+If you do not configure this policy setting, Internet Explorer requires consistent MIME data for all received files.
> [!TIP]
@@ -2604,14 +2662,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Internet Explorer Processes*
-- GP name: *IESF_PolicyExplorerProcesses_2*
-- GP path: *Windows Components/Internet Explorer/Security Features/Binary Behavior Security Restriction*
+- GP name: *IESF_PolicyExplorerProcesses_5*
+- GP path: *Windows Components/Internet Explorer/Security Features/Consistent Mime Handling*
- GP ADMX file name: *inetres.admx*
-
+
@@ -2669,14 +2727,14 @@ Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects*
- GP name: *DisableFlashInIE*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
-
+
@@ -2732,14 +2790,14 @@ If you disable or do not configure this policy setting, the user can bypass Smar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent bypassing SmartScreen Filter warnings*
- GP name: *DisableSafetyFilterOverride*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -2795,14 +2853,14 @@ If you disable or do not configure this policy setting, the user can bypass Smar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet*
- GP name: *DisableSafetyFilterOverrideForAppRepUnknown*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -2844,6 +2902,11 @@ ADMX Info:
+This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Temporary Internet Files and History Settings dialog box, from the Menu bar, on the Tools menu, click Internet Options, click the General tab, and then click Settings under Browsing history.
+
+If you enable this policy setting, a user cannot set the number of days that Internet Explorer tracks views of the pages in the History List. You must specify the number of days that Internet Explorer tracks views of pages in the History List. Users can not delete browsing history.
+
+If you disable or do not configure this policy setting, a user can set the number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history.
> [!TIP]
@@ -2853,14 +2916,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disable "Configuring History"*
- GP name: *RestrictHistory*
- GP path: *Windows Components/Internet Explorer/Delete Browsing History*
- GP ADMX file name: *inetres.admx*
-
+
@@ -2902,6 +2965,11 @@ ADMX Info:
+This policy setting allows you to manage the crash detection feature of add-on Management.
+
+If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply.
+
+If you disable or do not configure this policy setting, the crash detection feature for add-on management will be functional.
> [!TIP]
@@ -2911,14 +2979,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off Crash Detection*
- GP name: *AddonManagement_RestrictCrashDetection*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -2976,14 +3044,14 @@ If you do not configure this policy setting, the user can choose to participate
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent participation in the Customer Experience Improvement Program*
- GP name: *SQM_DisableCEIP*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -3025,6 +3093,15 @@ ADMX Info:
+This policy setting prevents the user from deleting the history of websites that he or she has visited. This feature is available in the Delete Browsing History dialog box.
+
+If you enable this policy setting, websites that the user has visited are preserved when he or she clicks Delete.
+
+If you disable this policy setting, websites that the user has visited are deleted when he or she clicks Delete.
+
+If you do not configure this policy setting, the user can choose whether to delete or preserve visited websites when he or she clicks Delete.
+
+If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default.
> [!TIP]
@@ -3034,14 +3111,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent deleting websites that the user has visited*
- GP name: *DBHDisableDeleteHistory*
- GP path: *Windows Components/Internet Explorer/Delete Browsing History*
- GP ADMX file name: *inetres.admx*
-
+
@@ -3097,14 +3174,14 @@ If you disable or do not configure this policy setting, the user can set the Fee
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent downloading of enclosures*
- GP name: *Disable_Downloading_of_Enclosures*
- GP path: *Windows Components/RSS Feeds*
- GP ADMX file name: *inetres.admx*
-
+
@@ -3146,7 +3223,7 @@ ADMX Info:
-This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match.
+This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match.
If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list.
@@ -3162,14 +3239,14 @@ Note: SSL 2.0 is off by default and is no longer supported starting with Windows
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off encryption support*
- GP name: *Advanced_SetWinInetProtocols*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -3214,8 +3291,8 @@ ADMX Info:
This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
If you enable this policy setting, you must make one of the following choices:
-Skip the First Run wizard, and go directly to the user's home page.
-Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage.
+- Skip the First Run wizard, and go directly to the user's home page.
+- Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage.
Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen.
@@ -3229,14 +3306,14 @@ If you disable or do not configure this policy setting, Internet Explorer may ru
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent running First Run wizard*
- GP name: *NoFirstRunCustomise*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -3296,14 +3373,14 @@ If you don't configure this setting, users can turn this behavior on or off, usi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off the flip ahead with page prediction feature*
- GP name: *Advanced_DisableFlipAhead*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -3358,14 +3435,14 @@ If you disable or do not configure this policy setting, the Home page box is ena
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disable changing home page settings*
- GP name: *RestrictHomePage*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -3407,6 +3484,11 @@ ADMX Info:
+This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer.
+
+If you enable this policy setting, the user cannot continue browsing.
+
+If you disable or do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing.
> [!TIP]
@@ -3416,14 +3498,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent ignoring certificate errors*
- GP name: *NoCertError*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel*
- GP ADMX file name: *inetres.admx*
-
+
@@ -3465,6 +3547,15 @@ ADMX Info:
+This policy setting allows you to turn off the InPrivate Browsing feature.
+
+InPrivate Browsing prevents Internet Explorer from storing data about a user's browsing session. This includes cookies, temporary Internet files, history, and other data.
+
+If you enable this policy setting, InPrivate Browsing is turned off.
+
+If you disable this policy setting, InPrivate Browsing is available for use.
+
+If you do not configure this policy setting, InPrivate Browsing can be turned on or off through the registry.
> [!TIP]
@@ -3474,14 +3565,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off InPrivate Browsing*
- GP name: *DisableInPrivateBrowsing*
- GP path: *Windows Components/Internet Explorer/Privacy*
- GP ADMX file name: *inetres.admx*
-
+
@@ -3523,6 +3614,15 @@ ADMX Info:
+This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.
+
+Important: Some ActiveX controls and toolbars may not be available when 64-bit processes are used.
+
+If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
+
+If you disable this policy setting, Internet Explorer 11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
+
+If you don't configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default.
> [!TIP]
@@ -3532,14 +3632,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows*
- GP name: *Advanced_EnableEnhancedProtectedMode64Bit*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -3595,14 +3695,14 @@ If you disable or do not configure this policy setting, the user can configure p
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent changing proxy settings*
- GP name: *RestrictProxy*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -3658,14 +3758,14 @@ If you disable or do not configure this policy setting, the user can change the
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent changing the default search provider*
- GP name: *NoSearchProvider*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -3713,7 +3813,7 @@ If you enable this policy setting, you can specify which default home pages shou
If you disable or do not configure this policy setting, the user can add secondary home pages.
-Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages.
+Note: If the “Disable Changing Home Page Settings” policy is enabled, the user cannot add secondary home pages.
> [!TIP]
@@ -3723,14 +3823,14 @@ Note: If the Disable Changing Home Page Settings policy is enabled, the user can
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disable changing secondary home page settings*
- GP name: *SecondaryHomePages*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -3772,6 +3872,11 @@ ADMX Info:
+This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk.
+
+If you enable this policy setting, the feature is turned off.
+
+If you disable or do not configure this policy setting, the feature is turned on.
> [!TIP]
@@ -3781,14 +3886,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off the Security Settings Check feature*
- GP name: *Disable_Security_Settings_Check*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -3845,14 +3950,14 @@ This policy is intended to help the administrator maintain version control for I
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disable Periodic Check for Internet Explorer software updates*
- GP name: *NoUpdateCheck*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -3894,6 +3999,15 @@ ADMX Info:
+This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode.
+
+Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.
+
+When Enhanced Protected Mode is enabled, and a user encounters a website that attempts to load an ActiveX control that is not compatible with Enhanced Protected Mode, Internet Explorer notifies the user and gives the option to disable Enhanced Protected Mode for that particular website.
+
+If you enable this policy setting, Internet Explorer will not give the user the option to disable Enhanced Protected Mode. All Protected Mode websites will run in Enhanced Protected Mode.
+
+If you disable or do not configure this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regular Protected Mode. This is the default behavior.
> [!TIP]
@@ -3903,14 +4017,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled*
- GP name: *Advanced_DisableEPMCompat*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -3971,14 +4085,14 @@ Also, see the "Security zones: Use only machine settings" policy.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Security Zones: Do not allow users to add/delete sites*
- GP name: *Security_zones_map_edit*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -4039,14 +4153,14 @@ Also, see the "Security zones: Use only machine settings" policy.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Security Zones: Do not allow users to change policies*
- GP name: *Security_options_edit*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -4104,14 +4218,14 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off blocking of outdated ActiveX controls for Internet Explorer*
- GP name: *VerMgmtDisable*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
-
+
@@ -4173,14 +4287,14 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains*
- GP name: *VerMgmtDomainAllowlist*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
-
+
@@ -4238,14 +4352,14 @@ If you do not configure this policy setting, users choose whether to force local
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Intranet Sites: Include all local (intranet) sites not listed in other zones*
- GP name: *IZ_IncludeUnspecifiedLocalSites*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -4303,14 +4417,14 @@ If you do not configure this policy setting, users choose whether network paths
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Intranet Sites: Include all network paths (UNCs)*
- GP name: *IZ_UNCAsIntranet*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
+
@@ -4368,14 +4482,14 @@ If you do not configure this policy setting, users cannot load a page in the zon
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -4433,14 +4547,14 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -4496,14 +4610,14 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -4545,6 +4659,15 @@ ADMX Info:
+This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.
+
+If you enable this policy setting, a script can perform a clipboard operation.
+
+If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.
+
+If you disable this policy setting, a script cannot perform a clipboard operation.
+
+If you do not configure this policy setting, a script can perform a clipboard operation.
> [!TIP]
@@ -4554,14 +4677,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow cut, copy or paste operations from the clipboard via script*
- GP name: *IZ_PolicyAllowPasteViaScript_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -4603,6 +4726,13 @@ ADMX Info:
+This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.
+
+If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.
+
+If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone.
+
+If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically.
> [!TIP]
@@ -4612,14 +4742,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow drag and drop or copy and paste files*
- GP name: *IZ_PolicyDropOrPasteFiles_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -4677,14 +4807,14 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -4742,14 +4872,14 @@ If you do not configure this policy setting, Web sites from less privileged zone
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -4791,6 +4921,13 @@ ADMX Info:
+This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.
+
+If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files.
+
+If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.
+
+If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
> [!TIP]
@@ -4800,14 +4937,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow loading of XAML files*
- GP name: *IZ_Policy_XAML_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -4865,14 +5002,14 @@ If you do not configure this policy setting, Internet Explorer will execute unsi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -4914,6 +5051,11 @@ ADMX Info:
+This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.
+
+If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites.
+
+If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
> [!TIP]
@@ -4923,14 +5065,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow only approved domains to use ActiveX controls without prompt*
- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -4972,6 +5114,11 @@ ADMX Info:
+This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.
+
+If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone.
+
+If you disable this policy setting, the TDC Active X control will run from all sites in this zone.
> [!TIP]
@@ -4981,14 +5128,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow only approved domains to use the TDC ActiveX control*
- GP name: *IZ_PolicyAllowTDCControl_Both_Internet*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -5030,6 +5177,13 @@ ADMX Info:
+This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars.
+
+If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature.
+
+If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
+
+If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
> [!TIP]
@@ -5039,14 +5193,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow script-initiated windows without size or position constraints*
- GP name: *IZ_PolicyWindowsRestrictionsURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -5088,6 +5242,13 @@ ADMX Info:
+This policy setting determines whether a page can control embedded WebBrowser controls via script.
+
+If you enable this policy setting, script access to the WebBrowser control is allowed.
+
+If you disable this policy setting, script access to the WebBrowser control is not allowed.
+
+If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones.
> [!TIP]
@@ -5097,14 +5258,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scripting of Internet Explorer WebBrowser controls*
- GP name: *IZ_Policy_WebBrowserControl_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -5162,14 +5323,14 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -5229,14 +5390,14 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -5278,6 +5439,11 @@ ADMX Info:
+This policy setting allows you to manage whether script is allowed to update the status bar within the zone.
+
+If you enable this policy setting, script is allowed to update the status bar.
+
+If you disable or do not configure this policy setting, script is not allowed to update the status bar.
> [!TIP]
@@ -5287,14 +5453,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow updates to status bar via script*
- GP name: *IZ_Policy_ScriptStatusBar_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -5352,14 +5518,14 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -5401,6 +5567,13 @@ ADMX Info:
+This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
+
+If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+
+If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+
+If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
> [!TIP]
@@ -5410,14 +5583,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -5459,6 +5632,13 @@ ADMX Info:
+This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone.
+
+If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
+
+If you disable the policy setting, signed controls cannot be downloaded.
+
+If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
> [!TIP]
@@ -5468,14 +5648,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Download signed ActiveX controls*
- GP name: *IZ_PolicyDownloadSignedActiveX_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -5517,6 +5697,13 @@ ADMX Info:
+This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.
+
+If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.
+
+If you disable this policy setting, users cannot run unsigned controls.
+
+If you do not configure this policy setting, users cannot run unsigned controls.
> [!TIP]
@@ -5526,14 +5713,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Download unsigned ActiveX controls*
- GP name: *IZ_PolicyDownloadUnsignedActiveX_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -5575,6 +5762,11 @@ ADMX Info:
+This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.
+
+If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections.
+
+If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
> [!TIP]
@@ -5584,14 +5776,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Cross-Site Scripting Filter*
- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Internet*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -5633,6 +5825,15 @@ ADMX Info:
+This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows.
+
+If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
+
+If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting.
+
+In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog.
+
+In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
> [!TIP]
@@ -5642,14 +5843,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable dragging of content from different domains across windows*
- GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -5691,6 +5892,15 @@ ADMX Info:
+This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window.
+
+If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting.
+
+If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.
+
+In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog.
+
+In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.
> [!TIP]
@@ -5700,14 +5910,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable dragging of content from different domains within a window*
- GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -5749,6 +5959,13 @@ ADMX Info:
+This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.
+
+If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature.
+
+If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process.
+
+If you do not configure this policy setting, the MIME Sniffing Safety Feature will not apply in this zone.
> [!TIP]
@@ -5758,14 +5975,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable MIME Sniffing*
- GP name: *IZ_PolicyMimeSniffingURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -5807,6 +6024,13 @@ ADMX Info:
+This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.
+
+If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode.
+
+If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode.
+
+If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
> [!TIP]
@@ -5816,14 +6040,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Protected Mode*
- GP name: *IZ_Policy_TurnOnProtectedMode_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -5865,6 +6089,13 @@ ADMX Info:
+This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path.
+
+If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form.
+
+If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form.
+
+If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent.
> [!TIP]
@@ -5874,14 +6105,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Include local path when user is uploading files to a server*
- GP name: *IZ_Policy_LocalPathForUpload_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -5941,14 +6172,14 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -6023,6 +6254,19 @@ ADMX Info:
+This policy setting allows you to manage permissions for Java applets.
+
+If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
+
+Low Safety enables applets to perform all operations.
+
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+
+High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
+
+If you disable this policy setting, Java applets cannot run.
+
+If you do not configure this policy setting, the permission is set to High Safety.
> [!TIP]
@@ -6032,14 +6276,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -6081,6 +6325,13 @@ ADMX Info:
+This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.
+
+If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
+
+If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
+
+If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
> [!TIP]
@@ -6090,14 +6341,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Launching applications and files in an IFRAME*
- GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -6139,6 +6390,21 @@ ADMX Info:
+This policy setting allows you to manage settings for logon options.
+
+If you enable this policy setting, you can choose from the following logon options.
+
+Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+
+Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.
+
+If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+If you do not configure this policy setting, logon is set to Automatic logon only in Intranet zone.
> [!TIP]
@@ -6148,14 +6414,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Logon options*
- GP name: *IZ_PolicyLogon_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -6213,14 +6479,14 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -6262,6 +6528,13 @@ ADMX Info:
+This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
+
+If you disable this policy setting, Internet Explorer will not execute signed managed components.
+
+If you do not configure this policy setting, Internet Explorer will execute signed managed components.
> [!TIP]
@@ -6271,14 +6544,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components signed with Authenticode*
- GP name: *IZ_PolicySignedFrameworkComponentsURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -6320,6 +6593,13 @@ ADMX Info:
+This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).
+
+If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open.
+
+If you disable this policy setting, these files do not open.
+
+If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
> [!TIP]
@@ -6329,14 +6609,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Show security warning for potentially unsafe files*
- GP name: *IZ_Policy_UnsafeFiles_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -6378,6 +6658,13 @@ ADMX Info:
+This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.
+
+If you enable this policy setting, most unwanted pop-up windows are prevented from appearing.
+
+If you disable this policy setting, pop-up windows are not prevented from appearing.
+
+If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing.
> [!TIP]
@@ -6387,14 +6674,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Use Pop-up Blocker*
- GP name: *IZ_PolicyBlockPopupWindows_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -6452,14 +6739,14 @@ If you do not configure this policy setting, users are queried to choose whether
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -6517,14 +6804,14 @@ If you do not configure this policy setting, users will receive a prompt when a
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -6580,14 +6867,14 @@ If you disable or do not configure this setting, users will receive a file downl
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -6645,14 +6932,14 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -6710,14 +6997,14 @@ If you do not configure this policy setting, Web sites from less privileged zone
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -6775,14 +7062,14 @@ If you do not configure this policy setting, Internet Explorer will execute unsi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -6840,14 +7127,14 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -6907,14 +7194,14 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -6972,14 +7259,14 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -7021,6 +7308,13 @@ ADMX Info:
+This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
+
+If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+
+If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+
+If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
> [!TIP]
@@ -7030,14 +7324,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -7097,14 +7391,14 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -7146,6 +7440,19 @@ ADMX Info:
+This policy setting allows you to manage permissions for Java applets.
+
+If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
+
+Low Safety enables applets to perform all operations.
+
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+
+High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
+
+If you disable this policy setting, Java applets cannot run.
+
+If you do not configure this policy setting, the permission is set to Medium Safety.
> [!TIP]
@@ -7155,14 +7462,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -7220,14 +7527,14 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -7285,14 +7592,14 @@ If you do not configure this policy setting, users can load a page in the zone t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -7350,14 +7657,14 @@ If you do not configure this policy setting, users will receive a prompt when a
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -7413,14 +7720,14 @@ If you disable or do not configure this setting, users will receive a file downl
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -7478,14 +7785,14 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -7543,14 +7850,14 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -7608,14 +7915,14 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -7673,14 +7980,14 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -7740,14 +8047,14 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -7805,14 +8112,14 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -7854,6 +8161,13 @@ ADMX Info:
+This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
+
+If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+
+If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+
+If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
> [!TIP]
@@ -7863,14 +8177,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -7930,14 +8244,14 @@ If you do not configure this policy setting, users are queried whether to allow
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -7979,6 +8293,19 @@ ADMX Info:
+This policy setting allows you to manage permissions for Java applets.
+
+If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
+
+Low Safety enables applets to perform all operations.
+
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+
+High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
+
+If you disable this policy setting, Java applets cannot run.
+
+If you do not configure this policy setting, the permission is set to Medium Safety.
> [!TIP]
@@ -7988,14 +8315,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -8053,14 +8380,14 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -8118,14 +8445,14 @@ If you do not configure this policy setting, users cannot load a page in the zon
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -8183,14 +8510,14 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -8246,14 +8573,14 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -8311,14 +8638,14 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -8376,14 +8703,14 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -8441,14 +8768,14 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -8506,14 +8833,14 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -8573,14 +8900,14 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -8638,14 +8965,14 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -8705,14 +9032,14 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -8754,6 +9081,19 @@ ADMX Info:
+This policy setting allows you to manage permissions for Java applets.
+
+If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
+
+Low Safety enables applets to perform all operations.
+
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+
+High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
+
+If you disable this policy setting, Java applets cannot run.
+
+If you do not configure this policy setting, Java applets are disabled.
> [!TIP]
@@ -8763,14 +9103,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -8828,14 +9168,14 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -8893,14 +9233,14 @@ If you do not configure this policy setting, users are queried to choose whether
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -8958,14 +9298,14 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -9021,14 +9361,14 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -9086,14 +9426,14 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -9151,14 +9491,14 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -9216,14 +9556,14 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -9281,14 +9621,14 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -9348,14 +9688,14 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -9413,14 +9753,14 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -9480,14 +9820,14 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -9545,14 +9885,14 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -9610,14 +9950,14 @@ If you do not configure this policy setting, users can load a page in the zone t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -9675,14 +10015,14 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -9738,14 +10078,14 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -9803,14 +10143,14 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -9868,14 +10208,14 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -9933,14 +10273,14 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -9998,14 +10338,14 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -10065,14 +10405,14 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -10130,14 +10470,14 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -10197,14 +10537,14 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -10246,6 +10586,19 @@ ADMX Info:
+This policy setting allows you to manage permissions for Java applets.
+
+If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
+
+Low Safety enables applets to perform all operations.
+
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+
+High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
+
+If you disable this policy setting, Java applets cannot run.
+
+If you do not configure this policy setting, Java applets are disabled.
> [!TIP]
@@ -10255,14 +10608,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -10320,14 +10673,14 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -10385,14 +10738,14 @@ If you do not configure this policy setting, users cannot load a page in the zon
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -10450,14 +10803,14 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -10513,14 +10866,14 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -10578,14 +10931,14 @@ If you do not configure this policy setting, users are queried whether to allow
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -10643,14 +10996,14 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -10708,14 +11061,14 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -10773,14 +11126,14 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -10840,14 +11193,14 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -10905,14 +11258,14 @@ If you do not configure this policy setting, users cannot preserve information i
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -10972,14 +11325,14 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -11021,6 +11374,19 @@ ADMX Info:
+This policy setting allows you to manage permissions for Java applets.
+
+If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
+
+Low Safety enables applets to perform all operations.
+
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+
+High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
+
+If you disable this policy setting, Java applets cannot run.
+
+If you do not configure this policy setting, Java applets are disabled.
> [!TIP]
@@ -11030,14 +11396,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -11095,14 +11461,14 @@ If you do not configure this policy setting, users cannot open other windows and
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -11160,14 +11526,14 @@ If you do not configure this policy setting, users can load a page in the zone t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -11225,14 +11591,14 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -11288,14 +11654,14 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -11353,14 +11719,14 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -11418,14 +11784,14 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -11483,14 +11849,14 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -11548,14 +11914,14 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -11615,14 +11981,14 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -11680,14 +12046,14 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -11747,14 +12113,14 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -11796,6 +12162,19 @@ ADMX Info:
+This policy setting allows you to manage permissions for Java applets.
+
+If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
+
+Low Safety enables applets to perform all operations.
+
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+
+High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
+
+If you disable this policy setting, Java applets cannot run.
+
+If you do not configure this policy setting, Java applets are disabled.
> [!TIP]
@@ -11805,14 +12184,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -11870,14 +12249,14 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -11919,6 +12298,13 @@ ADMX Info:
+The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail.
+
+If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail.
+
+If you disable this policy setting, applications can use the MK protocol API. Resources hosted on the MK protocol will work for the File Explorer and Internet Explorer processes.
+
+If you do not configure this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail.
> [!TIP]
@@ -11928,14 +12314,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_3*
- GP path: *Windows Components/Internet Explorer/Security Features/MK Protocol Security Restriction*
- GP ADMX file name: *inetres.admx*
-
+
@@ -11977,6 +12363,13 @@ ADMX Info:
+This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type.
+
+If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type.
+
+If you disable this policy setting, Internet Explorer processes will allow a MIME sniff promoting a file of one type to a more dangerous file type.
+
+If you do not configure this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type.
> [!TIP]
@@ -11986,14 +12379,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_6*
- GP path: *Windows Components/Internet Explorer/Security Features/Mime Sniffing Safety Feature*
- GP ADMX file name: *inetres.admx*
-
+
@@ -12035,6 +12428,13 @@ ADMX Info:
+This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes.
+
+If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes.
+
+If you disable this policy setting, the Notification bar will not be displayed for Internet Explorer processes.
+
+If you do not configure this policy setting, the Notification bar will be displayed for Internet Explorer Processes.
> [!TIP]
@@ -12044,14 +12444,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_10*
- GP path: *Windows Components/Internet Explorer/Security Features/Notification bar*
- GP ADMX file name: *inetres.admx*
-
+
@@ -12093,6 +12493,11 @@ ADMX Info:
+This policy setting prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware.
+
+If you enable this policy setting, the user is not prompted to turn on SmartScreen Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user.
+
+If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on SmartScreen Filter during the first-run experience.
> [!TIP]
@@ -12102,14 +12507,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent managing SmartScreen Filter*
- GP name: *Disable_Managing_Safety_Filter_IE9*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -12151,6 +12556,11 @@ ADMX Info:
+This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis.
+
+If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis.
+
+If you disable or do not configure this policy setting, ActiveX controls can be installed on a per-user basis.
> [!TIP]
@@ -12160,14 +12570,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent per-user installation of ActiveX controls*
- GP name: *DisablePerUserActiveXInstall*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -12209,6 +12619,11 @@ ADMX Info:
+Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, and so on). For example, Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users.
+
+If you enable this policy setting, any zone can be protected from zone elevation for all processes.
+
+If you disable or do not configure this policy setting, processes other than Internet Explorer or those listed in the Process List receive no such protection.
> [!TIP]
@@ -12218,14 +12633,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_9*
- GP path: *Windows Components/Internet Explorer/Security Features/Protection From Zone Elevation*
- GP ADMX file name: *inetres.admx*
-
+
@@ -12267,6 +12682,13 @@ ADMX Info:
+This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer.
+
+If you enable this policy setting, users won't see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.
+
+If you disable or don't configure this policy setting, users will see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once.
+
+For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
> [!TIP]
@@ -12276,14 +12698,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer *
- GP name: *VerMgmtDisableRunThisTime*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
-
+
@@ -12325,6 +12747,11 @@ ADMX Info:
+This policy setting enables applications hosting the Web Browser Control to block automatic prompting of ActiveX control installation.
+
+If you enable this policy setting, the Web Browser Control will block automatic prompting of ActiveX control installation for all processes.
+
+If you disable or do not configure this policy setting, the Web Browser Control will not block automatic prompting of ActiveX control installation for all processes.
> [!TIP]
@@ -12334,14 +12761,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_11*
- GP path: *Windows Components/Internet Explorer/Security Features/Restrict ActiveX Install*
- GP ADMX file name: *inetres.admx*
-
+
@@ -12383,6 +12810,11 @@ ADMX Info:
+This policy setting enables applications hosting the Web Browser Control to block automatic prompting of file downloads that are not user initiated.
+
+If you enable this policy setting, the Web Browser Control will block automatic prompting of file downloads that are not user initiated for all processes.
+
+If you disable this policy setting, the Web Browser Control will not block automatic prompting of file downloads that are not user initiated for all processes.
> [!TIP]
@@ -12392,14 +12824,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_12*
- GP path: *Windows Components/Internet Explorer/Security Features/Restrict File Download*
- GP ADMX file name: *inetres.admx*
-
+
@@ -12457,14 +12889,14 @@ If you do not configure this policy setting, users cannot load a page in the zon
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -12506,6 +12938,13 @@ ADMX Info:
+This policy setting allows you to manage whether script code on pages in the zone is run.
+
+If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run.
+
+If you disable this policy setting, script code on pages in the zone is prevented from running.
+
+If you do not configure this policy setting, script code on pages in the zone is prevented from running.
> [!TIP]
@@ -12515,14 +12954,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow active scripting*
- GP name: *IZ_PolicyActiveScripting_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -12580,14 +13019,14 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -12643,14 +13082,14 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -12692,6 +13131,13 @@ ADMX Info:
+This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached.
+
+If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.
+
+If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager.
+
+If you do not configure this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager.
> [!TIP]
@@ -12701,14 +13147,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow binary and script behaviors*
- GP name: *IZ_PolicyBinaryBehaviors_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -12750,6 +13196,15 @@ ADMX Info:
+This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.
+
+If you enable this policy setting, a script can perform a clipboard operation.
+
+If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.
+
+If you disable this policy setting, a script cannot perform a clipboard operation.
+
+If you do not configure this policy setting, a script cannot perform a clipboard operation.
> [!TIP]
@@ -12759,14 +13214,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow cut, copy or paste operations from the clipboard via script*
- GP name: *IZ_PolicyAllowPasteViaScript_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -12808,6 +13263,13 @@ ADMX Info:
+This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.
+
+If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.
+
+If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone.
+
+If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone.
> [!TIP]
@@ -12817,14 +13279,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow drag and drop or copy and paste files*
- GP name: *IZ_PolicyDropOrPasteFiles_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -12866,6 +13328,13 @@ ADMX Info:
+This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.
+
+If you enable this policy setting, files can be downloaded from the zone.
+
+If you disable this policy setting, files are prevented from being downloaded from the zone.
+
+If you do not configure this policy setting, files are prevented from being downloaded from the zone.
> [!TIP]
@@ -12875,14 +13344,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow file downloads*
- GP name: *IZ_PolicyFileDownload_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -12940,14 +13409,14 @@ If you do not configure this policy setting, users are queried whether to allow
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -13005,14 +13474,14 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -13054,6 +13523,13 @@ ADMX Info:
+This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.
+
+If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files.
+
+If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.
+
+If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
> [!TIP]
@@ -13063,14 +13539,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow loading of XAML files*
- GP name: *IZ_Policy_XAML_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -13112,6 +13588,13 @@ ADMX Info:
+This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.
+
+If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page.
+
+If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page.
+
+If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page.
> [!TIP]
@@ -13121,14 +13604,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow META REFRESH*
- GP name: *IZ_PolicyAllowMETAREFRESH_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -13186,14 +13669,14 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -13235,6 +13718,11 @@ ADMX Info:
+This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.
+
+If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites.
+
+If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
> [!TIP]
@@ -13244,14 +13732,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow only approved domains to use ActiveX controls without prompt*
- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -13293,6 +13781,11 @@ ADMX Info:
+This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.
+
+If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone.
+
+If you disable this policy setting, the TDC Active X control will run from all sites in this zone.
> [!TIP]
@@ -13302,14 +13795,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow only approved domains to use the TDC ActiveX control*
- GP name: *IZ_PolicyAllowTDCControl_Both_Restricted*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -13351,6 +13844,13 @@ ADMX Info:
+This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars.
+
+If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature.
+
+If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
+
+If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
> [!TIP]
@@ -13360,14 +13860,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow script-initiated windows without size or position constraints*
- GP name: *IZ_PolicyWindowsRestrictionsURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -13409,6 +13909,13 @@ ADMX Info:
+This policy setting determines whether a page can control embedded WebBrowser controls via script.
+
+If you enable this policy setting, script access to the WebBrowser control is allowed.
+
+If you disable this policy setting, script access to the WebBrowser control is not allowed.
+
+If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones.
> [!TIP]
@@ -13418,14 +13925,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scripting of Internet Explorer WebBrowser controls*
- GP name: *IZ_Policy_WebBrowserControl_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -13483,14 +13990,14 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -13550,14 +14057,14 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -13599,6 +14106,11 @@ ADMX Info:
+This policy setting allows you to manage whether script is allowed to update the status bar within the zone.
+
+If you enable this policy setting, script is allowed to update the status bar.
+
+If you disable or do not configure this policy setting, script is not allowed to update the status bar.
> [!TIP]
@@ -13608,14 +14120,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow updates to status bar via script*
- GP name: *IZ_Policy_ScriptStatusBar_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -13673,14 +14185,14 @@ If you do not configure this policy setting, users cannot preserve information i
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -13722,6 +14234,13 @@ ADMX Info:
+This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
+
+If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+
+If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+
+If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
> [!TIP]
@@ -13731,14 +14250,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -13780,6 +14299,13 @@ ADMX Info:
+This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone.
+
+If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
+
+If you disable the policy setting, signed controls cannot be downloaded.
+
+If you do not configure this policy setting, signed controls cannot be downloaded.
> [!TIP]
@@ -13789,14 +14315,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Download signed ActiveX controls*
- GP name: *IZ_PolicyDownloadSignedActiveX_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -13838,6 +14364,13 @@ ADMX Info:
+This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.
+
+If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.
+
+If you disable this policy setting, users cannot run unsigned controls.
+
+If you do not configure this policy setting, users cannot run unsigned controls.
> [!TIP]
@@ -13847,14 +14380,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Download unsigned ActiveX controls*
- GP name: *IZ_PolicyDownloadUnsignedActiveX_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -13896,6 +14429,11 @@ ADMX Info:
+This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.
+
+If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections.
+
+If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
> [!TIP]
@@ -13905,14 +14443,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Cross-Site Scripting Filter*
- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -13954,6 +14492,15 @@ ADMX Info:
+This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows.
+
+If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
+
+If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting.
+
+In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog.
+
+In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
> [!TIP]
@@ -13963,14 +14510,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable dragging of content from different domains across windows*
- GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -14012,6 +14559,15 @@ ADMX Info:
+This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window.
+
+If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting.
+
+If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.
+
+In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog.
+
+In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.
> [!TIP]
@@ -14021,14 +14577,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable dragging of content from different domains within a window*
- GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -14070,6 +14626,13 @@ ADMX Info:
+This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.
+
+If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature.
+
+If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process.
+
+If you do not configure this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process.
> [!TIP]
@@ -14079,14 +14642,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable MIME Sniffing*
- GP name: *IZ_PolicyMimeSniffingURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -14128,6 +14691,13 @@ ADMX Info:
+This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path.
+
+If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form.
+
+If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form.
+
+If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent.
> [!TIP]
@@ -14137,14 +14707,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Include local path when user is uploading files to a server*
- GP name: *IZ_Policy_LocalPathForUpload_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -14204,14 +14774,14 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -14253,6 +14823,19 @@ ADMX Info:
+This policy setting allows you to manage permissions for Java applets.
+
+If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
+
+Low Safety enables applets to perform all operations.
+
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+
+High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
+
+If you disable this policy setting, Java applets cannot run.
+
+If you do not configure this policy setting, Java applets are disabled.
> [!TIP]
@@ -14262,14 +14845,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -14311,6 +14894,13 @@ ADMX Info:
+This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.
+
+If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
+
+If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
+
+If you do not configure this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
> [!TIP]
@@ -14320,14 +14910,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Launching applications and files in an IFRAME*
- GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -14369,6 +14959,21 @@ ADMX Info:
+This policy setting allows you to manage settings for logon options.
+
+If you enable this policy setting, you can choose from the following logon options.
+
+Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+
+Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.
+
+If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+If you do not configure this policy setting, logon is set to Prompt for username and password.
> [!TIP]
@@ -14378,14 +14983,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Logon options*
- GP name: *IZ_PolicyLogon_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -14443,14 +15048,14 @@ If you do not configure this policy setting, users cannot open other windows and
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -14492,6 +15097,15 @@ ADMX Info:
+This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone.
+
+If you enable this policy setting, controls and plug-ins can run without user intervention.
+
+If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run.
+
+If you disable this policy setting, controls and plug-ins are prevented from running.
+
+If you do not configure this policy setting, controls and plug-ins are prevented from running.
> [!TIP]
@@ -14501,14 +15115,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run ActiveX controls and plugins*
- GP name: *IZ_PolicyRunActiveXControls_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -14550,6 +15164,13 @@ ADMX Info:
+This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
+
+If you disable this policy setting, Internet Explorer will not execute signed managed components.
+
+If you do not configure this policy setting, Internet Explorer will not execute signed managed components.
> [!TIP]
@@ -14559,14 +15180,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components signed with Authenticode*
- GP name: *IZ_PolicySignedFrameworkComponentsURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -14608,6 +15229,15 @@ ADMX Info:
+This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script.
+
+If you enable this policy setting, script interaction can occur automatically without user intervention.
+
+If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction.
+
+If you disable this policy setting, script interaction is prevented from occurring.
+
+If you do not configure this policy setting, script interaction is prevented from occurring.
> [!TIP]
@@ -14617,14 +15247,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Script ActiveX controls marked safe for scripting*
- GP name: *IZ_PolicyScriptActiveXMarkedSafe_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -14666,6 +15296,15 @@ ADMX Info:
+This policy setting allows you to manage whether applets are exposed to scripts within the zone.
+
+If you enable this policy setting, scripts can access applets automatically without user intervention.
+
+If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets.
+
+If you disable this policy setting, scripts are prevented from accessing applets.
+
+If you do not configure this policy setting, scripts are prevented from accessing applets.
> [!TIP]
@@ -14675,14 +15314,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Scripting of Java applets*
- GP name: *IZ_PolicyScriptingOfJavaApplets_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -14724,6 +15363,13 @@ ADMX Info:
+This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).
+
+If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open.
+
+If you disable this policy setting, these files do not open.
+
+If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
> [!TIP]
@@ -14733,14 +15379,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Show security warning for potentially unsafe files*
- GP name: *IZ_Policy_UnsafeFiles_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -14782,6 +15428,13 @@ ADMX Info:
+This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.
+
+If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode.
+
+If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode.
+
+If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
> [!TIP]
@@ -14791,14 +15444,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Protected Mode*
- GP name: *IZ_Policy_TurnOnProtectedMode_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -14840,6 +15493,13 @@ ADMX Info:
+This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.
+
+If you enable this policy setting, most unwanted pop-up windows are prevented from appearing.
+
+If you disable this policy setting, pop-up windows are not prevented from appearing.
+
+If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing.
> [!TIP]
@@ -14849,14 +15509,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Use Pop-up Blocker*
- GP name: *IZ_PolicyBlockPopupWindows_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -14898,6 +15558,11 @@ ADMX Info:
+Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars.
+
+If you enable this policy setting, scripted windows are restricted for all processes.
+
+If you disable or do not configure this policy setting, scripted windows are not restricted.
> [!TIP]
@@ -14907,14 +15572,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_8*
- GP path: *Windows Components/Internet Explorer/Security Features/Scripted Window Security Restrictions*
- GP ADMX file name: *inetres.admx*
-
+
@@ -14970,14 +15635,14 @@ If you disable or do not configure this policy setting, the user can configure h
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Restrict search providers to a specific list*
- GP name: *SpecificSearchProvider*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -15018,6 +15683,15 @@ ADMX Info:
+Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level.
+
+If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer.
+
+If you disable this policy or do not configure it, users of the same computer can establish their own security zone settings.
+
+This policy is intended to ensure that security zone settings apply uniformly to the same computer and do not vary from user to user.
+
+Also, see the "Security zones: Do not allow users to change policies" policy.
> [!TIP]
@@ -15027,14 +15701,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Security Zones: Use only machine settings *
- GP name: *Security_HKLM_only*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -15076,6 +15750,11 @@ ADMX Info:
+This policy setting allows you to specify how ActiveX controls are installed.
+
+If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls.
+
+If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, are installed through the standard installation process.
> [!TIP]
@@ -15085,14 +15764,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify use of ActiveX Installer Service for installation of ActiveX controls*
- GP name: *OnlyUseAXISForActiveXInstall*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
+
@@ -15150,14 +15829,14 @@ If you do not configure this policy setting, users can load a page in the zone t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -15215,14 +15894,14 @@ If you do not configure this policy setting, users will receive a prompt when a
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -15278,14 +15957,14 @@ If you disable or do not configure this setting, users will receive a file downl
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -15343,14 +16022,14 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -15408,14 +16087,14 @@ If you do not configure this policy setting, a warning is issued to the user tha
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -15473,14 +16152,14 @@ If you do not configure this policy setting, Internet Explorer will execute unsi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -15538,14 +16217,14 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -15605,14 +16284,14 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -15670,14 +16349,14 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -15719,6 +16398,13 @@ ADMX Info:
+This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
+
+If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+
+If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+
+If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
> [!TIP]
@@ -15728,14 +16414,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -15795,14 +16481,14 @@ If you do not configure this policy setting, users are queried whether to allow
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -15844,6 +16530,19 @@ ADMX Info:
+This policy setting allows you to manage permissions for Java applets.
+
+If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
+
+Low Safety enables applets to perform all operations.
+
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+
+High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
+
+If you disable this policy setting, Java applets cannot run.
+
+If you do not configure this policy setting, the permission is set to Low Safety.
> [!TIP]
@@ -15853,14 +16552,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
@@ -15918,14 +16617,14 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index 361a19a81c..6831acebc5 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Kerberos
@@ -89,14 +89,14 @@ If you disable or do not configure this policy setting, the Kerberos client does
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Use forest search order*
- GP name: *ForestSearch*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
-
+
@@ -137,7 +137,7 @@ ADMX Info:
-This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
+This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
@@ -150,14 +150,14 @@ If you disable or do not configure this policy setting, the client devices will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
- GP name: *EnableCbacAndArmor*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
-
+
@@ -202,9 +202,9 @@ This policy setting controls whether a computer requires that Kerberos message e
Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
-If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
+If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
-Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
+Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
@@ -216,14 +216,14 @@ If you disable or do not configure this policy setting, the client computers in
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Fail authentication requests when Kerberos armoring is not available*
- GP name: *ClientRequireFast*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
-
+
@@ -264,7 +264,7 @@ ADMX Info:
-This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
+This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
@@ -278,14 +278,14 @@ If you disable or do not configure this policy setting, the Kerberos client requ
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Require strict KDC validation*
- GP name: *ValidateKDC*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
-
+
@@ -328,11 +328,11 @@ ADMX Info:
This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
-The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
+The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.
-If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
+If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
@@ -344,14 +344,14 @@ Note: This policy setting configures the existing MaxTokenSize registry value in
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Set maximum Kerberos SSPI context token buffer size*
- GP name: *MaxTokenSize*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md
index 66109605f7..0e063d9b5f 100644
--- a/windows/client-management/mdm/policy-csp-licensing.md
+++ b/windows/client-management/mdm/policy-csp-licensing.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Licensing
@@ -69,6 +69,14 @@ ms.date: 01/30/2018
Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices.
+
+ADMX Info:
+- GP English name: *Control Device Reactivation for Retail devices*
+- GP name: *AllowWindowsEntitlementReactivation*
+- GP path: *Windows Components/Software Protection Platform*
+- GP ADMX file name: *AVSValidationGP.admx*
+
+
The following list shows the supported values:
@@ -119,6 +127,14 @@ The following list shows the supported values:
Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state.
+
+ADMX Info:
+- GP English name: *Turn off KMS Client Online AVS Validation*
+- GP name: *NoAcquireGT*
+- GP path: *Windows Components/Software Protection Platform*
+- GP ADMX file name: *AVSValidationGP.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index f67234078a..1ffde8a086 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - LocalPoliciesSecurityOptions
@@ -238,6 +238,12 @@ If you disable or do not configure this policy (recommended), users will be able
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *Accounts: Block Microsoft accounts*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
The following list shows the supported values:
@@ -297,6 +303,12 @@ Default: Disabled.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *Accounts: Administrator account status*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
Valid values:
- 0 - local Administrator account is disabled
@@ -352,6 +364,12 @@ Note: If the Guest account is disabled and the security option Network Access: S
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *Accounts: Guest account status*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
Valid values:
- 0 - local Guest account is disabled
@@ -415,6 +433,12 @@ It is possible for applications that use remote interactive logons to bypass thi
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *Accounts: Limit local account use of blank passwords to console logon only*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
Valid values:
- 0 - disabled - local accounts that are not password protected can be used to log on from locations other than the physical computer console
@@ -470,6 +494,12 @@ Default: Administrator.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *Accounts: Rename administrator account*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -519,6 +549,12 @@ Default: Guest.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *Accounts: Rename guest account*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -569,6 +605,12 @@ Caution:
Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable.
+
+GP Info:
+- GP English name: *Devices: Allow undock without having to log on*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -619,6 +661,12 @@ This security setting determines who is allowed to format and eject removable NT
Default: This policy is not defined and only Administrators have this ability.
+
+GP Info:
+- GP English name: *Devices: Allowed to format and eject removable media*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -671,6 +719,12 @@ Note
This setting does not affect the ability to add a local printer. This setting does not affect Administrators.
+
+GP Info:
+- GP English name: *Devices: Prevent users from installing printer drivers*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -720,6 +774,12 @@ If this policy is enabled, it allows only the interactively logged-on user to ac
Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user.
+
+GP Info:
+- GP English name: *Devices: Restrict CD-ROM access to locally logged-on user only*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -780,6 +840,12 @@ If this policy is enabled, the policy Domain member: Digitally sign secure chann
Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
+
+GP Info:
+- GP English name: *Domain member: Digitally encrypt or sign secure channel data (always)*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -837,6 +903,12 @@ There is no known reason for disabling this setting. Besides unnecessarily reduc
Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
+
+GP Info:
+- GP English name: *Domain member: Digitally encrypt secure channel data (when possible)*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -888,6 +960,12 @@ This setting determines whether or not the domain member attempts to negotiate s
Default: Enabled.
+
+GP Info:
+- GP English name: *Domain member: Digitally sign secure channel data (when possible)*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -940,6 +1018,12 @@ This security setting should not be enabled. Computer account passwords are used
This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
+
+GP Info:
+- GP English name: *Domain member: Disable machine account password changes*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -991,6 +1075,12 @@ Important
This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
+
+GP Info:
+- GP English name: *Domain member: Maximum machine account password age*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -1053,6 +1143,12 @@ In order to take advantage of this policy on member workstations and servers, al
In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
+
+GP Info:
+- GP English name: *Domain member: Require strong (Windows 2000 or later) session key*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -1099,6 +1195,12 @@ Interactive Logon:Display user information when the session is locked
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *Interactive logon: Display user information when the session is locked*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
Valid values:
- 1 - User display name, domain and user names
@@ -1158,6 +1260,12 @@ Default: Disabled.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *Interactive logon: Don't display last signed-in*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
Valid values:
- 0 - disabled (username will be shown)
@@ -1217,6 +1325,12 @@ Default: Disabled.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *Interactive logon: Don't display username at sign-in*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
Valid values:
- 0 - disabled (username will be shown)
@@ -1277,6 +1391,12 @@ Default on stand-alone computers: Enabled.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *Interactive logon: Do not require CTRL+ALT+DEL*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
Valid values:
- 0 - disabled
@@ -1332,6 +1452,12 @@ Default: not enforced.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *Interactive logon: Machine inactivity limit*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
Valid values:
- 0 - disabled
@@ -1389,6 +1515,12 @@ Default: No message.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *Interactive logon: Message text for users attempting to log on*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -1438,6 +1570,12 @@ Default: No message.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *Interactive logon: Message title for users attempting to log on*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -1502,6 +1640,12 @@ Default: This policy is not defined, which means that the system treats it as No
On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.
+
+GP Info:
+- GP English name: *Interactive logon: Smart card removal behavior*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -1567,6 +1711,12 @@ SMB packet signing can significantly degrade SMB performance, depending on diale
For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+GP Info:
+- GP English name: *Microsoft network client: Digitally sign communications (always)*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -1629,6 +1779,12 @@ SMB packet signing can significantly degrade SMB performance, depending on diale
For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+GP Info:
+- GP English name: *Microsoft network client: Digitally sign communications (if server agrees)*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -1678,6 +1834,12 @@ Sending unencrypted passwords is a security risk.
Default: Disabled.
+
+GP Info:
+- GP English name: *Microsoft network client: Send unencrypted password to third-party SMB servers*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -1729,6 +1891,12 @@ For this policy setting, a value of 0 means to disconnect an idle session as qui
Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
+
+GP Info:
+- GP English name: *Microsoft network server: Amount of idle time required before suspending session*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -1803,6 +1971,12 @@ HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecurity
For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+GP Info:
+- GP English name: *Microsoft network server: Digitally sign communications (always)*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -1869,6 +2043,12 @@ SMB packet signing can significantly degrade SMB performance, depending on diale
For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+GP Info:
+- GP English name: *Microsoft network server: Digitally sign communications (if client agrees)*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -1928,6 +2108,12 @@ Important
This policy has no impact on domain controllers.
+
+GP Info:
+- GP English name: *Network access: Do not allow anonymous enumeration of SAM accounts*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -1977,6 +2163,12 @@ Windows allows anonymous users to perform certain activities, such as enumeratin
Default: Disabled.
+
+GP Info:
+- GP English name: *Network access: Do not allow anonymous enumeration of SAM accounts and shares*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -2077,6 +2269,12 @@ Network access: Shares that can be accessed anonymously
Default: Enabled.
+
+GP Info:
+- GP English name: *Network access: Restrict anonymous access to Named Pipes and Shares*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -2126,6 +2324,12 @@ If not selected, the default security descriptor will be used.
This policy is supported on at least Windows Server 2016.
+
+GP Info:
+- GP English name: *Network access: Restrict clients allowed to make remote calls to SAM*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -2231,6 +2435,12 @@ This policy will be turned off by default on domain joined machines. This would
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *Network security: Allow PKU2U authentication requests to this computer to use online identities.*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
Valid values:
- 0 - disabled
@@ -2291,6 +2501,12 @@ Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authenticat
This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98.
+
+GP Info:
+- GP English name: *Network security: Do not store LAN Manager hash value on next password change*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -2360,6 +2576,12 @@ Windows Server 2003: Send NTLM response only
Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only
+
+GP Info:
+- GP English name: *Network security: LAN Manager authentication level*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -2414,6 +2636,12 @@ Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows
Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+
+GP Info:
+- GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -2468,6 +2696,12 @@ Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows
Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+
+GP Info:
+- GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) servers*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -2568,6 +2802,12 @@ Default on servers: Disabled.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *Shutdown: Allow system to be shut down without having to log on*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
Valid values:
- 0 - disabled
@@ -2625,6 +2865,12 @@ When this policy is enabled, it causes the system pagefile to be cleared upon cl
Default: Disabled.
+
+GP Info:
+- GP English name: *Shutdown: Clear virtual memory pagefile*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -2727,6 +2973,12 @@ The secure desktop can be disabled only by the user of the interactive desktop o
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
Valid values:
- 0 - disabled
@@ -2794,6 +3046,12 @@ The options are:
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -2840,6 +3098,12 @@ This policy setting controls the behavior of the elevation prompt for standard u
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *User Account Control: Behavior of the elevation prompt for standard users*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
The following list shows the supported values:
@@ -2899,6 +3163,12 @@ Enabled: (Default) When an application installation package is detected that req
Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
+
+GP Info:
+- GP English name: *User Account Control: Detect application installations and prompt for elevation*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -2950,6 +3220,12 @@ The options are:
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *User Account Control: Only elevate executables that are signed and validated*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -3007,6 +3283,12 @@ The options are:
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *User Account Control: Only elevate UIAccess applications that are installed in secure locations*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -3059,6 +3341,12 @@ The options are:
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *User Account Control: Run all administrators in Admin Approval Mode*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -3110,6 +3398,12 @@ The options are:
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *User Account Control: Switch to the secure desktop when prompting for elevation*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -3161,6 +3455,12 @@ The options are:
• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege.
+
+GP Info:
+- GP English name: *User Account Control: Admin Approval Mode for the Built-in Administrator account*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
@@ -3208,6 +3508,12 @@ This policy setting controls whether application write failures are redirected t
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+GP Info:
+- GP English name: *User Account Control: Virtualize file and registry write failures to per-user locations*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md
index ac9c25abfa..18e7a7fd97 100644
--- a/windows/client-management/mdm/policy-csp-location.md
+++ b/windows/client-management/mdm/policy-csp-location.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Location
@@ -69,6 +69,14 @@ Added in Windows 10, version 1703. Optional policy that allows for IT admin to
> This policy is not intended to ever be set, pushed, or refreshed more than one time after the first boot of the device because it is meant as initial configuration. Refreshing this policy might result in the Location Service's Device Switch changing state to something the user did not select, which is not an intended use for this policy.
+
+ADMX Info:
+- GP English name: *Turn off Windows Location Provider*
+- GP name: *DisableWindowsLocationProvider_1*
+- GP path: *Windows Components/Location and Sensors/Windows Location Provider*
+- GP ADMX file name: *LocationProviderAdm.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md
index a63d073566..be9c02f1d7 100644
--- a/windows/client-management/mdm/policy-csp-lockdown.md
+++ b/windows/client-management/mdm/policy-csp-lockdown.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - LockDown
@@ -68,6 +68,14 @@ Added in Windows 10, version 1607. Allows the user to invoke any system user in
The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled.
+
+ADMX Info:
+- GP English name: *Allow edge swipe*
+- GP name: *AllowEdgeSwipe*
+- GP path: *Windows Components/Edge UI*
+- GP ADMX file name: *EdgeUI.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md
index 4d5a5f55ec..d60af40683 100644
--- a/windows/client-management/mdm/policy-csp-maps.md
+++ b/windows/client-management/mdm/policy-csp-maps.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Maps
@@ -124,6 +124,14 @@ Added in Windows 10, version 1607. Disables the automatic download and update o
After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**.
+
+ADMX Info:
+- GP English name: *Turn off Automatic Download and Update of Map Data*
+- GP name: *TurnOffAutoUpdate*
+- GP path: *Windows Components/Maps*
+- GP ADMX file name: *WinMaps.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
index abd33e0f71..2ad6d83fe0 100644
--- a/windows/client-management/mdm/policy-csp-messaging.md
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Messaging
@@ -125,6 +125,14 @@ The following list shows the supported values:
Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control.
+
+ADMX Info:
+- GP English name: *Allow Message Service Cloud Sync*
+- GP name: *AllowMessageSync*
+- GP path: *Windows Components/Messaging*
+- GP ADMX file name: *messaging.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
index 445d9a8d6d..70db29303b 100644
--- a/windows/client-management/mdm/policy-csp-networkisolation.md
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - NetworkIsolation
@@ -87,6 +87,15 @@ ms.date: 01/30/2018
Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**.
+
+ADMX Info:
+- GP English name: *Enterprise resource domains hosted in the cloud*
+- GP name: *WF_NetIsolation_EnterpriseCloudResources*
+- GP element: *WF_NetIsolation_EnterpriseCloudResourcesBox*
+- GP path: *Network/Network Isolation*
+- GP ADMX file name: *NetworkIsolation.admx*
+
+
@@ -130,6 +139,15 @@ Contains a list of Enterprise resource domains hosted in the cloud that need to
Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges.
+
+ADMX Info:
+- GP English name: *Private network ranges for apps*
+- GP name: *WF_NetIsolation_PrivateSubnet*
+- GP element: *WF_NetIsolation_PrivateSubnetBox*
+- GP path: *Network/Network Isolation*
+- GP ADMX file name: *NetworkIsolation.admx*
+
+
For example:
@@ -186,6 +204,14 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets.
+
+ADMX Info:
+- GP English name: *Subnet definitions are authoritative*
+- GP name: *WF_NetIsolation_Authoritative_Subnet*
+- GP path: *Network/Network Isolation*
+- GP ADMX file name: *NetworkIsolation.admx*
+
+
@@ -229,6 +255,15 @@ Boolean value that tells the client to accept the configured list and not to use
This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies.
+
+ADMX Info:
+- GP English name: *Intranet proxy servers for apps*
+- GP name: *WF_NetIsolation_Intranet_Proxies*
+- GP element: *WF_NetIsolation_Intranet_ProxiesBox*
+- GP path: *Network/Network Isolation*
+- GP ADMX file name: *NetworkIsolation.admx*
+
+
@@ -325,6 +360,15 @@ Here are the steps to create canonical domain names:
This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59".
+
+ADMX Info:
+- GP English name: *Internet proxy servers for apps*
+- GP name: *WF_NetIsolation_Domain_Proxies*
+- GP element: *WF_NetIsolation_Domain_ProxiesBox*
+- GP path: *Network/Network Isolation*
+- GP ADMX file name: *NetworkIsolation.admx*
+
+
@@ -368,6 +412,14 @@ This is a comma-separated list of proxy servers. Any server on this list is cons
Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies.
+
+ADMX Info:
+- GP English name: *Proxy definitions are authoritative*
+- GP name: *WF_NetIsolation_Authoritative_Proxies*
+- GP path: *Network/Network Isolation*
+- GP ADMX file name: *NetworkIsolation.admx*
+
+
@@ -411,6 +463,15 @@ Boolean value that tells the client to accept the configured list of proxies and
List of domain names that can used for work or personal resource.
+
+ADMX Info:
+- GP English name: *Domains categorized as both work and personal*
+- GP name: *WF_NetIsolation_NeutralResources*
+- GP element: *WF_NetIsolation_NeutralResourcesBox*
+- GP path: *Network/Network Isolation*
+- GP ADMX file name: *NetworkIsolation.admx*
+
+
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index 2f8a4559f5..b4363ef967 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Notifications
@@ -70,6 +70,14 @@ For each user logged into the device, if you enable this policy (set value to 1)
No reboot or service restart is required for this policy to take effect.
+
+ADMX Info:
+- GP English name: *Turn off notification mirroring*
+- GP name: *NoNotificationMirroring*
+- GP path: *Start Menu and Taskbar/Notifications*
+- GP ADMX file name: *WPN.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index 5bc495e5d8..c69cf5db4a 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Power
@@ -101,14 +101,14 @@ If you disable this policy setting, standby states (S1-S3) are not allowed.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow standby states (S1-S3) when sleeping (plugged in)*
- GP name: *AllowStandbyStatesAC_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
+
@@ -149,13 +149,13 @@ ADMX Info:
-Added in Windows 10, version 1709. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display.
+Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows turns off the display.
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display.
If you disable or do not configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
> [!TIP]
@@ -165,14 +165,14 @@ If the user has configured a slide show to run on the lock screen when the machi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off the display (on battery)*
- GP name: *VideoPowerDownTimeOutDC_2*
- GP path: *System/Power Management/Video and Display Settings*
- GP ADMX file name: *power.admx*
-
+
@@ -213,13 +213,13 @@ ADMX Info:
-Added in Windows 10, version 1709. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display.
+Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows turns off the display.
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display.
If you disable or do not configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
> [!TIP]
@@ -229,14 +229,14 @@ If the user has configured a slide show to run on the lock screen when the machi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off the display (plugged in)*
- GP name: *VideoPowerDownTimeOutAC_2*
- GP path: *System/Power Management/Video and Display Settings*
- GP ADMX file name: *power.admx*
-
+
@@ -277,14 +277,13 @@ ADMX Info:
-Added in Windows 10, version 1709. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
+Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate.
If you disable or do not configure this policy setting, users control this setting.
-
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
> [!TIP]
@@ -294,14 +293,14 @@ If the user has configured a slide show to run on the lock screen when the machi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the system hibernate timeout (on battery)*
- GP name: *DCHibernateTimeOut_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
+
@@ -342,13 +341,13 @@ ADMX Info:
-Added in Windows 10, version 1709. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
+Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate.
If you disable or do not configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
> [!TIP]
@@ -358,14 +357,14 @@ If the user has configured a slide show to run on the lock screen when the machi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the system hibernate timeout (plugged in)*
- GP name: *ACHibernateTimeOut_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
+
@@ -420,14 +419,14 @@ If you disable this policy setting, the user is not prompted for a password when
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Require a password when a computer wakes (on battery)*
- GP name: *DCPromptForPasswordOnResume_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
+
@@ -482,14 +481,14 @@ If you disable this policy setting, the user is not prompted for a password when
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Require a password when a computer wakes (plugged in)*
- GP name: *ACPromptForPasswordOnResume_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
+
@@ -530,13 +529,13 @@ ADMX Info:
-Added in Windows 10, version 1709. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
+Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep.
If you disable or do not configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
> [!TIP]
@@ -546,14 +545,14 @@ If the user has configured a slide show to run on the lock screen when the machi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the system sleep timeout (on battery)*
- GP name: *DCStandbyTimeOut_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
+
@@ -594,13 +593,13 @@ ADMX Info:
-Added in Windows 10, version 1709. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
+Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep.
If you disable or do not configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
> [!TIP]
@@ -610,14 +609,14 @@ If the user has configured a slide show to run on the lock screen when the machi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the system sleep timeout (plugged in)*
- GP name: *ACStandbyTimeOut_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md
index 2e10fa65e7..fd0939f604 100644
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Printers
@@ -96,14 +96,14 @@ If you disable this policy setting:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Point and Print Restrictions*
- GP name: *PointAndPrint_Restrictions_Win7*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
-
+
@@ -171,14 +171,14 @@ If you disable this policy setting:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Point and Print Restrictions*
- GP name: *PointAndPrint_Restrictions*
- GP path: *Control Panel/Printers*
- GP ADMX file name: *Printing.admx*
-
+
@@ -235,14 +235,14 @@ Note: This settings takes priority over the setting "Automatically publish new p
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow printers to be published*
- GP name: *PublishPrinters*
- GP path: *Printers*
- GP ADMX file name: *Printing2.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index c42149d2f1..3595219241 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Privacy
@@ -352,6 +352,14 @@ Updated in Windows 10, version 1709. Allows the usage of cloud based speech serv
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Allow input personalization*
+- GP name: *AllowInputPersonalization*
+- GP path: *Control Panel/Regional and Language Options*
+- GP ADMX file name: *Globalization.admx*
+
+
The following list shows the supported values:
@@ -404,6 +412,14 @@ Added in Windows 10, version 1607. Enables or disables the Advertising ID.
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Turn off the advertising ID*
+- GP name: *DisableAdvertisingId*
+- GP path: *System/User Profiles*
+- GP ADMX file name: *UserProfiles.admx*
+
+
The following list shows the supported values:
@@ -455,6 +471,14 @@ The following list shows the supported values:
Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed.
+
+ADMX Info:
+- GP English name: *Enables Activity Feed*
+- GP name: *EnableActivityFeed*
+- GP path: *System/OS Policies*
+- GP ADMX file name: *OSPolicy.admx*
+
+
The following list shows the supported values:
@@ -508,6 +532,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access ac
Most restricted value is 2.
+
+ADMX Info:
+- GP English name: *Let Windows apps access account information*
+- GP name: *LetAppsAccessAccountInfo*
+- GP element: *LetAppsAccessAccountInfo_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
The following list shows the supported values:
@@ -559,6 +592,15 @@ The following list shows the supported values:
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access account information*
+- GP name: *LetAppsAccessAccountInfo*
+- GP element: *LetAppsAccessAccountInfo_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -602,6 +644,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access account information*
+- GP name: *LetAppsAccessAccountInfo*
+- GP element: *LetAppsAccessAccountInfo_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -645,6 +696,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access account information*
+- GP name: *LetAppsAccessAccountInfo*
+- GP element: *LetAppsAccessAccountInfo_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -691,6 +751,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access th
Most restricted value is 2.
+
+ADMX Info:
+- GP English name: *Let Windows apps access the calendar*
+- GP name: *LetAppsAccessCalendar*
+- GP element: *LetAppsAccessCalendar_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
The following list shows the supported values:
@@ -742,6 +811,15 @@ The following list shows the supported values:
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access the calendar*
+- GP name: *LetAppsAccessCalendar*
+- GP element: *LetAppsAccessCalendar_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -785,6 +863,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access the calendar*
+- GP name: *LetAppsAccessCalendar*
+- GP element: *LetAppsAccessCalendar_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -828,6 +915,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access the calendar*
+- GP name: *LetAppsAccessCalendar*
+- GP element: *LetAppsAccessCalendar_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -874,6 +970,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access ca
Most restricted value is 2.
+
+ADMX Info:
+- GP English name: *Let Windows apps access call history*
+- GP name: *LetAppsAccessCallHistory*
+- GP element: *LetAppsAccessCallHistory_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
The following list shows the supported values:
@@ -925,6 +1030,15 @@ The following list shows the supported values:
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access call history*
+- GP name: *LetAppsAccessCallHistory*
+- GP element: *LetAppsAccessCallHistory_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -968,6 +1082,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access call history*
+- GP name: *LetAppsAccessCallHistory*
+- GP element: *LetAppsAccessCallHistory_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -1011,6 +1134,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access call history*
+- GP name: *LetAppsAccessCallHistory*
+- GP element: *LetAppsAccessCallHistory_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -1057,6 +1189,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access th
Most restricted value is 2.
+
+ADMX Info:
+- GP English name: *Let Windows apps access the camera*
+- GP name: *LetAppsAccessCamera*
+- GP element: *LetAppsAccessCamera_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
The following list shows the supported values:
@@ -1108,6 +1249,15 @@ The following list shows the supported values:
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access the camera*
+- GP name: *LetAppsAccessCamera*
+- GP element: *LetAppsAccessCamera_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -1151,6 +1301,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access the camera*
+- GP name: *LetAppsAccessCamera*
+- GP element: *LetAppsAccessCamera_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -1194,6 +1353,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access the camera*
+- GP name: *LetAppsAccessCamera*
+- GP element: *LetAppsAccessCamera_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -1240,6 +1408,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access co
Most restricted value is 2.
+
+ADMX Info:
+- GP English name: *Let Windows apps access contacts*
+- GP name: *LetAppsAccessContacts*
+- GP element: *LetAppsAccessContacts_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
The following list shows the supported values:
@@ -1291,6 +1468,15 @@ The following list shows the supported values:
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access contacts*
+- GP name: *LetAppsAccessContacts*
+- GP element: *LetAppsAccessContacts_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -1334,6 +1520,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access contacts*
+- GP name: *LetAppsAccessContacts*
+- GP element: *LetAppsAccessContacts_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -1377,6 +1572,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access contacts*
+- GP name: *LetAppsAccessContacts*
+- GP element: *LetAppsAccessContacts_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -1423,6 +1627,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access em
Most restricted value is 2.
+
+ADMX Info:
+- GP English name: *Let Windows apps access email*
+- GP name: *LetAppsAccessEmail*
+- GP element: *LetAppsAccessEmail_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
The following list shows the supported values:
@@ -1474,6 +1687,15 @@ The following list shows the supported values:
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access email*
+- GP name: *LetAppsAccessEmail*
+- GP element: *LetAppsAccessEmail_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -1517,6 +1739,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access email*
+- GP name: *LetAppsAccessEmail*
+- GP element: *LetAppsAccessEmail_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -1560,6 +1791,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access email*
+- GP name: *LetAppsAccessEmail*
+- GP element: *LetAppsAccessEmail_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -1606,6 +1846,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access lo
Most restricted value is 2.
+
+ADMX Info:
+- GP English name: *Let Windows apps access location*
+- GP name: *LetAppsAccessLocation*
+- GP element: *LetAppsAccessLocation_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
The following list shows the supported values:
@@ -1657,6 +1906,15 @@ The following list shows the supported values:
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access location*
+- GP name: *LetAppsAccessLocation*
+- GP element: *LetAppsAccessLocation_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -1700,6 +1958,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access location*
+- GP name: *LetAppsAccessLocation*
+- GP element: *LetAppsAccessLocation_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -1743,6 +2010,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access location*
+- GP name: *LetAppsAccessLocation*
+- GP element: *LetAppsAccessLocation_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -1789,6 +2065,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can read or s
Most restricted value is 2.
+
+ADMX Info:
+- GP English name: *Let Windows apps access messaging*
+- GP name: *LetAppsAccessMessaging*
+- GP element: *LetAppsAccessMessaging_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
The following list shows the supported values:
@@ -1840,6 +2125,15 @@ The following list shows the supported values:
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access messaging*
+- GP name: *LetAppsAccessMessaging*
+- GP element: *LetAppsAccessMessaging_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -1883,6 +2177,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access messaging*
+- GP name: *LetAppsAccessMessaging*
+- GP element: *LetAppsAccessMessaging_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -1926,6 +2229,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access messaging*
+- GP name: *LetAppsAccessMessaging*
+- GP element: *LetAppsAccessMessaging_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -1972,6 +2284,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access th
Most restricted value is 2.
+
+ADMX Info:
+- GP English name: *Let Windows apps access the microphone*
+- GP name: *LetAppsAccessMicrophone*
+- GP element: *LetAppsAccessMicrophone_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
The following list shows the supported values:
@@ -2023,6 +2344,15 @@ The following list shows the supported values:
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access the microphone*
+- GP name: *LetAppsAccessMicrophone*
+- GP element: *LetAppsAccessMicrophone_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -2066,6 +2396,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access the microphone*
+- GP name: *LetAppsAccessMicrophone*
+- GP element: *LetAppsAccessMicrophone_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -2109,6 +2448,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access the microphone*
+- GP name: *LetAppsAccessMicrophone*
+- GP element: *LetAppsAccessMicrophone_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -2155,6 +2503,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access mo
Most restricted value is 2.
+
+ADMX Info:
+- GP English name: *Let Windows apps access motion*
+- GP name: *LetAppsAccessMotion*
+- GP element: *LetAppsAccessMotion_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
The following list shows the supported values:
@@ -2206,6 +2563,15 @@ The following list shows the supported values:
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access motion*
+- GP name: *LetAppsAccessMotion*
+- GP element: *LetAppsAccessMotion_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -2249,6 +2615,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access motion*
+- GP name: *LetAppsAccessMotion*
+- GP element: *LetAppsAccessMotion_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -2292,6 +2667,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access motion*
+- GP name: *LetAppsAccessMotion*
+- GP element: *LetAppsAccessMotion_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -2338,6 +2722,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access no
Most restricted value is 2.
+
+ADMX Info:
+- GP English name: *Let Windows apps access notifications*
+- GP name: *LetAppsAccessNotifications*
+- GP element: *LetAppsAccessNotifications_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
The following list shows the supported values:
@@ -2389,6 +2782,15 @@ The following list shows the supported values:
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access notifications*
+- GP name: *LetAppsAccessNotifications*
+- GP element: *LetAppsAccessNotifications_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -2432,6 +2834,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access notifications*
+- GP name: *LetAppsAccessNotifications*
+- GP element: *LetAppsAccessNotifications_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -2475,6 +2886,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access notifications*
+- GP name: *LetAppsAccessNotifications*
+- GP element: *LetAppsAccessNotifications_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -2521,6 +2941,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can make phon
Most restricted value is 2.
+
+ADMX Info:
+- GP English name: *Let Windows apps make phone calls*
+- GP name: *LetAppsAccessPhone*
+- GP element: *LetAppsAccessPhone_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
The following list shows the supported values:
@@ -2572,6 +3001,15 @@ The following list shows the supported values:
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps make phone calls*
+- GP name: *LetAppsAccessPhone*
+- GP element: *LetAppsAccessPhone_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -2615,6 +3053,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps make phone calls*
+- GP name: *LetAppsAccessPhone*
+- GP element: *LetAppsAccessPhone_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -2658,6 +3105,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps make phone calls*
+- GP name: *LetAppsAccessPhone*
+- GP element: *LetAppsAccessPhone_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -2704,6 +3160,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps have access t
Most restricted value is 2.
+
+ADMX Info:
+- GP English name: *Let Windows apps control radios*
+- GP name: *LetAppsAccessRadios*
+- GP element: *LetAppsAccessRadios_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
The following list shows the supported values:
@@ -2755,6 +3220,15 @@ The following list shows the supported values:
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps control radios*
+- GP name: *LetAppsAccessRadios*
+- GP element: *LetAppsAccessRadios_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -2798,6 +3272,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps control radios*
+- GP name: *LetAppsAccessRadios*
+- GP element: *LetAppsAccessRadios_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -2841,6 +3324,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps control radios*
+- GP name: *LetAppsAccessRadios*
+- GP element: *LetAppsAccessRadios_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -2884,6 +3376,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks.
+
+ADMX Info:
+- GP English name: *Let Windows apps access Tasks*
+- GP name: *LetAppsAccessTasks*
+- GP element: *LetAppsAccessTasks_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -2927,6 +3428,15 @@ Added in Windows 10, version 1703. Specifies whether Windows apps can access tas
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access Tasks*
+- GP name: *LetAppsAccessTasks*
+- GP element: *LetAppsAccessTasks_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -2970,6 +3480,15 @@ Added in Windows 10, version 1703. List of semi-colon delimited Package Family N
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access Tasks*
+- GP name: *LetAppsAccessTasks*
+- GP element: *LetAppsAccessTasks_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -3013,6 +3532,15 @@ Added in Windows 10, version 1703. List of semi-colon delimited Package Family N
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access Tasks*
+- GP name: *LetAppsAccessTasks*
+- GP element: *LetAppsAccessTasks_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -3059,6 +3587,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can access tr
Most restricted value is 2.
+
+ADMX Info:
+- GP English name: *Let Windows apps access trusted devices*
+- GP name: *LetAppsAccessTrustedDevices*
+- GP element: *LetAppsAccessTrustedDevices_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
The following list shows the supported values:
@@ -3110,6 +3647,15 @@ The following list shows the supported values:
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access trusted devices*
+- GP name: *LetAppsAccessTrustedDevices*
+- GP element: *LetAppsAccessTrustedDevices_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -3153,6 +3699,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access trusted devices*
+- GP name: *LetAppsAccessTrustedDevices*
+- GP element: *LetAppsAccessTrustedDevices_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -3196,6 +3751,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access trusted devices*
+- GP name: *LetAppsAccessTrustedDevices*
+- GP element: *LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -3242,6 +3806,15 @@ Added in Windows 10, version 1703. Force allow, force deny or give user control
Most restricted value is 2.
+
+ADMX Info:
+- GP English name: *Let Windows apps access diagnostic information about other apps*
+- GP name: *LetAppsGetDiagnosticInfo*
+- GP element: *LetAppsGetDiagnosticInfo_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
The following list shows the supported values:
@@ -3293,6 +3866,15 @@ The following list shows the supported values:
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access diagnostic information about other apps*
+- GP name: *LetAppsGetDiagnosticInfo*
+- GP element: *LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -3336,6 +3918,15 @@ Added in Windows 10, version 1703. List of semi-colon delimited Package Family
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access diagnostic information about other apps*
+- GP name: *LetAppsGetDiagnosticInfo*
+- GP element: *LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -3379,6 +3970,15 @@ Added in Windows 10, version 1703. List of semi-colon delimited Package Family
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps access diagnostic information about other apps*
+- GP name: *LetAppsGetDiagnosticInfo*
+- GP element: *LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -3427,6 +4027,15 @@ Most restricted value is 2.
> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly.
+
+ADMX Info:
+- GP English name: *Let Windows apps run in the background*
+- GP name: *LetAppsRunInBackground*
+- GP element: *LetAppsRunInBackground_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
The following list shows the supported values:
@@ -3478,6 +4087,15 @@ The following list shows the supported values:
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps run in the background*
+- GP name: *LetAppsRunInBackground*
+- GP element: *LetAppsRunInBackground_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -3521,6 +4139,15 @@ Added in Windows 10, version 1703. List of semi-colon delimited Package Family
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps run in the background*
+- GP name: *LetAppsRunInBackground*
+- GP element: *LetAppsRunInBackground_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -3564,6 +4191,15 @@ Added in Windows 10, version 1703. List of semi-colon delimited Package Family
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps run in the background*
+- GP name: *LetAppsRunInBackground*
+- GP element: *LetAppsRunInBackground_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -3610,6 +4246,15 @@ Added in Windows 10, version 1607. Specifies whether Windows apps can sync with
Most restricted value is 2.
+
+ADMX Info:
+- GP English name: *Let Windows apps communicate with unpaired devices*
+- GP name: *LetAppsSyncWithDevices*
+- GP element: *LetAppsSyncWithDevices_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
The following list shows the supported values:
@@ -3661,6 +4306,15 @@ The following list shows the supported values:
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps communicate with unpaired devices*
+- GP name: *LetAppsSyncWithDevices*
+- GP element: *LetAppsSyncWithDevices_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -3704,6 +4358,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps communicate with unpaired devices*
+- GP name: *LetAppsSyncWithDevices*
+- GP element: *LetAppsSyncWithDevices_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -3747,6 +4410,15 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+ADMX Info:
+- GP English name: *Let Windows apps communicate with unpaired devices*
+- GP name: *LetAppsSyncWithDevices*
+- GP element: *LetAppsSyncWithDevices_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
@@ -3790,6 +4462,14 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed.
+
+ADMX Info:
+- GP English name: *Allow publishing of User Activities*
+- GP name: *PublishUserActivities*
+- GP path: *System/OS Policies*
+- GP ADMX file name: *OSPolicy.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md
index 79ab76a706..a26dd4c251 100644
--- a/windows/client-management/mdm/policy-csp-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-remoteassistance.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - RemoteAssistance
@@ -92,14 +92,14 @@ If you do not configure this policy setting, the user sees the default warning m
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Customize warning messages*
- GP name: *RA_Options*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
-
+
@@ -156,14 +156,14 @@ If you do not configure this setting, application-based settings are used.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on session logging*
- GP name: *RA_Logging*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
-
+
@@ -228,14 +228,14 @@ If you enable this policy setting you should also enable appropriate firewall ex
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Configure Solicited Remote Assistance*
- GP name: *RA_Solicit*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
-
+
@@ -323,14 +323,14 @@ Allow Remote Desktop Exception
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Configure Offer Remote Assistance*
- GP name: *RA_Unsolicit*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index 79615e7c27..3af7f7ca34 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - RemoteDesktopServices
@@ -84,9 +84,9 @@ If you enable this policy setting, users who are members of the Remote Desktop U
If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections.
-If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed.
+If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed.
-Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication.
+Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication.
You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider.
@@ -98,14 +98,14 @@ You can limit the number of users who can connect simultaneously by configuring
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow users to connect remotely by using Remote Desktop Services*
- GP name: *TS_DISABLE_CONNECTIONS*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections*
- GP ADMX file name: *terminalserver.admx*
-
+
@@ -170,14 +170,14 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Set client connection encryption level*
- GP name: *TS_ENCRYPTION_POLICY*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
-
+
@@ -236,14 +236,14 @@ If you do not configure this policy setting, client drive redirection and Clipbo
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not allow drive redirection*
- GP name: *TS_CLIENT_DRIVE_M*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection*
- GP ADMX file name: *terminalserver.admx*
-
+
@@ -298,14 +298,14 @@ If you disable this setting or leave it not configured, the user will be able to
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not allow passwords to be saved*
- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client*
- GP ADMX file name: *terminalserver.admx*
-
+
@@ -366,14 +366,14 @@ If you do not configure this policy setting, automatic logon is not specified at
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Always prompt for password upon connection*
- GP name: *TS_PASSWORD*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
-
+
@@ -434,14 +434,14 @@ Note: The RPC interface is used for administering and configuring Remote Desktop
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Require secure RPC communication*
- GP name: *TS_RPC_ENCRYPTION*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md
index 609bfc4763..67d82bb4f9 100644
--- a/windows/client-management/mdm/policy-csp-remotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-remotemanagement.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - RemoteManagement
@@ -105,6 +105,11 @@ ms.date: 01/30/2018
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.
+
+If you enable this policy setting, the WinRM client uses Basic authentication. If WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text.
+
+If you disable or do not configure this policy setting, the WinRM client does not use Basic authentication.
> [!TIP]
@@ -114,14 +119,14 @@ ms.date: 01/30/2018
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow Basic authentication*
- GP name: *AllowBasic_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
+
@@ -162,6 +167,11 @@ ADMX Info:
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client.
+
+If you enable this policy setting, the WinRM service accepts Basic authentication from a remote client.
+
+If you disable or do not configure this policy setting, the WinRM service does not accept Basic authentication from a remote client.
> [!TIP]
@@ -171,14 +181,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow Basic authentication*
- GP name: *AllowBasic_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
+
@@ -219,6 +229,11 @@ ADMX Info:
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses CredSSP authentication.
+
+If you enable this policy setting, the WinRM client uses CredSSP authentication.
+
+If you disable or do not configure this policy setting, the WinRM client does not use CredSSP authentication.
> [!TIP]
@@ -228,14 +243,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow CredSSP authentication*
- GP name: *AllowCredSSP_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
+
@@ -276,6 +291,11 @@ ADMX Info:
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts CredSSP authentication from a remote client.
+
+If you enable this policy setting, the WinRM service accepts CredSSP authentication from a remote client.
+
+If you disable or do not configure this policy setting, the WinRM service does not accept CredSSP authentication from a remote client.
> [!TIP]
@@ -285,14 +305,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow CredSSP authentication*
- GP name: *AllowCredSSP_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
+
@@ -333,6 +353,24 @@ ADMX Info:
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port.
+
+If you enable this policy setting, the WinRM service automatically listens on the network for requests on the HTTP transport over the default HTTP port.
+
+To allow WinRM service to receive requests over the network, configure the Windows Firewall policy setting with exceptions for Port 5985 (default port for HTTP).
+
+If you disable or do not configure this policy setting, the WinRM service will not respond to requests from a remote computer, regardless of whether or not any WinRM listeners are configured.
+
+The service listens on the addresses specified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies one or more ranges of IPv6addresses. If specified, the service enumerates the available IP addresses on the computer and uses only addresses that fall within one of the filter ranges.
+
+You should use an asterisk (*) to indicate that the service listens on all available IP addresses on the computer. When * is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses.
+
+For example, if you want the service to listen only on IPv4 addresses, leave the IPv6 filter empty.
+
+Ranges are specified using the syntax IP1-IP2. Multiple ranges are separated using "," (comma) as the delimiter.
+
+Example IPv4 filters:\n2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22
+Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562
> [!TIP]
@@ -342,14 +380,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow remote server management through WinRM*
- GP name: *AllowAutoConfig*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
+
@@ -390,6 +428,11 @@ ADMX Info:
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network.
+
+If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network.
+
+If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network.
> [!TIP]
@@ -399,14 +442,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow unencrypted traffic*
- GP name: *AllowUnencrypted_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
+
@@ -447,6 +490,11 @@ ADMX Info:
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network.
+
+If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network.
+
+If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network.
> [!TIP]
@@ -456,14 +504,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow unencrypted traffic*
- GP name: *AllowUnencrypted_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
+
@@ -504,6 +552,11 @@ ADMX Info:
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication.
+
+If you enable this policy setting, the WinRM client does not use Digest authentication.
+
+If you disable or do not configure this policy setting, the WinRM client uses Digest authentication.
> [!TIP]
@@ -513,14 +566,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disallow Digest authentication*
- GP name: *DisallowDigest*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
+
@@ -561,6 +614,11 @@ ADMX Info:
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Negotiate authentication.
+
+If you enable this policy setting, the WinRM client does not use Negotiate authentication.
+
+If you disable or do not configure this policy setting, the WinRM client uses Negotiate authentication.
> [!TIP]
@@ -570,14 +628,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disallow Negotiate authentication*
- GP name: *DisallowNegotiate_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
+
@@ -618,6 +676,11 @@ ADMX Info:
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Negotiate authentication from a remote client.
+
+If you enable this policy setting, the WinRM service does not accept Negotiate authentication from a remote client.
+
+If you disable or do not configure this policy setting, the WinRM service accepts Negotiate authentication from a remote client.
> [!TIP]
@@ -627,14 +690,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disallow Negotiate authentication*
- GP name: *DisallowNegotiate_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
+
@@ -675,6 +738,13 @@ ADMX Info:
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins.
+
+If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer.
+
+If you disable or do not configure this policy setting, the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAsPassword value will be stored securely.
+
+If you enable and then disable this policy setting,any values that were previously configured for RunAsPassword will need to be reset.
> [!TIP]
@@ -684,14 +754,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disallow WinRM from storing RunAs credentials*
- GP name: *DisableRunAs*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
+
@@ -732,6 +802,17 @@ ADMX Info:
+This policy setting allows you to set the hardening level of the Windows Remote Management (WinRM) service with regard to channel binding tokens.
+
+If you enable this policy setting, the WinRM service uses the level specified in HardeningLevel to determine whether or not to accept a received request, based on a supplied channel binding token.
+
+If you disable or do not configure this policy setting, you can configure the hardening level locally on each computer.
+
+If HardeningLevel is set to Strict, any request not containing a valid channel binding token is rejected.
+
+If HardeningLevel is set to Relaxed (default value), any request containing an invalid channel binding token is rejected. However, a request that does not contain a channel binding token is accepted (though it is not protected from credential-forwarding attacks).
+
+If HardeningLevel is set to None, all requests are accepted (though they are not protected from credential-forwarding attacks).
> [!TIP]
@@ -741,14 +822,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify channel binding token hardening level*
- GP name: *CBTHardeningLevel_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
+
@@ -789,6 +870,11 @@ ADMX Info:
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity.
+
+If you enable this policy setting, the WinRM client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. The WinRM client uses this list when neither HTTPS nor Kerberos are used to authenticate the identity of the host.
+
+If you disable or do not configure this policy setting and the WinRM client needs to use the list of trusted hosts, you must configure the list of trusted hosts locally on each computer.
> [!TIP]
@@ -798,14 +884,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Trusted Hosts*
- GP name: *TrustedHosts*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
+
@@ -846,6 +932,15 @@ ADMX Info:
+This policy setting turns on or turns off an HTTP listener created for backward compatibility purposes in the Windows Remote Management (WinRM) service.
+
+If you enable this policy setting, the HTTP listener always appears.
+
+If you disable or do not configure this policy setting, the HTTP listener never appears.
+
+When certain port 80 listeners are migrated to WinRM 2.0, the listener port number changes to 5985.
+
+A listener might be automatically created on port 80 to ensure backward compatibility.
> [!TIP]
@@ -855,14 +950,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn On Compatibility HTTP Listener*
- GP name: *HttpCompatibilityListener*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
+
@@ -903,6 +998,15 @@ ADMX Info:
+This policy setting turns on or turns off an HTTPS listener created for backward compatibility purposes in the Windows Remote Management (WinRM) service.
+
+If you enable this policy setting, the HTTPS listener always appears.
+
+If you disable or do not configure this policy setting, the HTTPS listener never appears.
+
+When certain port 443 listeners are migrated to WinRM 2.0, the listener port number changes to 5986.
+
+A listener might be automatically created on port 443 to ensure backward compatibility.
> [!TIP]
@@ -912,14 +1016,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn On Compatibility HTTPS Listener*
- GP name: *HttpsCompatibilityListener*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
index 16adbb0e97..41fb1d8539 100644
--- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
+++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - RemoteProcedureCall
@@ -66,7 +66,7 @@ ms.date: 01/30/2018
-This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner.
+This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner.
If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
@@ -84,14 +84,14 @@ Note: This policy will not be applied until the system is rebooted.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable RPC Endpoint Mapper Client Authentication*
- GP name: *RpcEnableAuthEpResolution*
- GP path: *System/Remote Procedure Call*
- GP ADMX file name: *rpc.admx*
-
+
@@ -136,9 +136,9 @@ This policy setting controls how the RPC server runtime handles unauthenticated
This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller.
-If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting.
+If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting.
-If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting.
+If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting.
If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting.
@@ -158,14 +158,14 @@ Note: This policy setting will not be applied until the system is rebooted.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Restrict Unauthenticated RPC clients*
- GP name: *RpcRestrictRemoteClients*
- GP path: *System/Remote Procedure Call*
- GP ADMX file name: *rpc.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md
index 5f9c72ad15..20a0ac4151 100644
--- a/windows/client-management/mdm/policy-csp-remoteshell.md
+++ b/windows/client-management/mdm/policy-csp-remoteshell.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - RemoteShell
@@ -81,6 +81,11 @@ ms.date: 01/30/2018
+This policy setting configures access to remote shells.
+
+If you enable or do not configure this policy setting, new remote shell connections are accepted by the server.
+
+If you set this policy to ‘disabled’, new remote shell connections are rejected by the server.
> [!TIP]
@@ -90,14 +95,14 @@ ms.date: 01/30/2018
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow Remote Shell Access*
- GP name: *AllowRemoteShellAccess*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
+
@@ -138,6 +143,13 @@ ADMX Info:
+This policy setting configures the maximum number of users able to concurrently perform remote shell operations on the system.
+
+The value can be any number from 1 to 100.
+
+If you enable this policy setting, the new shell connections are rejected if they exceed the specified limit.
+
+If you disable or do not configure this policy setting, the default number is five users.
> [!TIP]
@@ -147,14 +159,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *MaxConcurrentUsers*
- GP name: *MaxConcurrentUsers*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
+
@@ -195,6 +207,13 @@ ADMX Info:
+This policy setting configures the maximum time in milliseconds remote shell will stay open without any user activity until it is automatically deleted.
+
+Any value from 0 to 0x7FFFFFFF can be set. A minimum of 60000 milliseconds (1 minute) is used for smaller values.
+
+If you enable this policy setting, the server will wait for the specified amount of time since the last received message from the client before terminating the open shell.
+
+If you do not configure or disable this policy setting, the default value of 900000 or 15 min will be used.
> [!TIP]
@@ -204,14 +223,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify idle Timeout*
- GP name: *IdleTimeout*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
+
@@ -252,6 +271,13 @@ ADMX Info:
+This policy setting configures the maximum total amount of memory in megabytes that can be allocated by any active remote shell and all its child processes.
+
+Any value from 0 to 0x7FFFFFFF can be set, where 0 equals unlimited memory, which means the ability of remote operations to allocate memory is only limited by the available virtual memory.
+
+If you enable this policy setting, the remote operation is terminated when a new allocation exceeds the specified quota.
+
+If you disable or do not configure this policy setting, the value 150 is used by default.
> [!TIP]
@@ -261,14 +287,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify maximum amount of memory in MB per Shell*
- GP name: *MaxMemoryPerShellMB*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
+
@@ -309,6 +335,11 @@ ADMX Info:
+This policy setting configures the maximum number of processes a remote shell is allowed to launch.
+
+If you enable this policy setting, you can specify any number from 0 to 0x7FFFFFFF to set the maximum number of process per shell. Zero (0) means unlimited number of processes.
+
+If you disable or do not configure this policy setting, the limit is five processes per shell.
> [!TIP]
@@ -318,14 +349,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify maximum number of processes per Shell*
- GP name: *MaxProcessesPerShell*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
+
@@ -366,6 +397,13 @@ ADMX Info:
+This policy setting configures the maximum number of concurrent shells any user can remotely open on the same system.
+
+Any number from 0 to 0x7FFFFFFF cand be set, where 0 means unlimited number of shells.
+
+If you enable this policy setting, the user cannot open new remote shells if the count exceeds the specified limit.
+
+If you disable or do not configure this policy setting, by default the limit is set to two remote shells per user.
> [!TIP]
@@ -375,14 +413,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify maximum number of remote shells per user*
- GP name: *MaxShellsPerUser*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
+
@@ -423,6 +461,7 @@ ADMX Info:
+This policy setting is deprecated and has no effect when set to any state: Enabled, Disabled, or Not Configured.
> [!TIP]
@@ -432,14 +471,14 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify Shell Timeout*
- GP name: *ShellTimeOut*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index 3081faa8a5..85b59673d8 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Search
@@ -107,6 +107,15 @@ ms.date: 01/30/2018
Added in Windows 10, version 1709. Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources.
+
+ADMX Info:
+- GP English name: *Allow Cloud Search*
+- GP name: *AllowCloudSearch*
+- GP element: *AllowCloudSearch_Dropdown*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
The following list shows the supported values:
@@ -157,6 +166,14 @@ The following list shows the supported values:
Added in Windows 10, version 1803. This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. If this policy is left in its default state, Cortana will not be shown in the AAD OOBE flow. If you opt-in to this policy, then the Cortana consent page will appear in the AAD OOBE flow..
+
+ADMX Info:
+- GP English name: *Allow Cortana Page in OOBE on an AAD account*
+- GP name: *AllowCortanaInAAD*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
The following list shows the supported values:
@@ -213,6 +230,14 @@ When the policy is disabled, the WIP protected items are not indexed and do not
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Allow indexing of encrypted files*
+- GP name: *AllowIndexingEncryptedStoresOrItems*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
The following list shows the supported values:
@@ -265,6 +290,14 @@ Specifies whether search can leverage location information.
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Allow search and Cortana to use location*
+- GP name: *AllowSearchToUseLocation*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
The following list shows the supported values:
@@ -338,6 +371,14 @@ Allows the use of diacritics.
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Allow use of diacritics*
+- GP name: *AllowUsingDiacritics*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
The following list shows the supported values:
@@ -434,6 +475,14 @@ Specifies whether to always use automatic language detection when indexing conte
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Always use automatic language detection when indexing content and properties*
+- GP name: *AlwaysUseAutoLangDetection*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
The following list shows the supported values:
@@ -484,6 +533,14 @@ The following list shows the supported values:
If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled.
+
+ADMX Info:
+- GP English name: *Disable indexer backoff*
+- GP name: *DisableBackoff*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
The following list shows the supported values:
@@ -538,6 +595,14 @@ If you enable this policy setting, locations on removable drives cannot be added
If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed.
+
+ADMX Info:
+- GP English name: *Do not allow locations on removable drives to be added to libraries*
+- GP name: *DisableRemovableDriveIndexing*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
The following list shows the supported values:
@@ -593,6 +658,14 @@ If you enable this policy setting, queries won't be performed on the web and web
If you disable this policy setting, queries will be performed on the web and web results will be displayed when a user performs a query in Search.
+
+ADMX Info:
+- GP English name: *Don't search the web or display web results in Search*
+- GP name: *DoNotUseWebResults*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
The following list shows the supported values:
@@ -647,6 +720,14 @@ Enable this policy if computers in your environment have extremely limited hard
When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size.
+
+ADMX Info:
+- GP English name: *Stop indexing in the event of limited hard drive space*
+- GP name: *StopIndexingOnLimitedHardDriveSpace*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
The following list shows the supported values:
@@ -697,6 +778,14 @@ The following list shows the supported values:
If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index..
+
+ADMX Info:
+- GP English name: *Prevent clients from querying the index remotely*
+- GP name: *PreventRemoteQueries*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index dd8bc02aab..9d95aab726 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Security
@@ -361,6 +361,14 @@ The following list shows the supported values:
Added in Windows 10, version 1709. Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart.
+
+ADMX Info:
+- GP English name: *Configure the system to clear the TPM if it is not in a ready state.*
+- GP name: *ClearTPMIfNotReady_Name*
+- GP path: *System/Trusted Platform Module Services*
+- GP ADMX file name: *TPM.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index bd6a64ba12..5031440194 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Settings
@@ -370,6 +370,15 @@ Enables or disables the retrieval of online tips and help for the Settings app.
If disabled, Settings will not contact Microsoft content services to retrieve tips and help content.
+
+ADMX Info:
+- GP English name: *Allow Online Tips*
+- GP name: *AllowOnlineTips*
+- GP element: *CheckBox_AllowOnlineTips*
+- GP path: *Control Panel*
+- GP ADMX file name: *ControlPanel.admx*
+
+
@@ -729,6 +738,14 @@ The following list shows the supported values:
Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale.
+
+ADMX Info:
+- GP English name: *Show additional calendar*
+- GP name: *ConfigureTaskbarCalendar*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
The following list shows the supported values:
@@ -805,6 +822,15 @@ Example 2, specifies that the wifi page should not be shown:
hide:wifi
+
+ADMX Info:
+- GP English name: *Settings Page Visibility*
+- GP name: *SettingsPageVisibility*
+- GP element: *SettingsPageVisibilityBox*
+- GP path: *Control Panel*
+- GP ADMX file name: *ControlPanel.admx*
+
+
To validate on Desktop, do the following:
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index f52bfb67a6..be4301165b 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - SmartScreen
@@ -72,6 +72,14 @@ ms.date: 01/30/2018
Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
+
+ADMX Info:
+- GP English name: *Configure App Install Control*
+- GP name: *ConfigureAppInstallControl*
+- GP path: *Windows Components/Windows Defender SmartScreen/Explorer*
+- GP ADMX file name: *SmartScreen.admx*
+
+
The following list shows the supported values:
@@ -122,6 +130,14 @@ The following list shows the supported values:
Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows.
+
+ADMX Info:
+- GP English name: *Configure Windows Defender SmartScreen*
+- GP name: *ShellConfigureSmartScreen*
+- GP path: *Windows Components/Windows Defender SmartScreen/Explorer*
+- GP ADMX file name: *SmartScreen.admx*
+
+
The following list shows the supported values:
@@ -172,6 +188,15 @@ The following list shows the supported values:
Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files.
+
+ADMX Info:
+- GP English name: *Configure Windows Defender SmartScreen*
+- GP name: *ShellConfigureSmartScreen*
+- GP element: *ShellConfigureSmartScreen_Dropdown*
+- GP path: *Windows Components/Windows Defender SmartScreen/Explorer*
+- GP ADMX file name: *SmartScreen.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md
index e5c27c3200..9a691d7670 100644
--- a/windows/client-management/mdm/policy-csp-speech.md
+++ b/windows/client-management/mdm/policy-csp-speech.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Speech
@@ -66,6 +66,14 @@ ms.date: 01/30/2018
Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS).
+
+ADMX Info:
+- GP English name: *Allow Automatic Update of Speech Data*
+- GP name: *AllowSpeechModelUpdate*
+- GP path: *Windows Components/Speech*
+- GP ADMX file name: *Speech.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index e8122802b3..50809d5486 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Start
@@ -1025,6 +1025,14 @@ Added in Windows 10, version 1709. Enabling this policy removes the people icon
Value type is integer.
+
+ADMX Info:
+- GP English name: *Remove the People Bar from the taskbar*
+- GP name: *HidePeopleBar*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
@@ -1198,6 +1206,14 @@ To validate on Desktop, do the following:
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently added apps.
+
+ADMX Info:
+- GP English name: *Remove "Recently added" list from Start Menu*
+- GP name: *HideRecentlyAddedApps*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
The following list shows the supported values:
@@ -1731,6 +1747,14 @@ Allows you to override the default Start layout and prevents the user from chang
For further details on how to customize the Start layout, please see [Customize and export Start layout](https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout) and [Configure Windows 10 taskbar](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-10-taskbar).
+
+ADMX Info:
+- GP English name: *Start Layout*
+- GP name: *LockedStartLayout*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index dbcdfe8bd5..536aac2ce2 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Storage
@@ -73,6 +73,14 @@ Added in Windows 10, version 1709. Allows disk health model updates.
Value type is integer.
+
+ADMX Info:
+- GP English name: *Allow downloading updates to the Disk Failure Prediction Model*
+- GP name: *SH_AllowDiskHealthModelUpdates*
+- GP path: *System/Storage Health*
+- GP ADMX file name: *StorageHealth.admx*
+
+
The following list shows the supported values:
@@ -134,14 +142,14 @@ If you disable or do not configure this policy setting, Windows will activate un
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not allow Windows to activate Enhanced Storage devices*
- GP name: *TCGSecurityActivationDisabled*
- GP path: *System/Enhanced Storage Access*
- GP ADMX file name: *enhancedstorage.admx*
-
+
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index c0cc5dd7cf..d943b9d855 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - System
@@ -116,6 +116,14 @@ This policy setting determines whether users can access the Insider build contro
If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable.
+
+ADMX Info:
+- GP English name: *Toggle user control over Insider builds*
+- GP name: *AllowBuildPreview*
+- GP path: *Data Collection and Preview Builds*
+- GP ADMX file name: *AllowBuildPreview.admx*
+
+
The following list shows the supported values:
@@ -283,6 +291,14 @@ This setting is used by lower-level components for text display and fond handlin
> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service.
+
+ADMX Info:
+- GP English name: *Enable Font Providers*
+- GP name: *EnableFontProviders*
+- GP path: *Network/Fonts*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
The following list shows the supported values:
@@ -348,6 +364,14 @@ When switching the policy back from 0 (Force Location Off) or 2 (Force Location
For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off.
+
+ADMX Info:
+- GP English name: *Turn off location*
+- GP name: *DisableLocation_2*
+- GP path: *Windows Components/Location and Sensors*
+- GP ADMX file name: *Sensors.admx*
+
+
The following list shows the supported values:
@@ -527,6 +551,15 @@ Windows 10 Values:
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Allow Telemetry*
+- GP name: *AllowTelemetry*
+- GP element: *AllowTelemetry*
+- GP path: *Data Collection and Preview Builds*
+- GP ADMX file name: *DataCollection.admx*
+
+
@@ -620,7 +653,17 @@ orted values:
-N/A
+This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:
+- Good: The driver has been signed and has not been tampered with.
+- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.
+- Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.
+- Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver.
+
+If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started.
+
+If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped.
+
+If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized.
> [!TIP]
@@ -630,12 +673,14 @@ N/A
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
+- GP English name: *Boot-Start Driver Initialization Policy*
- GP name: *POL_DriverLoadPolicy_Name*
+- GP path: *System/Early Launch Antimalware*
- GP ADMX file name: *earlylauncham.admx*
-
+
@@ -679,6 +724,15 @@ ADMX Info:
This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy.
+
+ADMX Info:
+- GP English name: *Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service*
+- GP name: *DisableEnterpriseAuthProxy*
+- GP element: *DisableEnterpriseAuthProxy*
+- GP path: *Data Collection and Preview Builds*
+- GP ADMX file name: *DataCollection.admx*
+
+
@@ -730,6 +784,14 @@ Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features
If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
+
+ADMX Info:
+- GP English name: *Prevent the usage of OneDrive for file storage*
+- GP name: *PreventOnedriveFileSync*
+- GP path: *Windows Components/OneDrive*
+- GP ADMX file name: *SkyDrive.admx*
+
+
The following list shows the supported values:
@@ -805,14 +867,14 @@ Also, see the "Turn off System Restore configuration" policy setting. If the "Tu
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off System Restore*
- GP name: *SR_DisableSR*
- GP path: *System/System Restore*
- GP ADMX file name: *systemrestore.admx*
-
+
@@ -919,6 +981,15 @@ Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combina
If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy.
+
+ADMX Info:
+- GP English name: *Limit Enhanced diagnostic data to the minimum required by Windows Analytics*
+- GP name: *LimitEnhancedDiagnosticDataWindowsAnalytics*
+- GP element: *LimitEnhancedDiagnosticDataWindowsAnalytics*
+- GP path: *Data Collection and Preview Builds*
+- GP ADMX file name: *DataCollection.admx*
+
+
@@ -964,6 +1035,15 @@ Allows you to specify the fully qualified domain name (FQDN) or IP address of a
If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration.
+
+ADMX Info:
+- GP English name: *Configure Connected User Experiences and Telemetry*
+- GP name: *TelemetryProxy*
+- GP element: *TelemetryProxyName*
+- GP path: *Data Collection and Preview Builds*
+- GP ADMX file name: *DataCollection.admx*
+
+
diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md
index 97ddbf6bd4..ffdb12f42a 100644
--- a/windows/client-management/mdm/policy-csp-systemservices.md
+++ b/windows/client-management/mdm/policy-csp-systemservices.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - SystemServices
@@ -83,6 +83,12 @@ ms.date: 01/30/2018
Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+GP Info:
+- GP English name: *HomeGroup Listener*
+- GP path: *Windows Settings/Security Settings/System Services*
+
+
@@ -126,6 +132,12 @@ Added in Windows 10, version 1803. This setting determines whether the service's
Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+GP Info:
+- GP English name: *HomeGroup Provider*
+- GP path: *Windows Settings/Security Settings/System Services*
+
+
@@ -169,6 +181,12 @@ Added in Windows 10, version 1803. This setting determines whether the service's
Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+GP Info:
+- GP English name: *Xbox Accessory Management Service*
+- GP path: *Windows Settings/Security Settings/System Services*
+
+
@@ -212,6 +230,12 @@ Added in Windows 10, version 1803. This setting determines whether the service's
Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+GP Info:
+- GP English name: *Xbox Live Auth Manager*
+- GP path: *Windows Settings/Security Settings/System Services*
+
+
@@ -255,6 +279,12 @@ Added in Windows 10, version 1803. This setting determines whether the service's
Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+GP Info:
+- GP English name: *Xbox Live Game Save*
+- GP path: *Windows Settings/Security Settings/System Services*
+
+
@@ -298,6 +328,12 @@ Added in Windows 10, version 1803. This setting determines whether the service's
Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+GP Info:
+- GP English name: *Xbox Live Networking Service*
+- GP path: *Windows Settings/Security Settings/System Services*
+
+
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index c301cc1884..b5cb108686 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 02/26/2018
+ms.date: 03/05/2018
---
# Policy CSP - TextInput
@@ -657,6 +657,14 @@ Allows the uninstall of language features, such as spell checkers, on a device.
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Allow Uninstallation of Language Features*
+- GP name: *AllowLanguageFeaturesUninstall*
+- GP path: *Windows Components/Text Input*
+- GP ADMX file name: *TextInput.admx*
+
+
The following list shows the supported values:
@@ -1291,8 +1299,8 @@ The following list shows the supported values:
-
+
Footnote:
- 1 - Added in Windows 10, version 1607.
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index d8a6cbbf3c..7a92fffc6a 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Update
@@ -216,6 +216,15 @@ Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
The default is 17 (5 PM).
+
+ADMX Info:
+- GP English name: *Turn off auto-restart for updates during active hours*
+- GP name: *ActiveHours*
+- GP element: *ActiveHoursEndTime*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
@@ -263,6 +272,15 @@ Supported values are 8-18.
The default value is 18 (hours).
+
+ADMX Info:
+- GP English name: *Specify active hours range for auto-restarts*
+- GP name: *ActiveHoursMaxRange*
+- GP element: *ActiveHoursMaxRange*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
@@ -313,6 +331,15 @@ Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
The default value is 8 (8 AM).
+
+ADMX Info:
+- GP English name: *Turn off auto-restart for updates during active hours*
+- GP name: *ActiveHours*
+- GP element: *ActiveHoursStartTime*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
@@ -365,6 +392,15 @@ Supported operations are Get and Replace.
If the policy is not configured, end-users get the default behavior (Auto install and restart).
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *AutoUpdateMode*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
@@ -423,6 +459,14 @@ A significant number of devices primarily use cellular data and do not have Wi-F
This policy is accessible through the Update setting in the user interface or Group Policy.
+
+ADMX Info:
+- GP English name: *Allow updates to be downloaded automatically over metered connections*
+- GP name: *AllowAutoWindowsUpdateDownloadOverMeteredNetwork*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
@@ -473,6 +517,15 @@ The following list shows the supported values:
Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *AllowMUUpdateServiceId*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
@@ -584,6 +637,14 @@ Enabling this policy will disable that functionality, and may cause connection t
> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
+
+ADMX Info:
+- GP English name: *Specify intranet Microsoft update service location*
+- GP name: *CorpWuURL*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
@@ -638,6 +699,15 @@ Supported values are 2-30 days.
The default value is 7 days.
+
+ADMX Info:
+- GP English name: *Specify deadline before auto-restart for update installation*
+- GP name: *AutoRestartDeadline*
+- GP element: *AutoRestartDeadline*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
@@ -683,6 +753,15 @@ Added in Windows 10, version 1703. Allows the IT Admin to specify the period fo
The default value is 15 (minutes).
+
+ADMX Info:
+- GP English name: *Configure auto-restart reminder notifications for updates*
+- GP name: *AutoRestartNotificationConfig*
+- GP element: *AutoRestartNotificationSchd*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
Supported values are 15, 30, 60, 120, and 240 (minutes).
@@ -730,6 +809,15 @@ Supported values are 15, 30, 60, 120, and 240 (minutes).
Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed.
+
+ADMX Info:
+- GP English name: *Configure auto-restart required notification for updates*
+- GP name: *AutoRestartRequiredNotificationDismissal*
+- GP element: *AutoRestartRequiredNotificationDismissal*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
@@ -780,6 +868,15 @@ The following list shows the supported values:
Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
+
+ADMX Info:
+- GP English name: *Select when Preview Builds and Feature Updates are received*
+- GP name: *DeferFeatureUpdates*
+- GP element: *BranchReadinessLevelId*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
@@ -874,6 +971,15 @@ Supported values are 0-365 days.
> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703.
+
+ADMX Info:
+- GP English name: *Select when Preview Builds and Feature Updates are received*
+- GP name: *DeferFeatureUpdates*
+- GP element: *DeferFeatureUpdatesPeriodId*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
@@ -919,6 +1025,15 @@ Added in Windows 10, version 1607. Defers Quality Updates for the specified num
Supported values are 0-30.
+
+ADMX Info:
+- GP English name: *Select when Quality Updates are received*
+- GP name: *DeferQualityUpdates*
+- GP element: *DeferQualityUpdatesPeriodId*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
@@ -1055,6 +1170,13 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-->
+
+ADMX Info:
+- GP name: *DeferUpgrade*
+- GP element: *DeferUpdatePeriodId*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
@@ -1110,6 +1232,13 @@ If the "Specify intranet Microsoft update service location" policy is enabled, t
If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+
+ADMX Info:
+- GP name: *DeferUpgrade*
+- GP element: *DeferUpgradePeriodId*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
@@ -1153,6 +1282,15 @@ If the "Allow Telemetry" policy is enabled and the Options value is set to 0, th
Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.
+
+ADMX Info:
+- GP English name: *Automatic Updates detection frequency*
+- GP name: *DetectionFrequency_Title*
+- GP element: *DetectionFrequency_Hour2*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
@@ -1202,6 +1340,14 @@ This is the same as the Group Policy in Windows Components > Window Update "Do n
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+ADMX Info:
+- GP English name: *Do not allow update deferral policies to cause scans against Windows Update*
+- GP name: *DisableDualScan*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
@@ -1256,6 +1402,15 @@ Supported values are 2-30 days.
The default value is 0 days (not specified).
+
+ADMX Info:
+- GP English name: *Specify Engaged restart transition and notification schedule for updates*
+- GP name: *EngagedRestartTransitionSchedule*
+- GP element: *EngagedRestartDeadline*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
@@ -1303,6 +1458,15 @@ Supported values are 1-3 days.
The default value is 3 days.
+
+ADMX Info:
+- GP English name: *Specify Engaged restart transition and notification schedule for updates*
+- GP name: *EngagedRestartTransitionSchedule*
+- GP element: *EngagedRestartSnoozeSchedule*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
@@ -1350,6 +1514,15 @@ Supported values are 2-30 days.
The default value is 7 days.
+
+ADMX Info:
+- GP English name: *Specify Engaged restart transition and notification schedule for updates*
+- GP name: *EngagedRestartTransitionSchedule*
+- GP element: *EngagedRestartTransitionSchedule*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
@@ -1396,6 +1569,14 @@ The default value is 7 days.
Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
+
+ADMX Info:
+- GP English name: *Do not include drivers with Windows Updates*
+- GP name: *ExcludeWUDriversInQualityUpdate*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
@@ -1449,6 +1630,15 @@ Added in the April service release of Windows 10, version 1607. Allows Windows U
> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server.
+
+ADMX Info:
+- GP English name: *Specify intranet Microsoft update service location*
+- GP name: *CorpWuURL*
+- GP element: *CorpWUFillEmptyContentUrls*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
@@ -1629,6 +1819,15 @@ To validate this policy:
Added in Windows 10, version 1709. Used to manage Windows 10 Insider Preview builds. Value type is integer.
+
+ADMX Info:
+- GP English name: *Manage preview builds*
+- GP name: *ManagePreviewBuilds*
+- GP element: *ManagePreviewBuildsId*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
@@ -1689,6 +1888,13 @@ If the "Specify intranet Microsoft update service location" policy is enabled, t
If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+
+ADMX Info:
+- GP name: *DeferUpgrade*
+- GP element: *PauseDeferralsId*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
@@ -1742,6 +1948,15 @@ Since this policy is not blocked, you will not get a failure message when you us
Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
+
+ADMX Info:
+- GP English name: *Select when Preview Builds and Feature Updates are received*
+- GP name: *DeferFeatureUpdates*
+- GP element: *PauseFeatureUpdatesId*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
@@ -1794,6 +2009,15 @@ Added in Windows 10, version 1703. Specifies the date and time when the IT admi
Value type is string. Supported operations are Add, Get, Delete, and Replace.
+
+ADMX Info:
+- GP English name: *Select when Preview Builds and Feature Updates are received*
+- GP name: *DeferFeatureUpdates*
+- GP element: *PauseFeatureUpdatesStartId*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
@@ -1837,6 +2061,15 @@ Value type is string. Supported operations are Add, Get, Delete, and Replace.
Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
+
+ADMX Info:
+- GP English name: *Select when Quality Updates are received*
+- GP name: *DeferQualityUpdates*
+- GP element: *PauseQualityUpdatesId*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
@@ -1889,6 +2122,15 @@ Added in Windows 10, version 1703. Specifies the date and time when the IT admi
Value type is string. Supported operations are Add, Get, Delete, and Replace.
+
+ADMX Info:
+- GP English name: *Select when Quality Updates are received*
+- GP name: *DeferQualityUpdates*
+- GP element: *PauseQualityUpdatesStartId*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
@@ -1947,6 +2189,13 @@ This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupd
Allows the IT admin to set a device to Semi-Annual Channel train.
+
+ADMX Info:
+- GP name: *DeferUpgrade*
+- GP element: *DeferUpgradePeriodId*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
@@ -2055,6 +2304,15 @@ Added in Windows 10, version 1703. Allows the IT Admin to specify the period fo
The default value is 15 (minutes).
+
+ADMX Info:
+- GP English name: *Configure auto-restart warning notifications schedule for updates*
+- GP name: *RestartWarnRemind*
+- GP element: *RestartWarn*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
Supported values are 15, 30, or 60 (minutes).
@@ -2108,6 +2366,15 @@ Added in Windows 10, version 1703. Allows the IT Admin to specify the period fo
The default value is 4 (hours).
+
+ADMX Info:
+- GP English name: *Configure auto-restart warning notifications schedule for updates*
+- GP name: *RestartWarnRemind*
+- GP element: *RestartWarnRemind*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
Supported values are 2, 4, 8, 12, or 24 (hours).
@@ -2159,6 +2426,15 @@ The data type is a integer.
Supported operations are Add, Delete, Get, and Replace.
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *AutoUpdateSchDay*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
@@ -2219,6 +2495,15 @@ Added in Windows 10, version 1709. Enables the IT admin to schedule the update i
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *AutoUpdateSchEveryWeek*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
@@ -2266,6 +2551,15 @@ Added in Windows 10, version 1709. Enables the IT admin to schedule the update i
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *AutoUpdateSchFirstWeek*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
@@ -2313,6 +2607,15 @@ Added in Windows 10, version 1709. Enables the IT admin to schedule the update i
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *ScheduledInstallFourthWeek*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
@@ -2360,6 +2663,15 @@ Added in Windows 10, version 1709. Enables the IT admin to schedule the update i
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *ScheduledInstallSecondWeek*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
@@ -2407,6 +2719,15 @@ Added in Windows 10, version 1709. Enables the IT admin to schedule the update i
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *ScheduledInstallThirdWeek*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
@@ -2462,6 +2783,15 @@ Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
The default value is 3.
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *AutoUpdateSchTime*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
@@ -2505,6 +2835,15 @@ The default value is 3.
Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations.
+
+ADMX Info:
+- GP English name: *Turn off auto-restart notifications for update installations*
+- GP name: *AutoRestartNotificationDisable*
+- GP element: *AutoRestartNotificationSchd*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
@@ -2555,6 +2894,14 @@ The following list shows the supported values:
Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime.
+
+ADMX Info:
+- GP English name: *Update Power Policy for Cart Restarts*
+- GP name: *SetEDURestart*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
@@ -2610,6 +2957,15 @@ Allows the device to check for updates from a WSUS server instead of Microsoft U
Supported operations are Get and Replace.
+
+ADMX Info:
+- GP English name: *Specify intranet Microsoft update service location*
+- GP name: *CorpWuURL*
+- GP element: *CorpWUURL_Name*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
@@ -2691,6 +3047,15 @@ Value type is string and the default value is an empty string, "". If the settin
> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
+
+ADMX Info:
+- GP English name: *Specify intranet Microsoft update service location*
+- GP name: *CorpWuURL*
+- GP element: *CorpWUContentHost_Name*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index b091456af0..6e52bc893b 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - UserRights
@@ -152,6 +152,12 @@ ms.date: 01/30/2018
This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities.
+
+GP Info:
+- GP English name: *Access Credential Manager ase a trusted caller*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -195,6 +201,12 @@ This user right is used by Credential Manager during Backup/Restore. No accounts
This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
+
+GP Info:
+- GP English name: *Access this computer from the network*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -238,6 +250,12 @@ This user right determines which users and groups are allowed to connect to the
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users.
+
+GP Info:
+- GP English name: *Act as part of the operating system*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -281,6 +299,12 @@ This user right allows a process to impersonate any user without authentication.
This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.
+
+GP Info:
+- GP English name: *Allow log on locally*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -324,6 +348,12 @@ This user right determines which users can log on to the computer. Note: Modifyi
This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users
+
+GP Info:
+- GP English name: *Back up files and directories*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -367,6 +397,12 @@ This user right determines which users can bypass file, directory, registry, and
This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
+
+GP Info:
+- GP English name: *Change the system time*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -410,6 +446,12 @@ This user right determines which users and groups can change the time and date o
This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users.
+
+GP Info:
+- GP English name: *Create global objects*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -453,6 +495,12 @@ This security setting determines whether users can create global objects that ar
This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users
+
+GP Info:
+- GP English name: *Create a pagefile*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -496,6 +544,12 @@ This user right determines which users and groups can call an internal applicati
This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it.
+
+GP Info:
+- GP English name: *Create permanent shared objects*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -539,6 +593,12 @@ This user right determines which accounts can be used by processes to create a d
This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.
+
+GP Info:
+- GP English name: *Create symbolic links*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -582,6 +642,12 @@ This user right determines if the user can create a symbolic link from the compu
This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
+
+GP Info:
+- GP English name: *Create a token object*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -625,6 +691,12 @@ This user right determines which accounts can be used by processes to create a t
This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users.
+
+GP Info:
+- GP English name: *Debug programs*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -668,6 +740,12 @@ This user right determines which users can attach a debugger to any process or t
This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.
+
+GP Info:
+- GP English name: *Deny access to this computer from the network*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -711,6 +789,12 @@ This user right determines which users are prevented from accessing a computer o
This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts.
+
+GP Info:
+- GP English name: *Deny log on as a service*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -754,6 +838,12 @@ This security setting determines which service accounts are prevented from regis
This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client.
+
+GP Info:
+- GP English name: *Deny log on through Remote Desktop Services*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -797,6 +887,12 @@ This user right determines which users and groups are prohibited from logging on
This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.
+
+GP Info:
+- GP English name: *Enable computer and user accounts to be trusted for delegation*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -840,6 +936,12 @@ This user right determines which users can set the Trusted for Delegation settin
This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled.
+
+GP Info:
+- GP English name: *Generate security audits*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -887,6 +989,12 @@ Assigning this user right to a user allows programs running on behalf of that us
Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
+
+GP Info:
+- GP English name: *Impersonate a client after authentication*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -930,6 +1038,12 @@ Because of these factors, users do not usually need this user right. Warning: If
This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.
+
+GP Info:
+- GP English name: *Increase scheduling priority*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -973,6 +1087,12 @@ This user right determines which accounts can use a process with Write Property
This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
+
+GP Info:
+- GP English name: *Load and unload device drivers*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -1016,6 +1136,12 @@ This user right determines which users can dynamically load and unload device dr
This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).
+
+GP Info:
+- GP English name: *Lock pages in memory*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -1059,6 +1185,12 @@ This user right determines which accounts can use a process to keep data in phys
This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.
+
+GP Info:
+- GP English name: *Manage auditing and security log*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -1102,6 +1234,12 @@ This user right determines which users can specify object access auditing option
This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.
+
+GP Info:
+- GP English name: *Perform volume maintenance tasks*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -1145,6 +1283,12 @@ This user right determines which users and groups can run maintenance tasks on a
This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties.
+
+GP Info:
+- GP English name: *Modify firmware environment values*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -1188,6 +1332,12 @@ This user right determines who can modify firmware environment values. Firmware
This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.
+
+GP Info:
+- GP English name: *Modify an object label*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -1231,6 +1381,12 @@ This user right determines which user accounts can modify the integrity label of
This user right determines which users can use performance monitoring tools to monitor the performance of system processes.
+
+GP Info:
+- GP English name: *Profile single process*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -1274,6 +1430,12 @@ This user right determines which users can use performance monitoring tools to m
This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.
+
+GP Info:
+- GP English name: *Force shutdown from a remote system*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -1317,6 +1479,12 @@ This user right determines which users are allowed to shut down a computer from
This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users.
+
+GP Info:
+- GP English name: *Restore files and directories*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
@@ -1360,6 +1528,12 @@ This user right determines which users can bypass file, directory, registry, and
This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users.
+
+GP Info:
+- GP English name: *Take ownership of files or other objects*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+
+
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md
index 8fa7a54082..f4e3dbae88 100644
--- a/windows/client-management/mdm/policy-csp-wifi.md
+++ b/windows/client-management/mdm/policy-csp-wifi.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - Wifi
@@ -97,6 +97,14 @@ Allow or disallow the device to automatically connect to Wi-Fi hotspots.
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services*
+- GP name: *WiFiSense*
+- GP path: *Network/WLAN Service/WLAN Settings*
+- GP ADMX file name: *wlansvc.admx*
+
+
The following list shows the supported values:
@@ -149,6 +157,14 @@ Allow or disallow internet sharing.
Most restricted value is 0.
+
+ADMX Info:
+- GP English name: *Prohibit use of Internet Connection Sharing on your DNS domain network*
+- GP name: *NC_ShowSharedAccessUI*
+- GP path: *Network/Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
index 56be2210b2..8329d11f77 100644
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - WindowsDefenderSecurityCenter
@@ -124,6 +124,15 @@ Added in Windows 10, version 1709. The company name that is displayed to the use
Value type is string. Supported operations are Add, Get, Replace and Delete.
+
+ADMX Info:
+- GP English name: *Specify contact company name*
+- GP name: *EnterpriseCustomization_CompanyName*
+- GP element: *Presentation_EnterpriseCustomization_CompanyName*
+- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
@@ -167,6 +176,14 @@ Value type is string. Supported operations are Add, Get, Replace and Delete.
Added in Windows 10, next major release. Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
+
+ADMX Info:
+- GP English name: *Hide the Account protection area*
+- GP name: *AccountProtection_UILockdown*
+- GP path: *Windows Components/Windows Defender Security Center/Account protection*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
Valid values:
@@ -219,6 +236,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl
Value type is integer. Supported operations are Add, Get, Replace and Delete.
+
+ADMX Info:
+- GP English name: *Hide the App and browser protection area*
+- GP name: *AppBrowserProtection_UILockdown*
+- GP path: *Windows Components/Windows Defender Security Center/App and browser protection*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
The following list shows the supported values:
@@ -269,6 +294,14 @@ The following list shows the supported values:
Added in Windows 10, next major release. Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
+
+ADMX Info:
+- GP English name: *Hide the Device security area*
+- GP name: *DeviceSecurity_UILockdown*
+- GP path: *Windows Components/Windows Defender Security Center/Device security*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
Valid values:
@@ -324,6 +357,14 @@ Added in Windows 10, version 1709. Use this policy if you want Windows Defender
Value type is integer. Supported operations are Add, Get, Replace and Delete.
+
+ADMX Info:
+- GP English name: *Hide non-critical notifications*
+- GP name: *Notifications_DisableEnhancedNotifications*
+- GP path: *Windows Components/Windows Defender Security Center/Notifications*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
The following list shows the supported values:
@@ -376,6 +417,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl
Value type is integer. Supported operations are Add, Get, Replace and Delete.
+
+ADMX Info:
+- GP English name: *Hide the Family options area*
+- GP name: *FamilyOptions_UILockdown*
+- GP path: *Windows Components/Windows Defender Security Center/Family options*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
The following list shows the supported values:
@@ -428,6 +477,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl
Value type is integer. Supported operations are Add, Get, Replace and Delete.
+
+ADMX Info:
+- GP English name: *Hide the Device performance and health area*
+- GP name: *DevicePerformanceHealth_UILockdown*
+- GP path: *Windows Components/Windows Defender Security Center/Device performance and health*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
The following list shows the supported values:
@@ -480,6 +537,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl
Value type is integer. Supported operations are Add, Get, Replace and Delete.
+
+ADMX Info:
+- GP English name: *Hide the Firewall and network protection area*
+- GP name: *FirewallNetworkProtection_UILockdown*
+- GP path: *Windows Components/Windows Defender Security Center/Firewall and network protection*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
The following list shows the supported values:
@@ -532,6 +597,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl
Value type is integer. Supported operations are Add, Get, Replace and Delete.
+
+ADMX Info:
+- GP English name: *Hide all notifications*
+- GP name: *Notifications_DisableNotifications*
+- GP path: *Windows Components/Windows Defender Security Center/Notifications*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
The following list shows the supported values:
@@ -584,6 +657,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl
Value type is integer. Supported operations are Add, Get, Replace and Delete.
+
+ADMX Info:
+- GP English name: *Hide the Virus and threat protection area*
+- GP name: *VirusThreatProtection_UILockdown*
+- GP path: *Windows Components/Windows Defender Security Center/Virus and threat protection*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
The following list shows the supported values:
@@ -636,6 +717,14 @@ Added in Windows 10, version 1709. Prevent users from making changes to the expl
Value type is integer. Supported operations are Add, Get, Replace and Delete.
+
+ADMX Info:
+- GP English name: *Prevent users from modifying settings*
+- GP name: *AppBrowserProtection_DisallowExploitProtectionOverride*
+- GP path: *Windows Components/Windows Defender Security Center/App and browser protection*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
The following list shows the supported values:
@@ -688,6 +777,15 @@ Added in Windows 10, version 1709. The email address that is displayed to users.
Value type is string. Supported operations are Add, Get, Replace and Delete.
+
+ADMX Info:
+- GP English name: *Specify contact email address or Email ID*
+- GP name: *EnterpriseCustomization_Email*
+- GP element: *Presentation_EnterpriseCustomization_Email*
+- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
@@ -733,6 +831,14 @@ Added in Windows 10, version 1709. Enable this policy to display your company na
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+ADMX Info:
+- GP English name: *Configure customized notifications*
+- GP name: *EnterpriseCustomization_EnableCustomizedToasts*
+- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
The following list shows the supported values:
@@ -785,6 +891,14 @@ Added in Windows 10, version 1709. Enable this policy to have your company name
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+ADMX Info:
+- GP English name: *Configure customized contact information*
+- GP name: *EnterpriseCustomization_EnableInAppCustomization*
+- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
The following list shows the supported values:
@@ -835,6 +949,14 @@ The following list shows the supported values:
Added in Windows 10, version 1803. Use this policy setting to hide the Ransomware data recovery area in Windows Defender Security Center.
+
+ADMX Info:
+- GP English name: *Hide the Ransomware data recovery area*
+- GP name: *VirusThreatProtection_HideRansomwareRecovery*
+- GP path: *Windows Components/Windows Defender Security Center/Virus and threat protection*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
Valid values:
@@ -885,6 +1007,14 @@ Valid values:
Added in Windows 10, version 1803. Use this policy to hide the Secure boot area in the Windows Defender Security Center.
+
+ADMX Info:
+- GP English name: *Hide the Secure boot area*
+- GP name: *DeviceSecurity_HideSecureBoot*
+- GP path: *Windows Components/Windows Defender Security Center/Device security*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
Valid values:
@@ -935,6 +1065,14 @@ Valid values:
Added in Windows 10, version 1803. Use this policy to hide the Security processor (TPM) troubleshooting area in the Windows Defender Security Center.
+
+ADMX Info:
+- GP English name: *Hide the Security processor (TPM) troubleshooter page*
+- GP name: *DeviceSecurity_HideTPMTroubleshooting*
+- GP path: *Windows Components/Windows Defender Security Center/Device security*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
Valid values:
@@ -987,6 +1125,15 @@ Added in Windows 10, version 1709. The phone number or Skype ID that is displaye
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+ADMX Info:
+- GP English name: *Specify contact phone number or Skype ID*
+- GP name: *EnterpriseCustomization_Phone*
+- GP element: *Presentation_EnterpriseCustomization_Phone*
+- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
@@ -1032,6 +1179,15 @@ Added in Windows 10, version 1709. The help portal URL this is displayed to user
Value type is Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+ADMX Info:
+- GP English name: *Specify contact website*
+- GP name: *EnterpriseCustomization_URL*
+- GP element: *Presentation_EnterpriseCustomization_URL*
+- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
index 0b0a6104d4..3549c95e06 100644
--- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - WindowsInkWorkspace
@@ -69,6 +69,14 @@ ms.date: 01/30/2018
Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace.
+
+ADMX Info:
+- GP English name: *Allow suggested apps in Windows Ink Workspace*
+- GP name: *AllowSuggestedAppsInWindowsInkWorkspace*
+- GP path: *Windows Components/Windows Ink Workspace*
+- GP ADMX file name: *WindowsInkWorkspace.admx*
+
+
The following list shows the supported values:
@@ -119,6 +127,15 @@ The following list shows the supported values:
Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace.
+
+ADMX Info:
+- GP English name: *Allow Windows Ink Workspace*
+- GP name: *AllowWindowsInkWorkspace*
+- GP element: *AllowWindowsInkWorkspaceDropdown*
+- GP path: *Windows Components/Windows Ink Workspace*
+- GP ADMX file name: *WindowsInkWorkspace.admx*
+
+
Value type is int. The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index 513b783cee..cc10b25f2c 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - WindowsLogon
@@ -83,14 +83,14 @@ If you disable or do not configure this policy setting, users can choose which a
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off app notifications on the lock screen*
- GP name: *DisableLockScreenAppNotifications*
- GP path: *System/Logon*
- GP ADMX file name: *logon.admx*
-
+
@@ -145,14 +145,14 @@ If you disable or don't configure this policy setting, any user can disconnect t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not display network selection UI*
- GP name: *DontDisplayNetworkSelectionUI*
- GP path: *System/Logon*
- GP ADMX file name: *logon.admx*
-
+
@@ -196,6 +196,14 @@ ADMX Info:
Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations.
+
+ADMX Info:
+- GP English name: *Hide entry points for Fast User Switching*
+- GP name: *HideFastUserSwitching*
+- GP path: *System/Logon*
+- GP ADMX file name: *Logon.admx*
+
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index 5830a05aa4..9e122a3f3f 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 03/05/2018
---
# Policy CSP - WirelessDisplay
@@ -291,6 +291,14 @@ If you set it to 0 (zero), your PC is not discoverable and you cannot project to
Value type is integer.
+
+ADMX Info:
+- GP English name: *Don't allow this PC to be projected to*
+- GP name: *AllowProjectionToPC*
+- GP path: *Windows Components/Connect*
+- GP ADMX file name: *WirelessDisplay.admx*
+
+
The following list shows the supported values:
@@ -422,6 +430,14 @@ If you turn this on, the pairing ceremony for new devices will always require a
Value type is integer.
+
+ADMX Info:
+- GP English name: *Require pin for pairing*
+- GP name: *RequirePinForPairing*
+- GP path: *Windows Components/Connect*
+- GP ADMX file name: *WirelessDisplay.admx*
+
+
The following list shows the supported values: