--- title: Policy DDF file description: Policy DDF file ms.assetid: D90791B5-A772-4AF8-B058-5D566865AF8D ms.reviewer: manager: dansimp ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman ms.date: 05/21/2019 --- # Policy DDF file This topic shows the OMA DM device description framework (DDF) for the **Policy** configuration service provider. DDF files are used only with OMA DM provisioning XML. You can view various Policy DDF files by clicking the following links: - [View the Policy DDF file for Windows 10, version 1903](http://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml) - [View the Policy DDF file for Windows 10, version 1809](http://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml) - [View the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml) - [View the Policy DDF file for Windows 10, version 1803 release C](http://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml) - [View the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml) - [View the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml) - [View the Policy DDF file for Windows 10, version 1607](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml) - [View the Policy DDF file for Windows 10, version 1607 release 8C](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) You can download DDF files for various CSPs from [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). The XML below is the DDF for Windows 10, version 1903. ```xml ]> 1.2 Policy ./User/Vendor/MSFT com.microsoft/9.0/MDM/Policy Config ApplicationManagement MSIAlwaysInstallWithElevatedPrivileges text/plain RequirePrivateStoreOnly text/plain AttachmentManager DoNotPreserveZoneInformation text/plain HideZoneInfoMechanism text/plain NotifyAntivirusPrograms text/plain Authentication AllowEAPCertSSO text/plain Autoplay DisallowAutoplayForNonVolumeDevices text/plain SetDefaultAutoRunBehavior text/plain TurnOffAutoPlay text/plain Browser AllowAddressBarDropdown This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. text/plain AllowAutofill This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. text/plain AllowBrowser text/plain AllowConfigurationUpdateForBooksLibrary This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. text/plain AllowCookies This setting lets you configure how your company deals with cookies. text/plain AllowDeveloperTools This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. text/plain AllowDoNotTrack This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. text/plain AllowExtensions This setting lets you decide whether employees can load extensions in Microsoft Edge. text/plain AllowFlash This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. text/plain AllowFlashClickToRun Configure the Adobe Flash Click-to-Run setting. text/plain AllowFullScreenMode With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. If disabled, full-screen mode is unavailable for use in Microsoft Edge. text/plain AllowInPrivate This setting lets you decide whether employees can browse using InPrivate website browsing. text/plain AllowMicrosoftCompatibilityList This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. text/plain AllowPasswordManager This setting lets you decide whether employees can save their passwords locally, using Password Manager. text/plain AllowPopups This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. text/plain AllowPrelaunch Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. text/plain AllowPrinting With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. If enabled, printing is allowed. If disabled, printing is not allowed. text/plain AllowSavingHistory Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. If enabled or not configured, the browsing history is saved and visible in the History pane. If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. text/plain AllowSearchEngineCustomization Allow search engine customization for MDM enrolled devices. Users can change their default search engine. If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). text/plain AllowSearchSuggestionsinAddressBar This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. text/plain AllowSideloadingOfExtensions This setting lets you decide whether employees can sideload extensions in Microsoft Edge. text/plain AllowSmartScreen This setting lets you decide whether to turn on Windows Defender SmartScreen. text/plain AllowTabPreloading Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. text/plain AllowWebContentOnNewTabPage This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. If you don't configure this setting, employees can choose how new tabs appears. text/plain AlwaysEnableBooksLibrary Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. text/plain ClearBrowsingDataOnExit Specifies whether to always clear browsing history on exiting Microsoft Edge. text/plain ConfigureAdditionalSearchEngines Allows you to add up to 5 additional search engines for MDM-enrolled devices. If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. text/plain ConfigureFavoritesBar The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. text/plain ConfigureHomeButton The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. By default, this policy is disabled or not configured and clicking the home button loads the default Start page. When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. If Enabled AND: - Show home button & set to Start page is selected, clicking the home button loads the Start page. - Show home button & set to New tab page is selected, clicking the home button loads a New tab page. - Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. - Hide home button is selected, the home button is hidden in Microsoft Edge. Default setting: Disabled or not configured Related policies: - Set Home Button URL - Unlock Home Button text/plain ConfigureKioskMode Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). If enabled and set to 0 (Default or not configured): - If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. - If it’s one of many apps, Microsoft Edge runs as normal. If enabled and set to 1: - If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. - If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. text/plain ConfigureKioskResetAfterIdleTimeout You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. If you set this policy to 0, Microsoft Edge does not use an idle timer. If disabled or not configured, the default value is 5 minutes. If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. text/plain ConfigureOpenMicrosoftEdgeWith You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. If enabled, you can choose one of the following options: - Start page: the Start page loads ignoring the Configure Start Pages policy. - New tab page: the New tab page loads ignoring the Configure Start Pages policy. - Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. - A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. Default setting: A specific page or pages (default) Related policies: -Disable Lockdown of Start Pages -Configure Start Pages text/plain ConfigureTelemetryForMicrosoft365Analytics Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. text/plain DisableLockdownOfStartPages You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Start Pages - Configure Open Microsoft Edge With text/plain EnableExtendedBooksTelemetry This setting allows organizations to send extended telemetry on book usage from the Books Library. text/plain EnterpriseModeSiteList This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. text/plain EnterpriseSiteListServiceUrl text/plain FirstRunURL Configure first run URL. text/plain HomePages When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: <support.contoso.com><support.microsoft.com> If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Open Microsoft Edge With - Disable Lockdown of Start Pages text/plain LockdownFavorites This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. Important Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. text/plain PreventAccessToAboutFlagsInMicrosoftEdge Prevent access to the about:flags page in Microsoft Edge. text/plain PreventCertErrorOverrides Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. If enabled, overriding certificate errors are not allowed. If disabled or not configured, overriding certificate errors are allowed. text/plain PreventFirstRunPage Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. text/plain PreventLiveTileDataCollection This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. text/plain PreventSmartScreenPromptOverride Don't allow Windows Defender SmartScreen warning overrides text/plain PreventSmartScreenPromptOverrideForFiles Don't allow Windows Defender SmartScreen warning overrides for unverified files. text/plain PreventTurningOffRequiredExtensions You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and extension. When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. If disabled or not configured, extensions defined as part of this policy get ignored. Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: - Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business) - How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy) - Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows) text/plain PreventUsingLocalHostIPAddressForWebRTC Prevent using localhost IP address for WebRTC text/plain ProvisionFavorites This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. Important Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. text/plain SendIntranetTraffictoInternetExplorer Sends all intranet traffic over to Internet Explorer. text/plain SetDefaultSearchEngine Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. text/plain SetHomeButtonURL The home button can be configured to load a custom URL when your user clicks the home button. If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. Default setting: Blank or not configured Related policy: Configure Home Button text/plain SetNewTabPageURL You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. If enabled, you can set the default New Tab page URL. If disabled or not configured, the default Microsoft Edge new tab page is used. Default setting: Disabled or not configured Related policy: Allow web content on New Tab page text/plain ShowMessageWhenOpeningSitesInInternetExplorer You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. If disabled or not configured, the default app behavior occurs and no additional page displays. Default setting: Disabled or not configured Related policies: -Configure the Enterprise Mode Site List -Send all intranet sites to Internet Explorer 11 text/plain SyncFavoritesBetweenIEAndMicrosoftEdge Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. text/plain UnlockHomeButton By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. Default setting: Disabled or not configured Related policy: -Configure Home Button -Set Home Button URL text/plain UseSharedFolderForBooks This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. text/plain CredentialsUI DisablePasswordReveal text/plain Desktop PreventUserRedirectionOfProfileFolders text/plain Display EnablePerProcessDpi Enable or disable Per-Process System DPI for all applications. text/plain Education DefaultPrinterName This policy sets user's default printer text/plain PreventAddingNewPrinters Boolean that specifies whether or not to prevent user to install new printers text/plain PrinterNames This policy provisions per-user network printers text/plain EnterpriseCloudPrint CloudPrinterDiscoveryEndPoint This policy provisions per-user discovery end point to discover cloud printers text/plain CloudPrintOAuthAuthority Authentication endpoint for acquiring OAuth tokens text/plain CloudPrintOAuthClientId A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority text/plain CloudPrintResourceId Resource URI for which access is being requested by the Enterprise Cloud Print client during OAuth authentication text/plain DiscoveryMaxPrinterLimit Defines the maximum number of printers that should be queried from discovery end point text/plain MopriaDiscoveryResourceId Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication text/plain Experience AllowTailoredExperiencesWithDiagnosticData text/plain AllowThirdPartySuggestionsInWindowsSpotlight text/plain AllowWindowsSpotlight text/plain AllowWindowsSpotlightOnActionCenter text/plain AllowWindowsSpotlightOnSettings text/plain AllowWindowsSpotlightWindowsWelcomeExperience text/plain ConfigureWindowsSpotlightOnLockScreen text/plain InternetExplorer AddSearchProvider text/plain AllowActiveXFiltering text/plain AllowAddOnList text/plain AllowAutoComplete text/plain AllowCertificateAddressMismatchWarning text/plain AllowDeletingBrowsingHistoryOnExit text/plain AllowEnhancedProtectedMode text/plain AllowEnhancedSuggestionsInAddressBar text/plain AllowEnterpriseModeFromToolsMenu text/plain AllowEnterpriseModeSiteList text/plain AllowInternetExplorer7PolicyList text/plain AllowInternetExplorerStandardsMode text/plain AllowInternetZoneTemplate text/plain AllowIntranetZoneTemplate text/plain AllowLocalMachineZoneTemplate text/plain AllowLockedDownInternetZoneTemplate text/plain AllowLockedDownIntranetZoneTemplate text/plain AllowLockedDownLocalMachineZoneTemplate text/plain AllowLockedDownRestrictedSitesZoneTemplate text/plain AllowOneWordEntry text/plain AllowSiteToZoneAssignmentList text/plain AllowsLockedDownTrustedSitesZoneTemplate text/plain AllowSoftwareWhenSignatureIsInvalid text/plain AllowsRestrictedSitesZoneTemplate text/plain AllowSuggestedSites text/plain AllowTrustedSitesZoneTemplate text/plain CheckServerCertificateRevocation text/plain CheckSignaturesOnDownloadedPrograms text/plain ConsistentMimeHandlingInternetExplorerProcesses text/plain DisableActiveXVersionListAutoDownload text/plain DisableAdobeFlash text/plain DisableBypassOfSmartScreenWarnings text/plain DisableBypassOfSmartScreenWarningsAboutUncommonFiles text/plain DisableCompatView text/plain DisableConfiguringHistory text/plain DisableCrashDetection text/plain DisableCustomerExperienceImprovementProgramParticipation text/plain DisableDeletingUserVisitedWebsites text/plain DisableEnclosureDownloading text/plain DisableEncryptionSupport text/plain DisableFeedsBackgroundSync text/plain DisableFirstRunWizard text/plain DisableFlipAheadFeature text/plain DisableGeolocation text/plain DisableHomePageChange text/plain DisableIgnoringCertificateErrors text/plain DisableInPrivateBrowsing text/plain DisableProcessesInEnhancedProtectedMode text/plain DisableProxyChange text/plain DisableSearchProviderChange text/plain DisableSecondaryHomePageChange text/plain DisableSecuritySettingsCheck text/plain DisableWebAddressAutoComplete text/plain DoNotAllowActiveXControlsInProtectedMode text/plain DoNotBlockOutdatedActiveXControls text/plain DoNotBlockOutdatedActiveXControlsOnSpecificDomains text/plain IncludeAllLocalSites text/plain IncludeAllNetworkPaths text/plain InternetZoneAllowAccessToDataSources text/plain InternetZoneAllowAutomaticPromptingForActiveXControls text/plain InternetZoneAllowAutomaticPromptingForFileDownloads text/plain InternetZoneAllowCopyPasteViaScript text/plain InternetZoneAllowDragAndDropCopyAndPasteFiles text/plain InternetZoneAllowFontDownloads text/plain InternetZoneAllowLessPrivilegedSites text/plain InternetZoneAllowLoadingOfXAMLFiles text/plain InternetZoneAllowNETFrameworkReliantComponents text/plain InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls text/plain InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl text/plain InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls text/plain InternetZoneAllowScriptInitiatedWindows text/plain InternetZoneAllowScriptlets text/plain InternetZoneAllowSmartScreenIE text/plain InternetZoneAllowUpdatesToStatusBarViaScript text/plain InternetZoneAllowUserDataPersistence text/plain InternetZoneAllowVBScriptToRunInInternetExplorer text/plain InternetZoneDoNotRunAntimalwareAgainstActiveXControls text/plain InternetZoneDownloadSignedActiveXControls text/plain InternetZoneDownloadUnsignedActiveXControls text/plain InternetZoneEnableCrossSiteScriptingFilter text/plain InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows text/plain InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows text/plain InternetZoneEnableMIMESniffing text/plain InternetZoneEnableProtectedMode text/plain InternetZoneIncludeLocalPathWhenUploadingFilesToServer text/plain InternetZoneInitializeAndScriptActiveXControls text/plain InternetZoneJavaPermissions text/plain InternetZoneLaunchingApplicationsAndFilesInIFRAME text/plain InternetZoneLogonOptions text/plain InternetZoneNavigateWindowsAndFrames text/plain InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode text/plain InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles text/plain InternetZoneUsePopupBlocker text/plain IntranetZoneAllowAccessToDataSources text/plain IntranetZoneAllowAutomaticPromptingForActiveXControls text/plain IntranetZoneAllowAutomaticPromptingForFileDownloads text/plain IntranetZoneAllowFontDownloads text/plain IntranetZoneAllowLessPrivilegedSites text/plain IntranetZoneAllowNETFrameworkReliantComponents text/plain IntranetZoneAllowScriptlets text/plain IntranetZoneAllowSmartScreenIE text/plain IntranetZoneAllowUserDataPersistence text/plain IntranetZoneDoNotRunAntimalwareAgainstActiveXControls text/plain IntranetZoneInitializeAndScriptActiveXControls text/plain IntranetZoneJavaPermissions text/plain IntranetZoneNavigateWindowsAndFrames text/plain LocalMachineZoneAllowAccessToDataSources text/plain LocalMachineZoneAllowAutomaticPromptingForActiveXControls text/plain LocalMachineZoneAllowAutomaticPromptingForFileDownloads text/plain LocalMachineZoneAllowFontDownloads text/plain LocalMachineZoneAllowLessPrivilegedSites text/plain LocalMachineZoneAllowNETFrameworkReliantComponents text/plain LocalMachineZoneAllowScriptlets text/plain LocalMachineZoneAllowSmartScreenIE text/plain LocalMachineZoneAllowUserDataPersistence text/plain LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls text/plain LocalMachineZoneInitializeAndScriptActiveXControls text/plain LocalMachineZoneJavaPermissions text/plain LocalMachineZoneNavigateWindowsAndFrames text/plain LockedDownInternetZoneAllowAccessToDataSources text/plain LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls text/plain LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads text/plain LockedDownInternetZoneAllowFontDownloads text/plain LockedDownInternetZoneAllowLessPrivilegedSites text/plain LockedDownInternetZoneAllowNETFrameworkReliantComponents text/plain LockedDownInternetZoneAllowScriptlets text/plain LockedDownInternetZoneAllowSmartScreenIE text/plain LockedDownInternetZoneAllowUserDataPersistence text/plain LockedDownInternetZoneInitializeAndScriptActiveXControls text/plain LockedDownInternetZoneJavaPermissions text/plain LockedDownInternetZoneNavigateWindowsAndFrames text/plain LockedDownIntranetJavaPermissions text/plain LockedDownIntranetZoneAllowAccessToDataSources text/plain LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls text/plain LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads text/plain LockedDownIntranetZoneAllowFontDownloads text/plain LockedDownIntranetZoneAllowLessPrivilegedSites text/plain LockedDownIntranetZoneAllowNETFrameworkReliantComponents text/plain LockedDownIntranetZoneAllowScriptlets text/plain LockedDownIntranetZoneAllowSmartScreenIE text/plain LockedDownIntranetZoneAllowUserDataPersistence text/plain LockedDownIntranetZoneInitializeAndScriptActiveXControls text/plain LockedDownIntranetZoneNavigateWindowsAndFrames text/plain LockedDownLocalMachineZoneAllowAccessToDataSources text/plain LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls text/plain LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads text/plain LockedDownLocalMachineZoneAllowFontDownloads text/plain LockedDownLocalMachineZoneAllowLessPrivilegedSites text/plain LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents text/plain LockedDownLocalMachineZoneAllowScriptlets text/plain LockedDownLocalMachineZoneAllowSmartScreenIE text/plain LockedDownLocalMachineZoneAllowUserDataPersistence text/plain LockedDownLocalMachineZoneInitializeAndScriptActiveXControls text/plain LockedDownLocalMachineZoneJavaPermissions text/plain LockedDownLocalMachineZoneNavigateWindowsAndFrames text/plain LockedDownRestrictedSitesZoneAllowAccessToDataSources text/plain LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls text/plain LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads text/plain LockedDownRestrictedSitesZoneAllowFontDownloads text/plain LockedDownRestrictedSitesZoneAllowLessPrivilegedSites text/plain LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents text/plain LockedDownRestrictedSitesZoneAllowScriptlets text/plain LockedDownRestrictedSitesZoneAllowSmartScreenIE text/plain LockedDownRestrictedSitesZoneAllowUserDataPersistence text/plain LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls text/plain LockedDownRestrictedSitesZoneJavaPermissions text/plain LockedDownRestrictedSitesZoneNavigateWindowsAndFrames text/plain LockedDownTrustedSitesZoneAllowAccessToDataSources text/plain LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls text/plain LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads text/plain LockedDownTrustedSitesZoneAllowFontDownloads text/plain LockedDownTrustedSitesZoneAllowLessPrivilegedSites text/plain LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents text/plain LockedDownTrustedSitesZoneAllowScriptlets text/plain LockedDownTrustedSitesZoneAllowSmartScreenIE text/plain LockedDownTrustedSitesZoneAllowUserDataPersistence text/plain LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls text/plain LockedDownTrustedSitesZoneJavaPermissions text/plain LockedDownTrustedSitesZoneNavigateWindowsAndFrames text/plain MimeSniffingSafetyFeatureInternetExplorerProcesses text/plain MKProtocolSecurityRestrictionInternetExplorerProcesses text/plain NewTabDefaultPage text/plain NotificationBarInternetExplorerProcesses text/plain PreventManagingSmartScreenFilter text/plain PreventPerUserInstallationOfActiveXControls text/plain ProtectionFromZoneElevationInternetExplorerProcesses text/plain RemoveRunThisTimeButtonForOutdatedActiveXControls text/plain RestrictActiveXInstallInternetExplorerProcesses text/plain RestrictedSitesZoneAllowAccessToDataSources text/plain RestrictedSitesZoneAllowActiveScripting text/plain RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls text/plain RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads text/plain RestrictedSitesZoneAllowBinaryAndScriptBehaviors text/plain RestrictedSitesZoneAllowCopyPasteViaScript text/plain RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles text/plain RestrictedSitesZoneAllowFileDownloads text/plain RestrictedSitesZoneAllowFontDownloads text/plain RestrictedSitesZoneAllowLessPrivilegedSites text/plain RestrictedSitesZoneAllowLoadingOfXAMLFiles text/plain RestrictedSitesZoneAllowMETAREFRESH text/plain RestrictedSitesZoneAllowNETFrameworkReliantComponents text/plain RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls text/plain RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl text/plain RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls text/plain RestrictedSitesZoneAllowScriptInitiatedWindows text/plain RestrictedSitesZoneAllowScriptlets text/plain RestrictedSitesZoneAllowSmartScreenIE text/plain RestrictedSitesZoneAllowUpdatesToStatusBarViaScript text/plain RestrictedSitesZoneAllowUserDataPersistence text/plain RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer text/plain RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls text/plain RestrictedSitesZoneDownloadSignedActiveXControls text/plain RestrictedSitesZoneDownloadUnsignedActiveXControls text/plain RestrictedSitesZoneEnableCrossSiteScriptingFilter text/plain RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows text/plain RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows text/plain RestrictedSitesZoneEnableMIMESniffing text/plain RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer text/plain RestrictedSitesZoneInitializeAndScriptActiveXControls text/plain RestrictedSitesZoneJavaPermissions text/plain RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME text/plain RestrictedSitesZoneLogonOptions text/plain RestrictedSitesZoneNavigateWindowsAndFrames text/plain RestrictedSitesZoneRunActiveXControlsAndPlugins text/plain RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode text/plain RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting text/plain RestrictedSitesZoneScriptingOfJavaApplets text/plain RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles text/plain RestrictedSitesZoneTurnOnProtectedMode text/plain RestrictedSitesZoneUsePopupBlocker text/plain RestrictFileDownloadInternetExplorerProcesses text/plain ScriptedWindowSecurityRestrictionsInternetExplorerProcesses text/plain SearchProviderList text/plain SpecifyUseOfActiveXInstallerService text/plain TrustedSitesZoneAllowAccessToDataSources text/plain TrustedSitesZoneAllowAutomaticPromptingForActiveXControls text/plain TrustedSitesZoneAllowAutomaticPromptingForFileDownloads text/plain TrustedSitesZoneAllowFontDownloads text/plain TrustedSitesZoneAllowLessPrivilegedSites text/plain TrustedSitesZoneAllowNETFrameworkReliantComponents text/plain TrustedSitesZoneAllowScriptlets text/plain TrustedSitesZoneAllowSmartScreenIE text/plain TrustedSitesZoneAllowUserDataPersistence text/plain TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls text/plain TrustedSitesZoneInitializeAndScriptActiveXControls text/plain TrustedSitesZoneJavaPermissions text/plain TrustedSitesZoneNavigateWindowsAndFrames text/plain KioskBrowser BlockedUrlExceptions List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. text/plain BlockedUrls List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. text/plain DefaultURL Configures the default URL kiosk browsers to navigate on launch and restart. text/plain EnableEndSessionButton Enable/disable kiosk browser's end session button. text/plain EnableHomeButton Enable/disable kiosk browser's home button. text/plain EnableNavigationButtons Enable/disable kiosk browser's navigation buttons (forward/back). text/plain RestartOnIdleTime Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. text/plain Notifications DisallowNotificationMirroring text/plain DisallowTileNotification text/plain Printers PointAndPrintRestrictions_User text/plain Privacy DisablePrivacyExperience Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. text/plain Security RecoveryEnvironmentAuthentication This policy controls the requirement of Admin Authentication in RecoveryEnvironment. text/plain Settings ConfigureTaskbarCalendar text/plain PageVisibilityList text/plain Start DisableContextMenus Enabling this policy prevents context menus from being invoked in the Start Menu. text/plain ForceStartSize text/plain HideAppList Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. text/plain HideFrequentlyUsedApps Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. text/plain HidePeopleBar Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. text/plain HideRecentJumplists Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. text/plain HideRecentlyAddedApps Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. text/plain StartLayout text/plain System AllowTelemetry text/plain WindowsPowerShell TurnOnPowerShellScriptBlockLogging text/plain Result ApplicationManagement MSIAlwaysInstallWithElevatedPrivileges 0 text/plain phone MSI.admx MSI~AT~WindowsComponents~MSI AlwaysInstallElevated HighestValueMostSecure RequirePrivateStoreOnly 0 text/plain WindowsStore.admx WindowsStore~AT~WindowsComponents~WindowsStore RequirePrivateStoreOnly HighestValueMostSecure AttachmentManager DoNotPreserveZoneInformation text/plain phone AttachmentManager.admx AttachmentManager~AT~WindowsComponents~AM_AM AM_MarkZoneOnSavedAtttachments LastWrite HideZoneInfoMechanism text/plain phone AttachmentManager.admx AttachmentManager~AT~WindowsComponents~AM_AM AM_RemoveZoneInfo LastWrite NotifyAntivirusPrograms text/plain phone AttachmentManager.admx AttachmentManager~AT~WindowsComponents~AM_AM AM_CallIOfficeAntiVirus LastWrite Authentication AllowEAPCertSSO 0 text/plain LowestValueMostSecure Autoplay DisallowAutoplayForNonVolumeDevices text/plain phone AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay NoAutoplayfornonVolume LastWrite SetDefaultAutoRunBehavior text/plain phone AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay NoAutorun LastWrite TurnOffAutoPlay text/plain phone AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay Autorun LastWrite Browser AllowAddressBarDropdown 1 This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowAddressBarDropdown LowestValueMostSecure AllowAutofill 0 This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowAutofill LowestValueMostSecure AllowBrowser 1 text/plain desktop LowestValueMostSecure AllowConfigurationUpdateForBooksLibrary 1 This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. text/plain LowestValueMostSecure AllowCookies 2 This setting lets you configure how your company deals with cookies. text/plain MicrosoftEdge.admx CookiesListBox MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge Cookies LowestValueMostSecure AllowDeveloperTools 1 This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowDeveloperTools LowestValueMostSecure AllowDoNotTrack 0 This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowDoNotTrack LowestValueMostSecure AllowExtensions 1 This setting lets you decide whether employees can load extensions in Microsoft Edge. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowExtensions LowestValueMostSecure AllowFlash 1 This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowFlash HighestValueMostSecure AllowFlashClickToRun 1 Configure the Adobe Flash Click-to-Run setting. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowFlashClickToRun HighestValueMostSecure AllowFullScreenMode 1 With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. If disabled, full-screen mode is unavailable for use in Microsoft Edge. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowFullScreenMode LowestValueMostSecure AllowInPrivate 1 This setting lets you decide whether employees can browse using InPrivate website browsing. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowInPrivate LowestValueMostSecure AllowMicrosoftCompatibilityList 1 This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowCVList LowestValueMostSecure AllowPasswordManager 1 This setting lets you decide whether employees can save their passwords locally, using Password Manager. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowPasswordManager LowestValueMostSecure AllowPopups 0 This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowPopups LowestValueMostSecure AllowPrelaunch 1 Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowPrelaunch LowestValueMostSecure AllowPrinting 1 With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. If enabled, printing is allowed. If disabled, printing is not allowed. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowPrinting LowestValueMostSecure AllowSavingHistory 1 Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. If enabled or not configured, the browsing history is saved and visible in the History pane. If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowSavingHistory LowestValueMostSecure AllowSearchEngineCustomization 1 Allow search engine customization for MDM enrolled devices. Users can change their default search engine. If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowSearchEngineCustomization LowestValueMostSecure AllowSearchSuggestionsinAddressBar 1 This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowSearchSuggestionsinAddressBar LowestValueMostSecure AllowSideloadingOfExtensions 1 This setting lets you decide whether employees can sideload extensions in Microsoft Edge. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowSideloadingOfExtensions LowestValueMostSecure AllowSmartScreen 1 This setting lets you decide whether to turn on Windows Defender SmartScreen. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowSmartScreen LowestValueMostSecure AllowTabPreloading 1 Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowTabPreloading LowestValueMostSecure AllowWebContentOnNewTabPage 1 This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. If you don't configure this setting, employees can choose how new tabs appears. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowWebContentOnNewTabPage LowestValueMostSecure AlwaysEnableBooksLibrary 0 Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AlwaysEnableBooksLibrary LowestValueMostSecure ClearBrowsingDataOnExit 0 Specifies whether to always clear browsing history on exiting Microsoft Edge. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowClearingBrowsingDataOnExit LowestValueMostSecure ConfigureAdditionalSearchEngines Allows you to add up to 5 additional search engines for MDM-enrolled devices. If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. text/plain MicrosoftEdge.admx ConfigureAdditionalSearchEngines_Prompt MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge ConfigureAdditionalSearchEngines LastWrite ConfigureFavoritesBar 0 The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge ConfigureFavoritesBar LowestValueMostSecure ConfigureHomeButton 0 The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. By default, this policy is disabled or not configured and clicking the home button loads the default Start page. When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. If Enabled AND: - Show home button & set to Start page is selected, clicking the home button loads the Start page. - Show home button & set to New tab page is selected, clicking the home button loads a New tab page. - Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. - Hide home button is selected, the home button is hidden in Microsoft Edge. Default setting: Disabled or not configured Related policies: - Set Home Button URL - Unlock Home Button text/plain phone MicrosoftEdge.admx ConfigureHomeButtonDropdown MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge ConfigureHomeButton LastWrite ConfigureKioskMode 0 Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). If enabled and set to 0 (Default or not configured): - If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. - If it’s one of many apps, Microsoft Edge runs as normal. If enabled and set to 1: - If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. - If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. text/plain phone MicrosoftEdge.admx ConfigureKioskMode_TextBox MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge ConfigureKioskMode LastWrite ConfigureKioskResetAfterIdleTimeout 5 You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. If you set this policy to 0, Microsoft Edge does not use an idle timer. If disabled or not configured, the default value is 5 minutes. If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. text/plain phone MicrosoftEdge.admx ConfigureKioskResetAfterIdleTimeout_TextBox MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge ConfigureKioskResetAfterIdleTimeout LastWrite ConfigureOpenMicrosoftEdgeWith 3 You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. If enabled, you can choose one of the following options: - Start page: the Start page loads ignoring the Configure Start Pages policy. - New tab page: the New tab page loads ignoring the Configure Start Pages policy. - Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. - A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. Default setting: A specific page or pages (default) Related policies: -Disable Lockdown of Start Pages -Configure Start Pages text/plain phone MicrosoftEdge.admx ConfigureOpenEdgeWithListBox MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge ConfigureOpenEdgeWith LastWrite ConfigureTelemetryForMicrosoft365Analytics 0 Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. text/plain MicrosoftEdge.admx ZonesListBox MicrosoftEdge~AT~WindowsComponents~DataCollectionAndPreviewBuilds ConfigureTelemetryForMicrosoft365Analytics LowestValueMostSecure DisableLockdownOfStartPages 0 You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Start Pages - Configure Open Microsoft Edge With text/plain phone MicrosoftEdge.admx DisableLockdownOfStartPagesListBox MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge DisableLockdownOfStartPages LowestValueMostSecure EnableExtendedBooksTelemetry 0 This setting allows organizations to send extended telemetry on book usage from the Books Library. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge EnableExtendedBooksTelemetry LowestValueMostSecure EnterpriseModeSiteList This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. text/plain phone MicrosoftEdge.admx EnterSiteListPrompt MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge EnterpriseModeSiteList LastWrite EnterpriseSiteListServiceUrl text/plain phone LastWrite FirstRunURL Configure first run URL. text/plain desktop LastWrite HomePages When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: <support.contoso.com><support.microsoft.com> If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Open Microsoft Edge With - Disable Lockdown of Start Pages text/plain phone MicrosoftEdge.admx HomePagesPrompt MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge HomePages LastWrite LockdownFavorites 0 This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. Important Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge LockdownFavorites LowestValueMostSecure PreventAccessToAboutFlagsInMicrosoftEdge 0 Prevent access to the about:flags page in Microsoft Edge. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge PreventAccessToAboutFlagsInMicrosoftEdge HighestValueMostSecure PreventCertErrorOverrides 0 Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. If enabled, overriding certificate errors are not allowed. If disabled or not configured, overriding certificate errors are allowed. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge PreventCertErrorOverrides HighestValueMostSecure PreventFirstRunPage 0 Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge PreventFirstRunPage HighestValueMostSecure PreventLiveTileDataCollection 0 This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge PreventLiveTileDataCollection HighestValueMostSecure PreventSmartScreenPromptOverride 0 Don't allow Windows Defender SmartScreen warning overrides text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge PreventSmartScreenPromptOverride HighestValueMostSecure PreventSmartScreenPromptOverrideForFiles 0 Don't allow Windows Defender SmartScreen warning overrides for unverified files. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge PreventSmartScreenPromptOverrideForFiles HighestValueMostSecure PreventTurningOffRequiredExtensions You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and extension. When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. If disabled or not configured, extensions defined as part of this policy get ignored. Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: - Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business) - How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy) - Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows) text/plain phone MicrosoftEdge.admx PreventTurningOffRequiredExtensions_Prompt MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge PreventTurningOffRequiredExtensions LastWrite PreventUsingLocalHostIPAddressForWebRTC 0 Prevent using localhost IP address for WebRTC text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge HideLocalHostIPAddress HighestValueMostSecure ProvisionFavorites This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. Important Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. text/plain MicrosoftEdge.admx ConfiguredFavoritesPrompt MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge ConfiguredFavorites LastWrite SendIntranetTraffictoInternetExplorer 0 Sends all intranet traffic over to Internet Explorer. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge SendIntranetTraffictoInternetExplorer HighestValueMostSecure SetDefaultSearchEngine Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. text/plain MicrosoftEdge.admx SetDefaultSearchEngine_Prompt MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge SetDefaultSearchEngine LastWrite SetHomeButtonURL The home button can be configured to load a custom URL when your user clicks the home button. If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. Default setting: Blank or not configured Related policy: Configure Home Button text/plain phone MicrosoftEdge.admx SetHomeButtonURLPrompt MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge SetHomeButtonURL LastWrite SetNewTabPageURL You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. If enabled, you can set the default New Tab page URL. If disabled or not configured, the default Microsoft Edge new tab page is used. Default setting: Disabled or not configured Related policy: Allow web content on New Tab page text/plain phone MicrosoftEdge.admx SetNewTabPageURLPrompt MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge SetNewTabPageURL LastWrite ShowMessageWhenOpeningSitesInInternetExplorer 0 You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. If disabled or not configured, the default app behavior occurs and no additional page displays. Default setting: Disabled or not configured Related policies: -Configure the Enterprise Mode Site List -Send all intranet sites to Internet Explorer 11 text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge ShowMessageWhenOpeningSitesInInternetExplorer HighestValueMostSecure SyncFavoritesBetweenIEAndMicrosoftEdge 0 Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge SyncFavoritesBetweenIEAndMicrosoftEdge LowestValueMostSecure UnlockHomeButton 0 By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. Default setting: Disabled or not configured Related policy: -Configure Home Button -Set Home Button URL text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge UnlockHomeButton LowestValueMostSecure UseSharedFolderForBooks 0 This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge UseSharedFolderForBooks LowestValueMostSecure CredentialsUI DisablePasswordReveal text/plain phone credui.admx CredUI~AT~WindowsComponents~CredUI DisablePasswordReveal LastWrite Desktop PreventUserRedirectionOfProfileFolders text/plain phone desktop.admx desktop~AT~Desktop DisablePersonalDirChange LastWrite Display EnablePerProcessDpi Enable or disable Per-Process System DPI for all applications. text/plain phone Display.admx DisplayGlobalPerProcessSystemDpiSettings Display~AT~System~DisplayCat DisplayPerProcessSystemDpiSettings LowestValueMostSecure Education DefaultPrinterName This policy sets user's default printer text/plain LastWrite PreventAddingNewPrinters 0 Boolean that specifies whether or not to prevent user to install new printers text/plain Printing.admx Printing~AT~ControlPanel~CplPrinters NoAddPrinter HighestValueMostSecure PrinterNames This policy provisions per-user network printers text/plain LastWrite EnterpriseCloudPrint CloudPrinterDiscoveryEndPoint This policy provisions per-user discovery end point to discover cloud printers text/plain LastWrite CloudPrintOAuthAuthority Authentication endpoint for acquiring OAuth tokens text/plain LastWrite CloudPrintOAuthClientId A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority text/plain LastWrite CloudPrintResourceId Resource URI for which access is being requested by the Enterprise Cloud Print client during OAuth authentication text/plain LastWrite DiscoveryMaxPrinterLimit 20 Defines the maximum number of printers that should be queried from discovery end point text/plain LastWrite MopriaDiscoveryResourceId Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication text/plain LastWrite Experience AllowTailoredExperiencesWithDiagnosticData 1 text/plain CloudContent.admx CloudContent~AT~WindowsComponents~CloudContent DisableTailoredExperiencesWithDiagnosticData LowestValueMostSecure AllowThirdPartySuggestionsInWindowsSpotlight 1 text/plain phone CloudContent.admx CloudContent~AT~WindowsComponents~CloudContent DisableThirdPartySuggestions LowestValueMostSecure AllowWindowsSpotlight 1 text/plain phone CloudContent.admx CloudContent~AT~WindowsComponents~CloudContent DisableWindowsSpotlightFeatures LowestValueMostSecure AllowWindowsSpotlightOnActionCenter 1 text/plain CloudContent.admx CloudContent~AT~WindowsComponents~CloudContent DisableWindowsSpotlightOnActionCenter LowestValueMostSecure AllowWindowsSpotlightOnSettings 1 text/plain CloudContent.admx CloudContent~AT~WindowsComponents~CloudContent DisableWindowsSpotlightOnSettings LowestValueMostSecure AllowWindowsSpotlightWindowsWelcomeExperience 1 text/plain CloudContent.admx CloudContent~AT~WindowsComponents~CloudContent DisableWindowsSpotlightWindowsWelcomeExperience LowestValueMostSecure ConfigureWindowsSpotlightOnLockScreen 1 text/plain phone CloudContent.admx CloudContent~AT~WindowsComponents~CloudContent ConfigureWindowsSpotlight LowestValueMostSecure InternetExplorer AddSearchProvider text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer AddSearchProvider LastWrite AllowActiveXFiltering text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer TurnOnActiveXFiltering LastWrite AllowAddOnList text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement AddonManagement_AddOnList LastWrite AllowAutoComplete text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer RestrictFormSuggestPW LastWrite AllowCertificateAddressMismatchWarning text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyWarnCertMismatch LastWrite AllowDeletingBrowsingHistoryOnExit text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory DBHDisableDeleteOnExit LastWrite AllowEnhancedProtectedMode text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_EnableEnhancedProtectedMode LastWrite AllowEnhancedSuggestionsInAddressBar text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer AllowServicePoweredQSA LastWrite AllowEnterpriseModeFromToolsMenu text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnterpriseModeEnable LastWrite AllowEnterpriseModeSiteList text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnterpriseModeSiteList LastWrite AllowInternetExplorer7PolicyList text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_UsePolicyList LastWrite AllowInternetExplorerStandardsMode text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_IntranetSites LastWrite AllowInternetZoneTemplate text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyInternetZoneTemplate LastWrite AllowIntranetZoneTemplate text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyIntranetZoneTemplate LastWrite AllowLocalMachineZoneTemplate text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyLocalMachineZoneTemplate LastWrite AllowLockedDownInternetZoneTemplate text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyInternetZoneLockdownTemplate LastWrite AllowLockedDownIntranetZoneTemplate text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyIntranetZoneLockdownTemplate LastWrite AllowLockedDownLocalMachineZoneTemplate text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyLocalMachineZoneLockdownTemplate LastWrite AllowLockedDownRestrictedSitesZoneTemplate text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyRestrictedSitesZoneLockdownTemplate LastWrite AllowOneWordEntry text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetSettings~Advanced~Browsing UseIntranetSiteForOneWordEntry LastWrite AllowSiteToZoneAssignmentList text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_Zonemaps LastWrite AllowsLockedDownTrustedSitesZoneTemplate text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyTrustedSitesZoneLockdownTemplate LastWrite AllowSoftwareWhenSignatureIsInvalid text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_InvalidSignatureBlock LastWrite AllowsRestrictedSitesZoneTemplate text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyRestrictedSitesZoneTemplate LastWrite AllowSuggestedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnableSuggestedSites LastWrite AllowTrustedSitesZoneTemplate text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyTrustedSitesZoneTemplate LastWrite CheckServerCertificateRevocation text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_CertificateRevocation LastWrite CheckSignaturesOnDownloadedPrograms text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DownloadSignatures LastWrite ConsistentMimeHandlingInternetExplorerProcesses text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryConsistentMimeHandling IESF_PolicyExplorerProcesses_5 LastWrite DisableActiveXVersionListAutoDownload text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VersionListAutomaticDownloadDisable LastWrite DisableAdobeFlash text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement DisableFlashInIE LastWrite DisableBypassOfSmartScreenWarnings text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer DisableSafetyFilterOverride LastWrite DisableBypassOfSmartScreenWarningsAboutUncommonFiles text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer DisableSafetyFilterOverrideForAppRepUnknown LastWrite DisableCompatView text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_DisableList LastWrite DisableConfiguringHistory text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory RestrictHistory LastWrite DisableCrashDetection text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer AddonManagement_RestrictCrashDetection LastWrite DisableCustomerExperienceImprovementProgramParticipation text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer SQM_DisableCEIP LastWrite DisableDeletingUserVisitedWebsites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory DBHDisableDeleteHistory LastWrite DisableEnclosureDownloading text/plain phone inetres.admx inetres~AT~WindowsComponents~RSS_Feeds Disable_Downloading_of_Enclosures LastWrite DisableEncryptionSupport text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_SetWinInetProtocols LastWrite DisableFeedsBackgroundSync text/plain phone inetres.admx inetres~AT~WindowsComponents~RSS_Feeds Disable_Background_Syncing LastWrite DisableFirstRunWizard text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer NoFirstRunCustomise LastWrite DisableFlipAheadFeature text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DisableFlipAhead LastWrite DisableGeolocation text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer GeolocationDisable LastWrite DisableHomePageChange text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer RestrictHomePage LastWrite DisableIgnoringCertificateErrors text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL NoCertError LastWrite DisableInPrivateBrowsing text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryPrivacy DisableInPrivateBrowsing LastWrite DisableProcessesInEnhancedProtectedMode text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_EnableEnhancedProtectedMode64Bit LastWrite DisableProxyChange text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer RestrictProxy LastWrite DisableSearchProviderChange text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer NoSearchProvider LastWrite DisableSecondaryHomePageChange text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer SecondaryHomePages LastWrite DisableSecuritySettingsCheck text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer Disable_Security_Settings_Check LastWrite DisableWebAddressAutoComplete text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer RestrictWebAddressSuggest LastWrite DoNotAllowActiveXControlsInProtectedMode text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DisableEPMCompat LastWrite DoNotBlockOutdatedActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisable LastWrite DoNotBlockOutdatedActiveXControlsOnSpecificDomains text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDomainAllowlist LastWrite IncludeAllLocalSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_IncludeUnspecifiedLocalSites LastWrite IncludeAllNetworkPaths text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_UNCAsIntranet LastWrite InternetZoneAllowAccessToDataSources text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAccessDataSourcesAcrossDomains_1 LastWrite InternetZoneAllowAutomaticPromptingForActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNotificationBarActiveXURLaction_1 LastWrite InternetZoneAllowAutomaticPromptingForFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNotificationBarDownloadURLaction_1 LastWrite InternetZoneAllowCopyPasteViaScript text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAllowPasteViaScript_1 LastWrite InternetZoneAllowDragAndDropCopyAndPasteFiles text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDropOrPasteFiles_1 LastWrite InternetZoneAllowFontDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyFontDownload_1 LastWrite InternetZoneAllowLessPrivilegedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyZoneElevationURLaction_1 LastWrite InternetZoneAllowLoadingOfXAMLFiles text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_XAML_1 LastWrite InternetZoneAllowNETFrameworkReliantComponents text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_1 LastWrite InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet LastWrite InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAllowTDCControl_Both_Internet LastWrite InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_WebBrowserControl_1 LastWrite InternetZoneAllowScriptInitiatedWindows text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyWindowsRestrictionsURLaction_1 LastWrite InternetZoneAllowScriptlets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_AllowScriptlets_1 LastWrite InternetZoneAllowSmartScreenIE text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_Phishing_1 LastWrite InternetZoneAllowUpdatesToStatusBarViaScript text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_ScriptStatusBar_1 LastWrite InternetZoneAllowUserDataPersistence text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUserdataPersistence_1 LastWrite InternetZoneAllowVBScriptToRunInInternetExplorer text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAllowVBScript_1 LastWrite InternetZoneDoNotRunAntimalwareAgainstActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 LastWrite InternetZoneDownloadSignedActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDownloadSignedActiveX_1 LastWrite InternetZoneDownloadUnsignedActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDownloadUnsignedActiveX_1 LastWrite InternetZoneEnableCrossSiteScriptingFilter text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyTurnOnXSSFilter_Both_Internet LastWrite InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet LastWrite InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet LastWrite InternetZoneEnableMIMESniffing text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyMimeSniffingURLaction_1 LastWrite InternetZoneEnableProtectedMode text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_TurnOnProtectedMode_1 LastWrite InternetZoneIncludeLocalPathWhenUploadingFilesToServer text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_LocalPathForUpload_1 LastWrite InternetZoneInitializeAndScriptActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyScriptActiveXNotMarkedSafe_1 LastWrite InternetZoneJavaPermissions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyJavaPermissions_1 LastWrite InternetZoneLaunchingApplicationsAndFilesInIFRAME text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyLaunchAppsAndFilesInIFRAME_1 LastWrite InternetZoneLogonOptions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyLogon_1 LastWrite InternetZoneNavigateWindowsAndFrames text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNavigateSubframesAcrossDomains_1 LastWrite InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicySignedFrameworkComponentsURLaction_1 LastWrite InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_UnsafeFiles_1 LastWrite InternetZoneUsePopupBlocker text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyBlockPopupWindows_1 LastWrite IntranetZoneAllowAccessToDataSources text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyAccessDataSourcesAcrossDomains_3 LastWrite IntranetZoneAllowAutomaticPromptingForActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNotificationBarActiveXURLaction_3 LastWrite IntranetZoneAllowAutomaticPromptingForFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNotificationBarDownloadURLaction_3 LastWrite IntranetZoneAllowFontDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyFontDownload_3 LastWrite IntranetZoneAllowLessPrivilegedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyZoneElevationURLaction_3 LastWrite IntranetZoneAllowNETFrameworkReliantComponents text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_3 LastWrite IntranetZoneAllowScriptlets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_Policy_AllowScriptlets_3 LastWrite IntranetZoneAllowSmartScreenIE text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_Policy_Phishing_3 LastWrite IntranetZoneAllowUserDataPersistence text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyUserdataPersistence_3 LastWrite IntranetZoneDoNotRunAntimalwareAgainstActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 LastWrite IntranetZoneInitializeAndScriptActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyScriptActiveXNotMarkedSafe_3 LastWrite IntranetZoneJavaPermissions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyJavaPermissions_3 LastWrite IntranetZoneNavigateWindowsAndFrames text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNavigateSubframesAcrossDomains_3 LastWrite LocalMachineZoneAllowAccessToDataSources text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyAccessDataSourcesAcrossDomains_9 LastWrite LocalMachineZoneAllowAutomaticPromptingForActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNotificationBarActiveXURLaction_9 LastWrite LocalMachineZoneAllowAutomaticPromptingForFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNotificationBarDownloadURLaction_9 LastWrite LocalMachineZoneAllowFontDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyFontDownload_9 LastWrite LocalMachineZoneAllowLessPrivilegedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyZoneElevationURLaction_9 LastWrite LocalMachineZoneAllowNETFrameworkReliantComponents text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyUnsignedFrameworkComponentsURLaction_9 LastWrite LocalMachineZoneAllowScriptlets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_Policy_AllowScriptlets_9 LastWrite LocalMachineZoneAllowSmartScreenIE text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_Policy_Phishing_9 LastWrite LocalMachineZoneAllowUserDataPersistence text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyUserdataPersistence_9 LastWrite LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 LastWrite LocalMachineZoneInitializeAndScriptActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyScriptActiveXNotMarkedSafe_9 LastWrite LocalMachineZoneJavaPermissions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyJavaPermissions_9 LastWrite LocalMachineZoneNavigateWindowsAndFrames text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNavigateSubframesAcrossDomains_9 LastWrite LockedDownInternetZoneAllowAccessToDataSources text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_2 LastWrite LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_2 LastWrite LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_2 LastWrite LockedDownInternetZoneAllowFontDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyFontDownload_2 LastWrite LockedDownInternetZoneAllowLessPrivilegedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyZoneElevationURLaction_2 LastWrite LockedDownInternetZoneAllowNETFrameworkReliantComponents text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_2 LastWrite LockedDownInternetZoneAllowScriptlets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_Policy_AllowScriptlets_2 LastWrite LockedDownInternetZoneAllowSmartScreenIE text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_Policy_Phishing_2 LastWrite LockedDownInternetZoneAllowUserDataPersistence text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyUserdataPersistence_2 LastWrite LockedDownInternetZoneInitializeAndScriptActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_2 LastWrite LockedDownInternetZoneJavaPermissions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyJavaPermissions_2 LastWrite LockedDownInternetZoneNavigateWindowsAndFrames text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_2 LastWrite LockedDownIntranetJavaPermissions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyJavaPermissions_4 LastWrite LockedDownIntranetZoneAllowAccessToDataSources text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_4 LastWrite LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_4 LastWrite LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_4 LastWrite LockedDownIntranetZoneAllowFontDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyFontDownload_4 LastWrite LockedDownIntranetZoneAllowLessPrivilegedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyZoneElevationURLaction_4 LastWrite LockedDownIntranetZoneAllowNETFrameworkReliantComponents text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_4 LastWrite LockedDownIntranetZoneAllowScriptlets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_Policy_AllowScriptlets_4 LastWrite LockedDownIntranetZoneAllowSmartScreenIE text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_Policy_Phishing_4 LastWrite LockedDownIntranetZoneAllowUserDataPersistence text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyUserdataPersistence_4 LastWrite LockedDownIntranetZoneInitializeAndScriptActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_4 LastWrite LockedDownIntranetZoneNavigateWindowsAndFrames text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_4 LastWrite LockedDownLocalMachineZoneAllowAccessToDataSources text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_10 LastWrite LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_10 LastWrite LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_10 LastWrite LockedDownLocalMachineZoneAllowFontDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyFontDownload_10 LastWrite LockedDownLocalMachineZoneAllowLessPrivilegedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyZoneElevationURLaction_10 LastWrite LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_10 LastWrite LockedDownLocalMachineZoneAllowScriptlets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_Policy_AllowScriptlets_10 LastWrite LockedDownLocalMachineZoneAllowSmartScreenIE text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_Policy_Phishing_10 LastWrite LockedDownLocalMachineZoneAllowUserDataPersistence text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyUserdataPersistence_10 LastWrite LockedDownLocalMachineZoneInitializeAndScriptActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_10 LastWrite LockedDownLocalMachineZoneJavaPermissions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyJavaPermissions_10 LastWrite LockedDownLocalMachineZoneNavigateWindowsAndFrames text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_10 LastWrite LockedDownRestrictedSitesZoneAllowAccessToDataSources text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_8 LastWrite LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_8 LastWrite LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_8 LastWrite LockedDownRestrictedSitesZoneAllowFontDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyFontDownload_8 LastWrite LockedDownRestrictedSitesZoneAllowLessPrivilegedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyZoneElevationURLaction_8 LastWrite LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_8 LastWrite LockedDownRestrictedSitesZoneAllowScriptlets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_Policy_AllowScriptlets_8 LastWrite LockedDownRestrictedSitesZoneAllowSmartScreenIE text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_Policy_Phishing_8 LastWrite LockedDownRestrictedSitesZoneAllowUserDataPersistence text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyUserdataPersistence_8 LastWrite LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_8 LastWrite LockedDownRestrictedSitesZoneJavaPermissions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyJavaPermissions_8 LastWrite LockedDownRestrictedSitesZoneNavigateWindowsAndFrames text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_8 LastWrite LockedDownTrustedSitesZoneAllowAccessToDataSources text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_6 LastWrite LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_6 LastWrite LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_6 LastWrite LockedDownTrustedSitesZoneAllowFontDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyFontDownload_6 LastWrite LockedDownTrustedSitesZoneAllowLessPrivilegedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyZoneElevationURLaction_6 LastWrite LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_6 LastWrite LockedDownTrustedSitesZoneAllowScriptlets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_Policy_AllowScriptlets_6 LastWrite LockedDownTrustedSitesZoneAllowSmartScreenIE text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_Policy_Phishing_6 LastWrite LockedDownTrustedSitesZoneAllowUserDataPersistence text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyUserdataPersistence_6 LastWrite LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_6 LastWrite LockedDownTrustedSitesZoneJavaPermissions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyJavaPermissions_6 LastWrite LockedDownTrustedSitesZoneNavigateWindowsAndFrames text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_6 LastWrite MimeSniffingSafetyFeatureInternetExplorerProcesses text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMimeSniffingSafetyFeature IESF_PolicyExplorerProcesses_6 LastWrite MKProtocolSecurityRestrictionInternetExplorerProcesses text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMKProtocolSecurityRestriction IESF_PolicyExplorerProcesses_3 LastWrite NewTabDefaultPage text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer NewTabAction LastWrite NotificationBarInternetExplorerProcesses text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryInformationBar IESF_PolicyExplorerProcesses_10 LastWrite PreventManagingSmartScreenFilter text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer Disable_Managing_Safety_Filter_IE9 LastWrite PreventPerUserInstallationOfActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer DisablePerUserActiveXInstall LastWrite ProtectionFromZoneElevationInternetExplorerProcesses text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation IESF_PolicyExplorerProcesses_9 LastWrite RemoveRunThisTimeButtonForOutdatedActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisableRunThisTime LastWrite RestrictActiveXInstallInternetExplorerProcesses text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall IESF_PolicyExplorerProcesses_11 LastWrite RestrictedSitesZoneAllowAccessToDataSources text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAccessDataSourcesAcrossDomains_7 LastWrite RestrictedSitesZoneAllowActiveScripting text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyActiveScripting_7 LastWrite RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNotificationBarActiveXURLaction_7 LastWrite RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNotificationBarDownloadURLaction_7 LastWrite RestrictedSitesZoneAllowBinaryAndScriptBehaviors text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyBinaryBehaviors_7 LastWrite RestrictedSitesZoneAllowCopyPasteViaScript text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAllowPasteViaScript_7 LastWrite RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDropOrPasteFiles_7 LastWrite RestrictedSitesZoneAllowFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyFileDownload_7 LastWrite RestrictedSitesZoneAllowFontDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyFontDownload_7 LastWrite RestrictedSitesZoneAllowLessPrivilegedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyZoneElevationURLaction_7 LastWrite RestrictedSitesZoneAllowLoadingOfXAMLFiles text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_XAML_7 LastWrite RestrictedSitesZoneAllowMETAREFRESH text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAllowMETAREFRESH_7 LastWrite RestrictedSitesZoneAllowNETFrameworkReliantComponents text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyUnsignedFrameworkComponentsURLaction_7 LastWrite RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted LastWrite RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAllowTDCControl_Both_Restricted LastWrite RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_WebBrowserControl_7 LastWrite RestrictedSitesZoneAllowScriptInitiatedWindows text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyWindowsRestrictionsURLaction_7 LastWrite RestrictedSitesZoneAllowScriptlets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_AllowScriptlets_7 LastWrite RestrictedSitesZoneAllowSmartScreenIE text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_Phishing_7 LastWrite RestrictedSitesZoneAllowUpdatesToStatusBarViaScript text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_ScriptStatusBar_7 LastWrite RestrictedSitesZoneAllowUserDataPersistence text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyUserdataPersistence_7 LastWrite RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAllowVBScript_7 LastWrite RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 LastWrite RestrictedSitesZoneDownloadSignedActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDownloadSignedActiveX_7 LastWrite RestrictedSitesZoneDownloadUnsignedActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDownloadUnsignedActiveX_7 LastWrite RestrictedSitesZoneEnableCrossSiteScriptingFilter text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyTurnOnXSSFilter_Both_Restricted LastWrite RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted LastWrite RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted LastWrite RestrictedSitesZoneEnableMIMESniffing text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyMimeSniffingURLaction_7 LastWrite RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_LocalPathForUpload_7 LastWrite RestrictedSitesZoneInitializeAndScriptActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyScriptActiveXNotMarkedSafe_7 LastWrite RestrictedSitesZoneJavaPermissions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyJavaPermissions_7 LastWrite RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyLaunchAppsAndFilesInIFRAME_7 LastWrite RestrictedSitesZoneLogonOptions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyLogon_7 LastWrite RestrictedSitesZoneNavigateWindowsAndFrames text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNavigateSubframesAcrossDomains_7 LastWrite RestrictedSitesZoneRunActiveXControlsAndPlugins text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyRunActiveXControls_7 LastWrite RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicySignedFrameworkComponentsURLaction_7 LastWrite RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyScriptActiveXMarkedSafe_7 LastWrite RestrictedSitesZoneScriptingOfJavaApplets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyScriptingOfJavaApplets_7 LastWrite RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_UnsafeFiles_7 LastWrite RestrictedSitesZoneTurnOnProtectedMode text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_TurnOnProtectedMode_7 LastWrite RestrictedSitesZoneUsePopupBlocker text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyBlockPopupWindows_7 LastWrite RestrictFileDownloadInternetExplorerProcesses text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload IESF_PolicyExplorerProcesses_12 LastWrite ScriptedWindowSecurityRestrictionsInternetExplorerProcesses text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions IESF_PolicyExplorerProcesses_8 LastWrite SearchProviderList text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer SpecificSearchProvider LastWrite SpecifyUseOfActiveXInstallerService text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer OnlyUseAXISForActiveXInstall LastWrite TrustedSitesZoneAllowAccessToDataSources text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyAccessDataSourcesAcrossDomains_5 LastWrite TrustedSitesZoneAllowAutomaticPromptingForActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNotificationBarActiveXURLaction_5 LastWrite TrustedSitesZoneAllowAutomaticPromptingForFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNotificationBarDownloadURLaction_5 LastWrite TrustedSitesZoneAllowFontDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyFontDownload_5 LastWrite TrustedSitesZoneAllowLessPrivilegedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyZoneElevationURLaction_5 LastWrite TrustedSitesZoneAllowNETFrameworkReliantComponents text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyUnsignedFrameworkComponentsURLaction_5 LastWrite TrustedSitesZoneAllowScriptlets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_Policy_AllowScriptlets_5 LastWrite TrustedSitesZoneAllowSmartScreenIE text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_Policy_Phishing_5 LastWrite TrustedSitesZoneAllowUserDataPersistence text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyUserdataPersistence_5 LastWrite TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 LastWrite TrustedSitesZoneInitializeAndScriptActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyScriptActiveXNotMarkedSafe_5 LastWrite TrustedSitesZoneJavaPermissions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyJavaPermissions_5 LastWrite TrustedSitesZoneNavigateWindowsAndFrames text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNavigateSubframesAcrossDomains_5 LastWrite KioskBrowser BlockedUrlExceptions List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. text/plain phone LastWrite BlockedUrls List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. text/plain phone LastWrite DefaultURL Configures the default URL kiosk browsers to navigate on launch and restart. text/plain phone LastWrite EnableEndSessionButton 0 Enable/disable kiosk browser's end session button. text/plain phone LastWrite EnableHomeButton 0 Enable/disable kiosk browser's home button. text/plain phone LastWrite EnableNavigationButtons 0 Enable/disable kiosk browser's navigation buttons (forward/back). text/plain phone LastWrite RestartOnIdleTime 0 Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. text/plain phone LastWrite Notifications DisallowNotificationMirroring 0 text/plain WPN.admx WPN~AT~StartMenu~NotificationsCategory NoNotificationMirroring LowestValueMostSecure DisallowTileNotification 0 text/plain WPN.admx WPN~AT~StartMenu~NotificationsCategory NoTileNotification LowestValueMostSecure Printers PointAndPrintRestrictions_User text/plain phone Printing.admx Printing~AT~ControlPanel~CplPrinters PointAndPrint_Restrictions LastWrite Privacy DisablePrivacyExperience 0 Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. text/plain phone OOBE.admx OOBE~AT~WindowsComponents~OOBE DisablePrivacyExperience LowestValueMostSecure Security RecoveryEnvironmentAuthentication 0 This policy controls the requirement of Admin Authentication in RecoveryEnvironment. text/plain phone LastWrite Settings ConfigureTaskbarCalendar 0 text/plain Taskbar.admx Taskbar~AT~StartMenu~TPMCategory ConfigureTaskbarCalendar LastWrite PageVisibilityList text/plain ControlPanel.admx SettingsPageVisibilityBox ControlPanel~AT~ControlPanel SettingsPageVisibility LastWrite Start DisableContextMenus 0 Enabling this policy prevents context menus from being invoked in the Start Menu. text/plain phone StartMenu.admx StartMenu~AT~StartMenu DisableContextMenusInStart LowestValueMostSecure ForceStartSize 0 text/plain phone StartMenu.admx StartMenu~AT~StartMenu ForceStartSize LastWrite HideAppList 0 Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. text/plain phone LastWrite HideFrequentlyUsedApps 0 Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. text/plain phone StartMenu.admx StartMenu~AT~StartMenu NoFrequentUsedPrograms LowestValueMostSecure HidePeopleBar 0 Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. text/plain phone StartMenu.admx StartMenu~AT~StartMenu HidePeopleBar LowestValueMostSecure HideRecentJumplists 0 Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. text/plain phone StartMenu.admx StartMenu~AT~StartMenu NoRecentDocsHistory LowestValueMostSecure HideRecentlyAddedApps 0 Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. text/plain phone StartMenu.admx StartMenu~AT~StartMenu HideRecentlyAddedApps LowestValueMostSecure StartLayout text/plain phone StartMenu.admx StartMenu~AT~StartMenu LockedStartLayout LastWrite System AllowTelemetry 3 text/plain DataCollection.admx AllowTelemetry DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds AllowTelemetry LowestValueMostSecure WindowsPowerShell TurnOnPowerShellScriptBlockLogging text/plain phone PowerShellExecutionPolicy.admx PowerShellExecutionPolicy~AT~WindowsComponents~PowerShell EnableScriptBlockLogging LastWrite Policy ./Device/Vendor/MSFT com.microsoft/9.0/MDM/Policy ConfigOperations Policy CSP ConfigOperations ADMXInstall Win32 App ADMX Ingestion * Win32 App Name * Setting Type of Win32 App. Policy Or Preference * Unique ID of ADMX file Config AboveLock AllowActionCenterNotifications text/plain AllowCortanaAboveLock text/plain AllowToasts text/plain Accounts AllowAddingNonMicrosoftAccountsManually text/plain AllowMicrosoftAccountConnection text/plain AllowMicrosoftAccountSignInAssistant text/plain DomainNamesForEmailSync text/plain ActiveXControls ApprovedInstallationSites text/plain ApplicationDefaults DefaultAssociationsConfiguration text/plain EnableAppUriHandlers Enables web-to-app linking, which allows apps to be launched with a http(s) URI text/plain ApplicationManagement AllowAllTrustedApps text/plain AllowAppStoreAutoUpdate text/plain AllowDeveloperUnlock text/plain AllowGameDVR text/plain AllowSharedUserAppData text/plain AllowStore text/plain ApplicationRestrictions text/plain DisableStoreOriginatedApps text/plain LaunchAppAfterLogOn List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are to be launched after logon. text/plain MSIAllowUserControlOverInstall text/plain MSIAlwaysInstallWithElevatedPrivileges text/plain RequirePrivateStoreOnly text/plain RestrictAppDataToSystemVolume text/plain RestrictAppToSystemVolume text/plain ScheduleForceRestartForUpdateFailures text/plain AppRuntime AllowMicrosoftAccountsToBeOptional text/plain AppVirtualization AllowAppVClient text/plain AllowDynamicVirtualization text/plain AllowPackageCleanup text/plain AllowPackageScripts text/plain AllowPublishingRefreshUX text/plain AllowReportingServer text/plain AllowRoamingFileExclusions text/plain AllowRoamingRegistryExclusions text/plain AllowStreamingAutoload text/plain ClientCoexistenceAllowMigrationmode text/plain IntegrationAllowRootGlobal text/plain IntegrationAllowRootUser text/plain PublishingAllowServer1 text/plain PublishingAllowServer2 text/plain PublishingAllowServer3 text/plain PublishingAllowServer4 text/plain PublishingAllowServer5 text/plain StreamingAllowCertificateFilterForClient_SSL text/plain StreamingAllowHighCostLaunch text/plain StreamingAllowLocationProvider text/plain StreamingAllowPackageInstallationRoot text/plain StreamingAllowPackageSourceRoot text/plain StreamingAllowReestablishmentInterval text/plain StreamingAllowReestablishmentRetries text/plain StreamingSharedContentStoreMode text/plain StreamingSupportBranchCache text/plain StreamingVerifyCertificateRevocationList text/plain VirtualComponentsAllowList text/plain Authentication AllowAadPasswordReset Specifies whether password reset is enabled for AAD accounts. text/plain AllowFastReconnect text/plain AllowSecondaryAuthenticationDevice text/plain ConfigureWebcamAccessDomainNames Specifies a list of domains that are allowed to access the webcam in CXH-based authentication scenarios. text/plain EnableFastFirstSignIn Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts text/plain EnableWebSignIn Specifies whether web-based sign in is allowed for logging in to Windows text/plain PreferredAadTenantDomainName Specifies the preferred domain among available domains in the AAD tenant. text/plain Autoplay DisallowAutoplayForNonVolumeDevices text/plain SetDefaultAutoRunBehavior text/plain TurnOffAutoPlay text/plain Bitlocker EncryptionMethod text/plain BITS BandwidthThrottlingEndTime text/plain BandwidthThrottlingStartTime text/plain BandwidthThrottlingTransferRate text/plain CostedNetworkBehaviorBackgroundPriority text/plain CostedNetworkBehaviorForegroundPriority text/plain JobInactivityTimeout text/plain Bluetooth AllowAdvertising text/plain AllowDiscoverableMode text/plain AllowPrepairing text/plain AllowPromptedProximalConnections text/plain LocalDeviceName text/plain ServicesAllowedList text/plain Browser AllowAddressBarDropdown This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. text/plain AllowAutofill This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. text/plain AllowBrowser text/plain AllowConfigurationUpdateForBooksLibrary This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. text/plain AllowCookies This setting lets you configure how your company deals with cookies. text/plain AllowDeveloperTools This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. text/plain AllowDoNotTrack This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. text/plain AllowExtensions This setting lets you decide whether employees can load extensions in Microsoft Edge. text/plain AllowFlash This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. text/plain AllowFlashClickToRun Configure the Adobe Flash Click-to-Run setting. text/plain AllowFullScreenMode With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. If disabled, full-screen mode is unavailable for use in Microsoft Edge. text/plain AllowInPrivate This setting lets you decide whether employees can browse using InPrivate website browsing. text/plain AllowMicrosoftCompatibilityList This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. text/plain AllowPasswordManager This setting lets you decide whether employees can save their passwords locally, using Password Manager. text/plain AllowPopups This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. text/plain AllowPrelaunch Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. text/plain AllowPrinting With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. If enabled, printing is allowed. If disabled, printing is not allowed. text/plain AllowSavingHistory Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. If enabled or not configured, the browsing history is saved and visible in the History pane. If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. text/plain AllowSearchEngineCustomization Allow search engine customization for MDM enrolled devices. Users can change their default search engine. If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). text/plain AllowSearchSuggestionsinAddressBar This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. text/plain AllowSideloadingOfExtensions This setting lets you decide whether employees can sideload extensions in Microsoft Edge. text/plain AllowSmartScreen This setting lets you decide whether to turn on Windows Defender SmartScreen. text/plain AllowTabPreloading Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. text/plain AllowWebContentOnNewTabPage This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. If you don't configure this setting, employees can choose how new tabs appears. text/plain AlwaysEnableBooksLibrary Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. text/plain ClearBrowsingDataOnExit Specifies whether to always clear browsing history on exiting Microsoft Edge. text/plain ConfigureAdditionalSearchEngines Allows you to add up to 5 additional search engines for MDM-enrolled devices. If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. text/plain ConfigureFavoritesBar The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. text/plain ConfigureHomeButton The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. By default, this policy is disabled or not configured and clicking the home button loads the default Start page. When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. If Enabled AND: - Show home button & set to Start page is selected, clicking the home button loads the Start page. - Show home button & set to New tab page is selected, clicking the home button loads a New tab page. - Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. - Hide home button is selected, the home button is hidden in Microsoft Edge. Default setting: Disabled or not configured Related policies: - Set Home Button URL - Unlock Home Button text/plain ConfigureKioskMode Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). If enabled and set to 0 (Default or not configured): - If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. - If it’s one of many apps, Microsoft Edge runs as normal. If enabled and set to 1: - If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. - If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. text/plain ConfigureKioskResetAfterIdleTimeout You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. If you set this policy to 0, Microsoft Edge does not use an idle timer. If disabled or not configured, the default value is 5 minutes. If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. text/plain ConfigureOpenMicrosoftEdgeWith You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. If enabled, you can choose one of the following options: - Start page: the Start page loads ignoring the Configure Start Pages policy. - New tab page: the New tab page loads ignoring the Configure Start Pages policy. - Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. - A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. Default setting: A specific page or pages (default) Related policies: -Disable Lockdown of Start Pages -Configure Start Pages text/plain ConfigureTelemetryForMicrosoft365Analytics Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. text/plain DisableLockdownOfStartPages You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Start Pages - Configure Open Microsoft Edge With text/plain EnableExtendedBooksTelemetry This setting allows organizations to send extended telemetry on book usage from the Books Library. text/plain EnterpriseModeSiteList This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. text/plain EnterpriseSiteListServiceUrl text/plain FirstRunURL Configure first run URL. text/plain HomePages When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: <support.contoso.com><support.microsoft.com> If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Open Microsoft Edge With - Disable Lockdown of Start Pages text/plain LockdownFavorites This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. Important Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. text/plain PreventAccessToAboutFlagsInMicrosoftEdge Prevent access to the about:flags page in Microsoft Edge. text/plain PreventCertErrorOverrides Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. If enabled, overriding certificate errors are not allowed. If disabled or not configured, overriding certificate errors are allowed. text/plain PreventFirstRunPage Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. text/plain PreventLiveTileDataCollection This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. text/plain PreventSmartScreenPromptOverride Don't allow Windows Defender SmartScreen warning overrides text/plain PreventSmartScreenPromptOverrideForFiles Don't allow Windows Defender SmartScreen warning overrides for unverified files. text/plain PreventTurningOffRequiredExtensions You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and extension. When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. If disabled or not configured, extensions defined as part of this policy get ignored. Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: - Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business) - How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy) - Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows) text/plain PreventUsingLocalHostIPAddressForWebRTC Prevent using localhost IP address for WebRTC text/plain ProvisionFavorites This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. Important Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. text/plain SendIntranetTraffictoInternetExplorer Sends all intranet traffic over to Internet Explorer. text/plain SetDefaultSearchEngine Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. text/plain SetHomeButtonURL The home button can be configured to load a custom URL when your user clicks the home button. If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. Default setting: Blank or not configured Related policy: Configure Home Button text/plain SetNewTabPageURL You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. If enabled, you can set the default New Tab page URL. If disabled or not configured, the default Microsoft Edge new tab page is used. Default setting: Disabled or not configured Related policy: Allow web content on New Tab page text/plain ShowMessageWhenOpeningSitesInInternetExplorer You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. If disabled or not configured, the default app behavior occurs and no additional page displays. Default setting: Disabled or not configured Related policies: -Configure the Enterprise Mode Site List -Send all intranet sites to Internet Explorer 11 text/plain SyncFavoritesBetweenIEAndMicrosoftEdge Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. text/plain UnlockHomeButton By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. Default setting: Disabled or not configured Related policy: -Configure Home Button -Set Home Button URL text/plain UseSharedFolderForBooks This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. text/plain Camera AllowCamera text/plain Cellular LetAppsAccessCellularData This policy setting specifies whether Windows apps can access cellular data. text/plain LetAppsAccessCellularData_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. text/plain LetAppsAccessCellularData_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. text/plain LetAppsAccessCellularData_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. text/plain ShowAppCellularAccessUI text/plain Connectivity AllowBluetooth text/plain AllowCellularData text/plain AllowCellularDataRoaming text/plain AllowConnectedDevices text/plain AllowNFC text/plain AllowPhonePCLinking text/plain AllowUSBConnection text/plain AllowVPNOverCellular text/plain AllowVPNRoamingOverCellular text/plain DiablePrintingOverHTTP text/plain DisableDownloadingOfPrintDriversOverHTTP text/plain DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards text/plain DisallowNetworkConnectivityActiveTests text/plain HardenedUNCPaths text/plain ProhibitInstallationAndConfigurationOfNetworkBridge text/plain ControlPolicyConflict MDMWinsOverGP If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC. Setting the value to 0 (zero) or deleting the policy will remove the GP policy blocks restore the saved GP policies. text/plain CredentialProviders AllowPINLogon text/plain BlockPicturePassword text/plain DisableAutomaticReDeploymentCredentials text/plain CredentialsDelegation RemoteHostAllowsDelegationOfNonExportableCredentials text/plain CredentialsUI DisablePasswordReveal text/plain EnumerateAdministrators text/plain Cryptography AllowFipsAlgorithmPolicy text/plain TLSCipherSuites text/plain DataProtection AllowDirectMemoryAccess text/plain LegacySelectiveWipeID text/plain DataUsage SetCost3G text/plain SetCost4G text/plain Defender AllowArchiveScanning text/plain AllowBehaviorMonitoring text/plain AllowCloudProtection text/plain AllowEmailScanning text/plain AllowFullScanOnMappedNetworkDrives text/plain AllowFullScanRemovableDriveScanning text/plain AllowIntrusionPreventionSystem text/plain AllowIOAVProtection text/plain AllowOnAccessProtection text/plain AllowRealtimeMonitoring text/plain AllowScanningNetworkFiles text/plain AllowScriptScanning text/plain AllowUserUIAccess text/plain AttackSurfaceReductionOnlyExclusions text/plain AttackSurfaceReductionRules text/plain AvgCPULoadFactor text/plain CheckForSignaturesBeforeRunningScan text/plain CloudBlockLevel text/plain CloudExtendedTimeout text/plain ControlledFolderAccessAllowedApplications text/plain ControlledFolderAccessProtectedFolders text/plain DaysToRetainCleanedMalware text/plain DisableCatchupFullScan text/plain DisableCatchupQuickScan text/plain EnableControlledFolderAccess text/plain EnableLowCPUPriority text/plain EnableNetworkProtection text/plain ExcludedExtensions text/plain ExcludedPaths text/plain ExcludedProcesses text/plain PUAProtection text/plain RealTimeScanDirection text/plain ScanParameter text/plain ScheduleQuickScanTime text/plain ScheduleScanDay text/plain ScheduleScanTime text/plain SecurityIntelligenceLocation text/plain SignatureUpdateFallbackOrder text/plain SignatureUpdateFileSharesSources text/plain SignatureUpdateInterval text/plain SubmitSamplesConsent text/plain ThreatSeverityDefaultAction text/plain DeliveryOptimization DOAbsoluteMaxCacheSize text/plain DOAllowVPNPeerCaching text/plain DOCacheHost text/plain DODelayBackgroundDownloadFromHttp text/plain DODelayCacheServerFallbackBackground text/plain DODelayCacheServerFallbackForeground text/plain DODelayForegroundDownloadFromHttp text/plain DODownloadMode text/plain DOGroupId text/plain DOGroupIdSource text/plain DOMaxCacheAge text/plain DOMaxCacheSize text/plain DOMaxDownloadBandwidth text/plain DOMaxUploadBandwidth text/plain DOMinBackgroundQos text/plain DOMinBatteryPercentageAllowedToUpload text/plain DOMinDiskSizeAllowedToPeer text/plain DOMinFileSizeToCache text/plain DOMinRAMAllowedToPeer text/plain DOModifyCacheDrive text/plain DOMonthlyUploadDataCap text/plain DOPercentageMaxBackgroundBandwidth text/plain DOPercentageMaxDownloadBandwidth text/plain DOPercentageMaxForegroundBandwidth text/plain DORestrictPeerSelectionBy text/plain DOSetHoursToLimitBackgroundDownloadBandwidth text/plain DOSetHoursToLimitForegroundDownloadBandwidth text/plain DeviceGuard ConfigureSystemGuardLaunch Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch. text/plain EnableVirtualizationBasedSecurity Turns On Virtualization Based Security(VBS) text/plain LsaCfgFlags Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock. text/plain RequirePlatformSecurityFeatures Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support. text/plain DeviceHealthMonitoring AllowDeviceHealthMonitoring Enable/disable 4Nines device health monitoring on devices. text/plain ConfigDeviceHealthMonitoringScope If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which types of events are monitored. text/plain ConfigDeviceHealthMonitoringUploadDestination If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which destinations are in-scope for monitored events to be uploaded. text/plain DeviceInstallation AllowInstallationOfMatchingDeviceIDs text/plain AllowInstallationOfMatchingDeviceSetupClasses text/plain PreventDeviceMetadataFromNetwork text/plain PreventInstallationOfDevicesNotDescribedByOtherPolicySettings text/plain PreventInstallationOfMatchingDeviceIDs text/plain PreventInstallationOfMatchingDeviceSetupClasses text/plain DeviceLock AllowIdleReturnWithoutPassword Specifies whether the user must input a PIN or password when the device resumes from an idle state. text/plain AllowScreenTimeoutWhileLockedUserConfig Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. text/plain AllowSimpleDevicePassword Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords. text/plain AlphanumericDevicePasswordRequired Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0 text/plain DevicePasswordEnabled Specifies whether device lock is enabled. text/plain DevicePasswordExpiration Specifies when the password expires (in days). text/plain DevicePasswordHistory Specifies how many passwords can be stored in the history that can’t be used. text/plain EnforceLockScreenAndLogonImage text/plain EnforceLockScreenProvider text/plain MaxDevicePasswordFailedAttempts text/plain MaxInactivityTimeDeviceLock The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. text/plain MaxInactivityTimeDeviceLockWithExternalDisplay Sets the maximum timeout value for the external display. text/plain MinDevicePasswordComplexCharacters The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. text/plain MinDevicePasswordLength Specifies the minimum number or characters required in the PIN or password. text/plain MinimumPasswordAge This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default. text/plain PreventEnablingLockScreenCamera text/plain PreventLockScreenSlideShow text/plain ScreenTimeoutWhileLocked Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. text/plain Display DisablePerProcessDpiForApps This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. text/plain EnablePerProcessDpi Enable or disable Per-Process System DPI for all applications. text/plain EnablePerProcessDpiForApps This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. text/plain TurnOffGdiDPIScalingForApps This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. text/plain TurnOnGdiDPIScalingForApps This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. text/plain DmaGuard DeviceEnumerationPolicy text/plain ErrorReporting CustomizeConsentSettings text/plain DisableWindowsErrorReporting text/plain DisplayErrorNotification text/plain DoNotSendAdditionalData text/plain PreventCriticalErrorDisplay text/plain EventLogService ControlEventLogBehavior text/plain SpecifyMaximumFileSizeApplicationLog text/plain SpecifyMaximumFileSizeSecurityLog text/plain SpecifyMaximumFileSizeSystemLog text/plain Experience AllowClipboardHistory Allows history of clipboard items to be stored in memory. text/plain AllowCopyPaste text/plain AllowCortana text/plain AllowDeviceDiscovery text/plain AllowFindMyDevice text/plain AllowManualMDMUnenrollment text/plain AllowSaveAsOfOfficeFiles text/plain AllowScreenCapture text/plain AllowSharingOfOfficeFiles text/plain AllowSIMErrorDialogPromptWhenNoSIM text/plain AllowSyncMySettings text/plain AllowTaskSwitcher text/plain AllowVoiceRecording text/plain AllowWindowsConsumerFeatures text/plain AllowWindowsTips text/plain DoNotShowFeedbackNotifications text/plain DoNotSyncBrowserSettings You can configure Microsoft Edge, when enabled, to prevent the "browser" group from using the Sync your Settings option to sync information, such as history and favorites, between user's devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. Related policy: PreventUsersFromTurningOnBrowserSyncing 0 (default) = allow syncing, 2 = disable syncing text/plain PreventUsersFromTurningOnBrowserSyncing You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. Related policy: DoNotSyncBrowserSettings 1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing text/plain ShowLockOnUserTile Shows or hides lock from the user tile menu. If you enable this policy setting, the lock option will be shown in the User Tile menu. If you disable this policy setting, the lock option will never be shown in the User Tile menu. If you do not configure this policy setting, users will be able to choose whether they want lock to show through the Power Options Control Panel. text/plain ExploitGuard ExploitProtectionSettings text/plain FileExplorer TurnOffDataExecutionPreventionForExplorer text/plain TurnOffHeapTerminationOnCorruption text/plain Games AllowAdvancedGamingServices Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. text/plain Handwriting PanelDefaultModeDocked Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen text/plain InternetExplorer AddSearchProvider text/plain AllowActiveXFiltering text/plain AllowAddOnList text/plain AllowCertificateAddressMismatchWarning text/plain AllowDeletingBrowsingHistoryOnExit text/plain AllowEnhancedProtectedMode text/plain AllowEnhancedSuggestionsInAddressBar text/plain AllowEnterpriseModeFromToolsMenu text/plain AllowEnterpriseModeSiteList text/plain AllowFallbackToSSL3 text/plain AllowInternetExplorer7PolicyList text/plain AllowInternetExplorerStandardsMode text/plain AllowInternetZoneTemplate text/plain AllowIntranetZoneTemplate text/plain AllowLocalMachineZoneTemplate text/plain AllowLockedDownInternetZoneTemplate text/plain AllowLockedDownIntranetZoneTemplate text/plain AllowLockedDownLocalMachineZoneTemplate text/plain AllowLockedDownRestrictedSitesZoneTemplate text/plain AllowOneWordEntry text/plain AllowSiteToZoneAssignmentList text/plain AllowsLockedDownTrustedSitesZoneTemplate text/plain AllowSoftwareWhenSignatureIsInvalid text/plain AllowsRestrictedSitesZoneTemplate text/plain AllowSuggestedSites text/plain AllowTrustedSitesZoneTemplate text/plain CheckServerCertificateRevocation text/plain CheckSignaturesOnDownloadedPrograms text/plain ConsistentMimeHandlingInternetExplorerProcesses text/plain DisableActiveXVersionListAutoDownload text/plain DisableAdobeFlash text/plain DisableBypassOfSmartScreenWarnings text/plain DisableBypassOfSmartScreenWarningsAboutUncommonFiles text/plain DisableCompatView text/plain DisableConfiguringHistory text/plain DisableCrashDetection text/plain DisableCustomerExperienceImprovementProgramParticipation text/plain DisableDeletingUserVisitedWebsites text/plain DisableEnclosureDownloading text/plain DisableEncryptionSupport text/plain DisableFeedsBackgroundSync text/plain DisableFirstRunWizard text/plain DisableFlipAheadFeature text/plain DisableGeolocation text/plain DisableIgnoringCertificateErrors text/plain DisableInPrivateBrowsing text/plain DisableProcessesInEnhancedProtectedMode text/plain DisableProxyChange text/plain DisableSearchProviderChange text/plain DisableSecondaryHomePageChange text/plain DisableSecuritySettingsCheck text/plain DisableUpdateCheck text/plain DisableWebAddressAutoComplete text/plain DoNotAllowActiveXControlsInProtectedMode text/plain DoNotAllowUsersToAddSites text/plain DoNotAllowUsersToChangePolicies text/plain DoNotBlockOutdatedActiveXControls text/plain DoNotBlockOutdatedActiveXControlsOnSpecificDomains text/plain IncludeAllLocalSites text/plain IncludeAllNetworkPaths text/plain InternetZoneAllowAccessToDataSources text/plain InternetZoneAllowAutomaticPromptingForActiveXControls text/plain InternetZoneAllowAutomaticPromptingForFileDownloads text/plain InternetZoneAllowCopyPasteViaScript text/plain InternetZoneAllowDragAndDropCopyAndPasteFiles text/plain InternetZoneAllowFontDownloads text/plain InternetZoneAllowLessPrivilegedSites text/plain InternetZoneAllowLoadingOfXAMLFiles text/plain InternetZoneAllowNETFrameworkReliantComponents text/plain InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls text/plain InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl text/plain InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls text/plain InternetZoneAllowScriptInitiatedWindows text/plain InternetZoneAllowScriptlets text/plain InternetZoneAllowSmartScreenIE text/plain InternetZoneAllowUpdatesToStatusBarViaScript text/plain InternetZoneAllowUserDataPersistence text/plain InternetZoneAllowVBScriptToRunInInternetExplorer text/plain InternetZoneDoNotRunAntimalwareAgainstActiveXControls text/plain InternetZoneDownloadSignedActiveXControls text/plain InternetZoneDownloadUnsignedActiveXControls text/plain InternetZoneEnableCrossSiteScriptingFilter text/plain InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows text/plain InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows text/plain InternetZoneEnableMIMESniffing text/plain InternetZoneEnableProtectedMode text/plain InternetZoneIncludeLocalPathWhenUploadingFilesToServer text/plain InternetZoneInitializeAndScriptActiveXControls text/plain InternetZoneJavaPermissions text/plain InternetZoneLaunchingApplicationsAndFilesInIFRAME text/plain InternetZoneLogonOptions text/plain InternetZoneNavigateWindowsAndFrames text/plain InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode text/plain InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles text/plain InternetZoneUsePopupBlocker text/plain IntranetZoneAllowAccessToDataSources text/plain IntranetZoneAllowAutomaticPromptingForActiveXControls text/plain IntranetZoneAllowAutomaticPromptingForFileDownloads text/plain IntranetZoneAllowFontDownloads text/plain IntranetZoneAllowLessPrivilegedSites text/plain IntranetZoneAllowNETFrameworkReliantComponents text/plain IntranetZoneAllowScriptlets text/plain IntranetZoneAllowSmartScreenIE text/plain IntranetZoneAllowUserDataPersistence text/plain IntranetZoneDoNotRunAntimalwareAgainstActiveXControls text/plain IntranetZoneInitializeAndScriptActiveXControls text/plain IntranetZoneJavaPermissions text/plain IntranetZoneNavigateWindowsAndFrames text/plain LocalMachineZoneAllowAccessToDataSources text/plain LocalMachineZoneAllowAutomaticPromptingForActiveXControls text/plain LocalMachineZoneAllowAutomaticPromptingForFileDownloads text/plain LocalMachineZoneAllowFontDownloads text/plain LocalMachineZoneAllowLessPrivilegedSites text/plain LocalMachineZoneAllowNETFrameworkReliantComponents text/plain LocalMachineZoneAllowScriptlets text/plain LocalMachineZoneAllowSmartScreenIE text/plain LocalMachineZoneAllowUserDataPersistence text/plain LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls text/plain LocalMachineZoneInitializeAndScriptActiveXControls text/plain LocalMachineZoneJavaPermissions text/plain LocalMachineZoneNavigateWindowsAndFrames text/plain LockedDownInternetZoneAllowAccessToDataSources text/plain LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls text/plain LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads text/plain LockedDownInternetZoneAllowFontDownloads text/plain LockedDownInternetZoneAllowLessPrivilegedSites text/plain LockedDownInternetZoneAllowNETFrameworkReliantComponents text/plain LockedDownInternetZoneAllowScriptlets text/plain LockedDownInternetZoneAllowSmartScreenIE text/plain LockedDownInternetZoneAllowUserDataPersistence text/plain LockedDownInternetZoneInitializeAndScriptActiveXControls text/plain LockedDownInternetZoneJavaPermissions text/plain LockedDownInternetZoneNavigateWindowsAndFrames text/plain LockedDownIntranetJavaPermissions text/plain LockedDownIntranetZoneAllowAccessToDataSources text/plain LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls text/plain LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads text/plain LockedDownIntranetZoneAllowFontDownloads text/plain LockedDownIntranetZoneAllowLessPrivilegedSites text/plain LockedDownIntranetZoneAllowNETFrameworkReliantComponents text/plain LockedDownIntranetZoneAllowScriptlets text/plain LockedDownIntranetZoneAllowSmartScreenIE text/plain LockedDownIntranetZoneAllowUserDataPersistence text/plain LockedDownIntranetZoneInitializeAndScriptActiveXControls text/plain LockedDownIntranetZoneNavigateWindowsAndFrames text/plain LockedDownLocalMachineZoneAllowAccessToDataSources text/plain LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls text/plain LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads text/plain LockedDownLocalMachineZoneAllowFontDownloads text/plain LockedDownLocalMachineZoneAllowLessPrivilegedSites text/plain LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents text/plain LockedDownLocalMachineZoneAllowScriptlets text/plain LockedDownLocalMachineZoneAllowSmartScreenIE text/plain LockedDownLocalMachineZoneAllowUserDataPersistence text/plain LockedDownLocalMachineZoneInitializeAndScriptActiveXControls text/plain LockedDownLocalMachineZoneJavaPermissions text/plain LockedDownLocalMachineZoneNavigateWindowsAndFrames text/plain LockedDownRestrictedSitesZoneAllowAccessToDataSources text/plain LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls text/plain LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads text/plain LockedDownRestrictedSitesZoneAllowFontDownloads text/plain LockedDownRestrictedSitesZoneAllowLessPrivilegedSites text/plain LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents text/plain LockedDownRestrictedSitesZoneAllowScriptlets text/plain LockedDownRestrictedSitesZoneAllowSmartScreenIE text/plain LockedDownRestrictedSitesZoneAllowUserDataPersistence text/plain LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls text/plain LockedDownRestrictedSitesZoneJavaPermissions text/plain LockedDownRestrictedSitesZoneNavigateWindowsAndFrames text/plain LockedDownTrustedSitesZoneAllowAccessToDataSources text/plain LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls text/plain LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads text/plain LockedDownTrustedSitesZoneAllowFontDownloads text/plain LockedDownTrustedSitesZoneAllowLessPrivilegedSites text/plain LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents text/plain LockedDownTrustedSitesZoneAllowScriptlets text/plain LockedDownTrustedSitesZoneAllowSmartScreenIE text/plain LockedDownTrustedSitesZoneAllowUserDataPersistence text/plain LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls text/plain LockedDownTrustedSitesZoneJavaPermissions text/plain LockedDownTrustedSitesZoneNavigateWindowsAndFrames text/plain MimeSniffingSafetyFeatureInternetExplorerProcesses text/plain MKProtocolSecurityRestrictionInternetExplorerProcesses text/plain NewTabDefaultPage text/plain NotificationBarInternetExplorerProcesses text/plain PreventManagingSmartScreenFilter text/plain PreventPerUserInstallationOfActiveXControls text/plain ProtectionFromZoneElevationInternetExplorerProcesses text/plain RemoveRunThisTimeButtonForOutdatedActiveXControls text/plain RestrictActiveXInstallInternetExplorerProcesses text/plain RestrictedSitesZoneAllowAccessToDataSources text/plain RestrictedSitesZoneAllowActiveScripting text/plain RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls text/plain RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads text/plain RestrictedSitesZoneAllowBinaryAndScriptBehaviors text/plain RestrictedSitesZoneAllowCopyPasteViaScript text/plain RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles text/plain RestrictedSitesZoneAllowFileDownloads text/plain RestrictedSitesZoneAllowFontDownloads text/plain RestrictedSitesZoneAllowLessPrivilegedSites text/plain RestrictedSitesZoneAllowLoadingOfXAMLFiles text/plain RestrictedSitesZoneAllowMETAREFRESH text/plain RestrictedSitesZoneAllowNETFrameworkReliantComponents text/plain RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls text/plain RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl text/plain RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls text/plain RestrictedSitesZoneAllowScriptInitiatedWindows text/plain RestrictedSitesZoneAllowScriptlets text/plain RestrictedSitesZoneAllowSmartScreenIE text/plain RestrictedSitesZoneAllowUpdatesToStatusBarViaScript text/plain RestrictedSitesZoneAllowUserDataPersistence text/plain RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer text/plain RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls text/plain RestrictedSitesZoneDownloadSignedActiveXControls text/plain RestrictedSitesZoneDownloadUnsignedActiveXControls text/plain RestrictedSitesZoneEnableCrossSiteScriptingFilter text/plain RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows text/plain RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows text/plain RestrictedSitesZoneEnableMIMESniffing text/plain RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer text/plain RestrictedSitesZoneInitializeAndScriptActiveXControls text/plain RestrictedSitesZoneJavaPermissions text/plain RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME text/plain RestrictedSitesZoneLogonOptions text/plain RestrictedSitesZoneNavigateWindowsAndFrames text/plain RestrictedSitesZoneRunActiveXControlsAndPlugins text/plain RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode text/plain RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting text/plain RestrictedSitesZoneScriptingOfJavaApplets text/plain RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles text/plain RestrictedSitesZoneTurnOnProtectedMode text/plain RestrictedSitesZoneUsePopupBlocker text/plain RestrictFileDownloadInternetExplorerProcesses text/plain ScriptedWindowSecurityRestrictionsInternetExplorerProcesses text/plain SearchProviderList text/plain SecurityZonesUseOnlyMachineSettings text/plain SpecifyUseOfActiveXInstallerService text/plain TrustedSitesZoneAllowAccessToDataSources text/plain TrustedSitesZoneAllowAutomaticPromptingForActiveXControls text/plain TrustedSitesZoneAllowAutomaticPromptingForFileDownloads text/plain TrustedSitesZoneAllowFontDownloads text/plain TrustedSitesZoneAllowLessPrivilegedSites text/plain TrustedSitesZoneAllowNETFrameworkReliantComponents text/plain TrustedSitesZoneAllowScriptlets text/plain TrustedSitesZoneAllowSmartScreenIE text/plain TrustedSitesZoneAllowUserDataPersistence text/plain TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls text/plain TrustedSitesZoneInitializeAndScriptActiveXControls text/plain TrustedSitesZoneJavaPermissions text/plain TrustedSitesZoneNavigateWindowsAndFrames text/plain Kerberos AllowForestSearchOrder text/plain KerberosClientSupportsClaimsCompoundArmor text/plain RequireKerberosArmoring text/plain RequireStrictKDCValidation text/plain SetMaximumContextTokenSize text/plain UPNNameHints Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. text/plain KioskBrowser BlockedUrlExceptions List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. text/plain BlockedUrls List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. text/plain DefaultURL Configures the default URL kiosk browsers to navigate on launch and restart. text/plain EnableEndSessionButton Enable/disable kiosk browser's end session button. text/plain EnableHomeButton Enable/disable kiosk browser's home button. text/plain EnableNavigationButtons Enable/disable kiosk browser's navigation buttons (forward/back). text/plain RestartOnIdleTime Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. text/plain LanmanWorkstation EnableInsecureGuestLogons text/plain Licensing AllowWindowsEntitlementReactivation text/plain DisallowKMSClientOnlineAVSValidation text/plain LocalPoliciesSecurityOptions Accounts_BlockMicrosoftAccounts This policy setting prevents users from adding new Microsoft accounts on this computer. If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. text/plain Accounts_EnableAdministratorAccountStatus This security setting determines whether the local Administrator account is enabled or disabled. Notes If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. Disabling the Administrator account can become a maintenance issue under certain circumstances. Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. Default: Disabled. text/plain Accounts_EnableGuestAccountStatus This security setting determines if the Guest account is enabled or disabled. Default: Disabled. Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. text/plain Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly Accounts: Limit local account use of blank passwords to console logon only This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. Default: Enabled. Warning: Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. Notes This setting does not affect logons that use domain accounts. It is possible for applications that use remote interactive logons to bypass this setting. text/plain Accounts_RenameAdministratorAccount Accounts: Rename administrator account This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. Default: Administrator. text/plain Accounts_RenameGuestAccount Accounts: Rename guest account This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. Default: Guest. text/plain Devices_AllowedToFormatAndEjectRemovableMedia Devices: Allowed to format and eject removable media This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators Administrators and Interactive Users Default: This policy is not defined and only Administrators have this ability. text/plain Devices_AllowUndockWithoutHavingToLogon Devices: Allow undock without having to log on This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. Default: Enabled. Caution Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. text/plain Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters Devices: Prevent users from installing printer drivers when connecting to shared printers For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. Default on servers: Enabled. Default on workstations: Disabled Notes This setting does not affect the ability to add a local printer. This setting does not affect Administrators. text/plain Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly Devices: Restrict CD-ROM access to locally logged-on user only This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user. text/plain InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked Interactive Logon:Display user information when the session is locked User display name, domain and user names (1) User display name only (2) Do not display user information (3) Domain and user names only (4) text/plain InteractiveLogon_DoNotDisplayLastSignedIn Interactive logon: Don't display last signed-in This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. If this policy is enabled, the username will not be shown. If this policy is disabled, the username will be shown. Default: Disabled. text/plain InteractiveLogon_DoNotDisplayUsernameAtSignIn Interactive logon: Don't display username at sign-in This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. If this policy is enabled, the username will not be shown. If this policy is disabled, the username will be shown. Default: Disabled. text/plain InteractiveLogon_DoNotRequireCTRLALTDEL Interactive logon: Do not require CTRL+ALT+DEL This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. Default on stand-alone computers: Enabled. text/plain InteractiveLogon_MachineInactivityLimit Interactive logon: Machine inactivity limit. Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Default: not enforced. text/plain InteractiveLogon_MessageTextForUsersAttemptingToLogOn Interactive logon: Message text for users attempting to log on This security setting specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. Default: No message. text/plain InteractiveLogon_MessageTitleForUsersAttemptingToLogOn Interactive logon: Message title for users attempting to log on This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. Default: No message. text/plain InteractiveLogon_SmartCardRemovalBehavior Interactive logon: Smart card removal behavior This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are: No Action Lock Workstation Force Logoff Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default: This policy is not defined, which means that the system treats it as No action. On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started. text/plain MicrosoftNetworkClient_DigitallySignCommunicationsAlways Microsoft network client: Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. Default: Disabled. Important For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. text/plain MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees Microsoft network client: Digitally sign communications (if server agrees) This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default: Enabled. Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. text/plain MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers Microsoft network client: Send unencrypted password to connect to third-party SMB servers If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk. Default: Disabled. text/plain MicrosoftNetworkServer_DigitallySignCommunicationsAlways Microsoft network server: Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. Default: Disabled for member servers. Enabled for domain controllers. Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. Important For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: Microsoft network server: Digitally sign communications (if server agrees) For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. text/plain MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees Microsoft network server: Digitally sign communications (if client agrees) This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default: Enabled on domain controllers only. Important For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. text/plain NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts Network access: Do not allow anonymous enumeration of SAM accounts This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows: Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. Disabled: No additional restrictions. Rely on default permissions. Default on workstations: Enabled. Default on server:Enabled. Important This policy has no impact on domain controllers. text/plain NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares Network access: Do not allow anonymous enumeration of SAM accounts and shares This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. Default: Disabled. text/plain NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares Network access: Restrict anonymous access to Named Pipes and Shares When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: Network access: Named pipes that can be accessed anonymously Network access: Shares that can be accessed anonymously Default: Enabled. text/plain NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM Network access: Restrict clients allowed to make remote calls to SAM This policy setting allows you to restrict remote rpc connections to SAM. If not selected, the default security descriptor will be used. This policy is supported on at least Windows Server 2016. text/plain NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM Network security: Allow Local System to use computer identity for NTLM This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. By default, this policy is enabled on Windows 7 and above. By default, this policy is disabled on Windows Vista. This policy is supported on at least Windows Vista or Windows Server 2008. Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. text/plain NetworkSecurity_AllowPKU2UAuthenticationRequests Network security: Allow PKU2U authentication requests to this computer to use online identities. This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. text/plain NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange Network security: Do not store LAN Manager hash value on next password change This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. Default on Windows Vista and above: Enabled Default on Windows XP: Disabled. Important Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. text/plain NetworkSecurity_LANManagerAuthenticationLevel Network security LAN Manager authentication level This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). Important This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. Default: Windows 2000 and windows XP: send LM and NTLM responses Windows Server 2003: Send NTLM response only Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only text/plain NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients Network security: Minimum session security for NTLM SSP based (including secure RPC) clients This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated. Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. Default: Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. Windows 7 and Windows Server 2008 R2: Require 128-bit encryption text/plain NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers Network security: Minimum session security for NTLM SSP based (including secure RPC) servers This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: Require NTLMv2 session security: The connection will fail if message integrity is not negotiated. Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated. Default: Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. Windows 7 and Windows Server 2008 R2: Require 128-bit encryption text/plain NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. If you do not configure this policy setting, no exceptions will be applied. The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character. text/plain NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic Network security: Restrict NTLM: Audit Incoming NTLM Traffic This policy setting allows you to audit incoming NTLM traffic. If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. text/plain NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic Network security: Restrict NTLM: Incoming NTLM traffic This policy setting allows you to deny or allow incoming NTLM traffic. If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. text/plain NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. text/plain Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn Shutdown: Allow system to be shut down without having to log on This security setting determines whether a computer can be shut down without having to log on to Windows. When this policy is enabled, the Shut Down command is available on the Windows logon screen. When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. Default on workstations: Enabled. Default on servers: Disabled. text/plain Shutdown_ClearVirtualMemoryPageFile Shutdown: Clear virtual memory pagefile This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile. When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. Default: Disabled. text/plain UserAccountControl_AllowUIAccessApplicationsToPromptForElevation User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. • Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. • Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. text/plain UserAccountControl_BehaviorOfTheElevationPromptForAdministrators User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode This policy setting controls the behavior of the elevation prompt for administrators. The options are: • Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. • Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. • Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. • Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. text/plain UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers User Account Control: Behavior of the elevation prompt for standard users This policy setting controls the behavior of the elevation prompt for standard users. The options are: • Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. • Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. • Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. text/plain UserAccountControl_DetectApplicationInstallationsAndPromptForElevation User Account Control: Detect application installations and prompt for elevation This policy setting controls the behavior of application installation detection for the computer. The options are: Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. text/plain UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated User Account Control: Only elevate executable files that are signed and validated This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. The options are: • Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. • Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. text/plain UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations User Account Control: Only elevate UIAccess applications that are installed in secure locations This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\Program Files\, including subfolders - …\Windows\system32\ - …\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: • Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. • Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. text/plain UserAccountControl_RunAllAdministratorsInAdminApprovalMode User Account Control: Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: • Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. • Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. text/plain UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation User Account Control: Switch to the secure desktop when prompting for elevation This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: • Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. • Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. text/plain UserAccountControl_UseAdminApprovalMode User Account Control: Use Admin Approval Mode for the built-in Administrator account This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: • Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. • Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. text/plain UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations User Account Control: Virtualize file and registry write failures to per-user locations This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. The options are: • Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. • Disabled: Applications that write data to protected locations fail. text/plain LockDown AllowEdgeSwipe text/plain Maps AllowOfflineMapsDownloadOverMeteredConnection text/plain EnableOfflineMapsAutoUpdate text/plain Messaging AllowMessageSync This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. text/plain AllowMMS This policy setting allows you to enable or disable the sending and receiving cellular MMS messages. text/plain AllowRCS This policy setting allows you to enable or disable the sending and receiving of cellular RCS (Rich Communication Services) messages. text/plain MSSecurityGuide ApplyUACRestrictionsToLocalAccountsOnNetworkLogon text/plain ConfigureSMBV1ClientDriver text/plain ConfigureSMBV1Server text/plain EnableStructuredExceptionHandlingOverwriteProtection text/plain TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications text/plain WDigestAuthentication text/plain MSSLegacy AllowICMPRedirectsToOverrideOSPFGeneratedRoutes text/plain AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers text/plain IPSourceRoutingProtectionLevel text/plain IPv6SourceRoutingProtectionLevel text/plain NetworkIsolation EnterpriseCloudResources text/plain EnterpriseInternalProxyServers text/plain EnterpriseIPRange text/plain EnterpriseIPRangesAreAuthoritative text/plain EnterpriseNetworkDomainNames text/plain EnterpriseProxyServers text/plain EnterpriseProxyServersAreAuthoritative text/plain NeutralResources text/plain Notifications DisallowCloudNotification text/plain Power AllowStandbyStatesWhenSleepingOnBattery text/plain AllowStandbyWhenSleepingPluggedIn text/plain DisplayOffTimeoutOnBattery text/plain DisplayOffTimeoutPluggedIn text/plain EnergySaverBatteryThresholdOnBattery This policy setting allows you to specify battery charge level at which Energy Saver is turned on. If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. If you disable or do not configure this policy setting, users control this setting. text/plain EnergySaverBatteryThresholdPluggedIn This policy setting allows you to specify battery charge level at which Energy Saver is turned on. If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. If you disable or do not configure this policy setting, users control this setting. text/plain HibernateTimeoutOnBattery text/plain HibernateTimeoutPluggedIn text/plain RequirePasswordWhenComputerWakesOnBattery text/plain RequirePasswordWhenComputerWakesPluggedIn text/plain SelectLidCloseActionOnBattery This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. text/plain SelectLidCloseActionPluggedIn This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. text/plain SelectPowerButtonActionOnBattery This policy setting specifies the action that Windows takes when a user presses the power button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. text/plain SelectPowerButtonActionPluggedIn This policy setting specifies the action that Windows takes when a user presses the power button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. text/plain SelectSleepButtonActionOnBattery This policy setting specifies the action that Windows takes when a user presses the sleep button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. text/plain SelectSleepButtonActionPluggedIn This policy setting specifies the action that Windows takes when a user presses the sleep button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. text/plain StandbyTimeoutOnBattery text/plain StandbyTimeoutPluggedIn text/plain TurnOffHybridSleepOnBattery This policy setting allows you to turn off hybrid sleep. If you set this to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). If you do not configure this policy setting, users control this setting. text/plain TurnOffHybridSleepPluggedIn This policy setting allows you to turn off hybrid sleep. If you set this to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). If you do not configure this policy setting, users control this setting. text/plain UnattendedSleepTimeoutOnBattery This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. If you disable or do not configure this policy setting, users control this setting. If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. text/plain UnattendedSleepTimeoutPluggedIn This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. If you disable or do not configure this policy setting, users control this setting. If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. text/plain Printers PointAndPrintRestrictions text/plain PublishPrinters text/plain Privacy AllowAutoAcceptPairingAndPrivacyConsentPrompts text/plain AllowCrossDeviceClipboard Allows syncing of Clipboard across devices under the same Microsoft account. text/plain AllowInputPersonalization text/plain DisableAdvertisingId text/plain DisablePrivacyExperience Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. text/plain EnableActivityFeed Enables ActivityFeed, which is responsible for mirroring different activity types (as applicable) across device graph of the user. text/plain LetAppsAccessAccountInfo This policy setting specifies whether Windows apps can access account information. text/plain LetAppsAccessAccountInfo_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. text/plain LetAppsAccessAccountInfo_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. text/plain LetAppsAccessAccountInfo_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. text/plain LetAppsAccessCalendar This policy setting specifies whether Windows apps can access the calendar. text/plain LetAppsAccessCalendar_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. text/plain LetAppsAccessCalendar_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. text/plain LetAppsAccessCalendar_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. text/plain LetAppsAccessCallHistory This policy setting specifies whether Windows apps can access call history. text/plain LetAppsAccessCallHistory_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. text/plain LetAppsAccessCallHistory_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. text/plain LetAppsAccessCallHistory_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. text/plain LetAppsAccessCamera This policy setting specifies whether Windows apps can access the camera. text/plain LetAppsAccessCamera_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. text/plain LetAppsAccessCamera_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. text/plain LetAppsAccessCamera_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. text/plain LetAppsAccessContacts This policy setting specifies whether Windows apps can access contacts. text/plain LetAppsAccessContacts_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. text/plain LetAppsAccessContacts_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. text/plain LetAppsAccessContacts_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. text/plain LetAppsAccessEmail This policy setting specifies whether Windows apps can access email. text/plain LetAppsAccessEmail_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. text/plain LetAppsAccessEmail_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. text/plain LetAppsAccessEmail_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. text/plain LetAppsAccessGazeInput This policy setting specifies whether Windows apps can access the eye tracker. text/plain LetAppsAccessGazeInput_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. text/plain LetAppsAccessGazeInput_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. text/plain LetAppsAccessGazeInput_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. text/plain LetAppsAccessLocation This policy setting specifies whether Windows apps can access location. text/plain LetAppsAccessLocation_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. text/plain LetAppsAccessLocation_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. text/plain LetAppsAccessLocation_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. text/plain LetAppsAccessMessaging This policy setting specifies whether Windows apps can read or send messages (text or MMS). text/plain LetAppsAccessMessaging_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. text/plain LetAppsAccessMessaging_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. text/plain LetAppsAccessMessaging_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. text/plain LetAppsAccessMicrophone This policy setting specifies whether Windows apps can access the microphone. text/plain LetAppsAccessMicrophone_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. text/plain LetAppsAccessMicrophone_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. text/plain LetAppsAccessMicrophone_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. text/plain LetAppsAccessMotion This policy setting specifies whether Windows apps can access motion data. text/plain LetAppsAccessMotion_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. text/plain LetAppsAccessMotion_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. text/plain LetAppsAccessMotion_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. text/plain LetAppsAccessNotifications This policy setting specifies whether Windows apps can access notifications. text/plain LetAppsAccessNotifications_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. text/plain LetAppsAccessNotifications_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. text/plain LetAppsAccessNotifications_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. text/plain LetAppsAccessPhone This policy setting specifies whether Windows apps can make phone calls text/plain LetAppsAccessPhone_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. text/plain LetAppsAccessPhone_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. text/plain LetAppsAccessPhone_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. text/plain LetAppsAccessRadios This policy setting specifies whether Windows apps have access to control radios. text/plain LetAppsAccessRadios_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. text/plain LetAppsAccessRadios_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. text/plain LetAppsAccessRadios_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. text/plain LetAppsAccessTasks This policy setting specifies whether Windows apps can access tasks. text/plain LetAppsAccessTasks_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. text/plain LetAppsAccessTasks_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. text/plain LetAppsAccessTasks_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. text/plain LetAppsAccessTrustedDevices This policy setting specifies whether Windows apps can access trusted devices. text/plain LetAppsAccessTrustedDevices_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. text/plain LetAppsAccessTrustedDevices_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. text/plain LetAppsAccessTrustedDevices_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. text/plain LetAppsActivateWithVoice This policy setting specifies whether Windows apps can be activated by voice. text/plain LetAppsActivateWithVoiceAboveLock This policy setting specifies whether Windows apps can be activated by voice while the system is locked. text/plain LetAppsGetDiagnosticInfo This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names. text/plain LetAppsGetDiagnosticInfo_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. text/plain LetAppsGetDiagnosticInfo_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. text/plain LetAppsGetDiagnosticInfo_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. text/plain LetAppsRunInBackground This policy setting specifies whether Windows apps can run in the background. text/plain LetAppsRunInBackground_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. text/plain LetAppsRunInBackground_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. text/plain LetAppsRunInBackground_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. text/plain LetAppsSyncWithDevices This policy setting specifies whether Windows apps can communicate with unpaired wireless devices. text/plain LetAppsSyncWithDevices_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. text/plain LetAppsSyncWithDevices_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. text/plain LetAppsSyncWithDevices_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. text/plain PublishUserActivities Allows apps/system to publish 'User Activities' into ActivityFeed. text/plain UploadUserActivities Allows ActivityFeed to upload published 'User Activities'. text/plain RemoteAssistance CustomizeWarningMessages text/plain SessionLogging text/plain SolicitedRemoteAssistance text/plain UnsolicitedRemoteAssistance text/plain RemoteDesktopServices AllowUsersToConnectRemotely text/plain ClientConnectionEncryptionLevel text/plain DoNotAllowDriveRedirection text/plain DoNotAllowPasswordSaving text/plain PromptForPasswordUponConnection text/plain RequireSecureRPCCommunication text/plain RemoteManagement AllowBasicAuthentication_Client text/plain AllowBasicAuthentication_Service text/plain AllowCredSSPAuthenticationClient text/plain AllowCredSSPAuthenticationService text/plain AllowRemoteServerManagement text/plain AllowUnencryptedTraffic_Client text/plain AllowUnencryptedTraffic_Service text/plain DisallowDigestAuthentication text/plain DisallowNegotiateAuthenticationClient text/plain DisallowNegotiateAuthenticationService text/plain DisallowStoringOfRunAsCredentials text/plain SpecifyChannelBindingTokenHardeningLevel text/plain TrustedHosts text/plain TurnOnCompatibilityHTTPListener text/plain TurnOnCompatibilityHTTPSListener text/plain RemoteProcedureCall RestrictUnauthenticatedRPCClients text/plain RPCEndpointMapperClientAuthentication text/plain RemoteShell AllowRemoteShellAccess text/plain MaxConcurrentUsers text/plain SpecifyIdleTimeout text/plain SpecifyMaxMemory text/plain SpecifyMaxProcesses text/plain SpecifyMaxRemoteShells text/plain SpecifyShellTimeout text/plain RestrictedGroups ConfigureGroupMembership This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group. Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. text/plain Search AllowCloudSearch text/plain AllowCortanaInAAD This features allows you to show the cortana opt-in page during Windows Setup text/plain AllowFindMyFiles This feature allows you to disable find my files completely on the machine text/plain AllowIndexingEncryptedStoresOrItems text/plain AllowSearchToUseLocation text/plain AllowStoringImagesFromVisionSearch text/plain AllowUsingDiacritics text/plain AllowWindowsIndexer text/plain AlwaysUseAutoLangDetection text/plain DisableBackoff text/plain DisableRemovableDriveIndexing text/plain DoNotUseWebResults text/plain PreventIndexingLowDiskSpaceMB text/plain PreventRemoteQueries text/plain SafeSearchPermissions text/plain Security AllowAddProvisioningPackage text/plain AllowManualRootCertificateInstallation text/plain AllowRemoveProvisioningPackage text/plain AntiTheftMode text/plain ClearTPMIfNotReady text/plain ConfigureWindowsPasswords Configures the use of passwords for Windows features text/plain PreventAutomaticDeviceEncryptionForAzureADJoinedDevices text/plain RecoveryEnvironmentAuthentication This policy controls the requirement of Admin Authentication in RecoveryEnvironment. text/plain RequireDeviceEncryption text/plain RequireProvisioningPackageSignature text/plain RequireRetrieveHealthCertificateOnBoot text/plain ServiceControlManager SvchostProcessMitigation text/plain Settings AllowAutoPlay text/plain AllowDataSense text/plain AllowDateTime text/plain AllowEditDeviceName text/plain AllowLanguage text/plain AllowOnlineTips text/plain AllowPowerSleep text/plain AllowRegion text/plain AllowSignInOptions text/plain AllowVPN text/plain AllowWorkplace text/plain AllowYourAccount text/plain PageVisibilityList text/plain SmartScreen EnableAppInstallControl text/plain EnableSmartScreenInShell text/plain PreventOverrideForFilesInShell text/plain Speech AllowSpeechModelUpdate text/plain Start AllowPinnedFolderDocuments This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. text/plain AllowPinnedFolderDownloads This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. text/plain AllowPinnedFolderFileExplorer This policy controls the visibility of the File Explorer shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. text/plain AllowPinnedFolderHomeGroup This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. text/plain AllowPinnedFolderMusic This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. text/plain AllowPinnedFolderNetwork This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. text/plain AllowPinnedFolderPersonalFolder This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. text/plain AllowPinnedFolderPictures This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. text/plain AllowPinnedFolderSettings This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. text/plain AllowPinnedFolderVideos This policy controls the visibility of the Videos shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. text/plain DisableContextMenus Enabling this policy prevents context menus from being invoked in the Start Menu. text/plain ForceStartSize text/plain HideAppList Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. text/plain HideChangeAccountSettings Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. text/plain HideFrequentlyUsedApps Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. text/plain HideHibernate Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. text/plain HideLock Enabling this policy hides "Lock" from appearing in the user tile in the start menu. text/plain HidePowerButton Enabling this policy hides the power button from appearing in the start menu. text/plain HideRecentJumplists Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. text/plain HideRecentlyAddedApps Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. text/plain HideRestart Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. text/plain HideShutDown Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. text/plain HideSignOut Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. text/plain HideSleep Enabling this policy hides "Sleep" from appearing in the power button in the start menu. text/plain HideSwitchAccount Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. text/plain HideUserTile Enabling this policy hides the user tile from appearing in the start menu. text/plain ImportEdgeAssets This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified. text/plain NoPinningToTaskbar This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. text/plain StartLayout text/plain Storage AllowDiskHealthModelUpdates text/plain AllowStorageSenseGlobal text/plain AllowStorageSenseTemporaryFilesCleanup text/plain ConfigStorageSenseCloudContentDehydrationThreshold text/plain ConfigStorageSenseDownloadsCleanupThreshold text/plain ConfigStorageSenseGlobalCadence text/plain ConfigStorageSenseRecycleBinCleanupThreshold text/plain EnhancedStorageDevices text/plain RemovableDiskDenyWriteAccess If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." text/plain System AllowBuildPreview text/plain AllowCommercialDataPipeline text/plain AllowDeviceNameInDiagnosticData This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. text/plain AllowEmbeddedMode text/plain AllowExperimentation text/plain AllowFontProviders text/plain AllowLocation text/plain AllowStorageCard text/plain AllowTelemetry text/plain AllowUserToResetPhone text/plain BootStartDriverInitialization text/plain ConfigureMicrosoft365UploadEndpoint text/plain ConfigureTelemetryOptInChangeNotification text/plain ConfigureTelemetryOptInSettingsUx text/plain DisableDeviceDelete text/plain DisableDiagnosticDataViewer text/plain DisableDirectXDatabaseUpdate This group policy allows control over whether the DirectX Database Updater task will be run on the system. text/plain DisableEnterpriseAuthProxy This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. text/plain DisableOneDriveFileSync This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Microsoft Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. text/plain DisableSystemRestore text/plain FeedbackHubAlwaysSaveDiagnosticsLocally Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy is not present or set to false, users will be presented with the option to save locally. The default is to not save locally. text/plain LimitEnhancedDiagnosticDataWindowsAnalytics This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting. text/plain TelemetryProxy text/plain TurnOffFileHistory This policy setting allows you to turn off File History. If you enable this policy setting, File History cannot be activated to create regular, automatic backups. If you disable or do not configure this policy setting, File History can be activated to create regular, automatic backups. text/plain SystemServices ConfigureHomeGroupListenerServiceStartupMode This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. text/plain ConfigureHomeGroupProviderServiceStartupMode This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. text/plain ConfigureXboxAccessoryManagementServiceStartupMode This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. text/plain ConfigureXboxLiveAuthManagerServiceStartupMode This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. text/plain ConfigureXboxLiveGameSaveServiceStartupMode This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. text/plain ConfigureXboxLiveNetworkingServiceStartupMode This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. text/plain TaskManager AllowEndTask This setting determines whether non-administrators can use Task Manager to end tasks - enabled (1) or disabled (0). Default: enabled text/plain TaskScheduler EnableXboxGameSaveTask This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled. text/plain TextInput AllowHardwareKeyboardTextSuggestions text/plain AllowIMELogging text/plain AllowIMENetworkAccess text/plain AllowInputPanel text/plain AllowJapaneseIMESurrogatePairCharacters text/plain AllowJapaneseIVSCharacters text/plain AllowJapaneseNonPublishingStandardGlyph text/plain AllowJapaneseUserDictionary text/plain AllowKeyboardTextSuggestions text/plain AllowLanguageFeaturesUninstall text/plain AllowLinguisticDataCollection text/plain EnableTouchKeyboardAutoInvokeInDesktopMode text/plain ExcludeJapaneseIMEExceptJIS0208 text/plain ExcludeJapaneseIMEExceptJIS0208andEUDC text/plain ExcludeJapaneseIMEExceptShiftJIS text/plain ForceTouchKeyboardDockedState text/plain TouchKeyboardDictationButtonAvailability text/plain TouchKeyboardEmojiButtonAvailability text/plain TouchKeyboardFullModeAvailability text/plain TouchKeyboardHandwritingModeAvailability text/plain TouchKeyboardNarrowModeAvailability text/plain TouchKeyboardSplitModeAvailability text/plain TouchKeyboardWideModeAvailability text/plain TimeLanguageSettings AllowSet24HourClock text/plain ConfigureTimeZone Specifies the time zone to be applied to the device. This is the standard Windows name for the target time zone. text/plain Troubleshooting AllowRecommendations This policy setting applies recommended troubleshooting for known problems on the device and lets administrators configure how it's applied to their domains/IT environments. Not configuring this policy setting will allow the user to configure if and how recommended troubleshooting is applied. Enabling this policy allows you to configure how recommended troubleshooting is applied on the user's device. You can select from one of the following values: 0 = Turn this feature off. 1 = Turn this feature off but still apply critical troubleshooting. 2 = Notify users when recommended troubleshooting is available, then allow the user to run or ignore it. 3 = Run recommended troubleshooting automatically and notify the user after it's been successfully run. 4 = Run recommended troubleshooting automatically without notifying the user. 5 = Allow the user to choose their own recommended troubleshooting settings. text/plain Update ActiveHoursEnd text/plain ActiveHoursMaxRange text/plain ActiveHoursStart text/plain AllowAutoUpdate text/plain AllowAutoWindowsUpdateDownloadOverMeteredNetwork text/plain AllowMUUpdateService text/plain AllowNonMicrosoftSignedUpdate text/plain AllowUpdateService text/plain AutomaticMaintenanceWakeUp This policy setting allows you to configure Automatic Maintenance wake up policy. The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note, that if the OS power wake policy is explicitly disabled, then this setting has no effect. If you enable this policy setting, Automatic Maintenance will attempt to set OS wake policy and make a wake request for the daily scheduled time, if required. If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. text/plain AutoRestartDeadlinePeriodInDays text/plain AutoRestartDeadlinePeriodInDaysForFeatureUpdates text/plain AutoRestartNotificationSchedule text/plain AutoRestartRequiredNotificationDismissal text/plain BranchReadinessLevel text/plain ConfigureDeadlineForFeatureUpdates text/plain ConfigureDeadlineForQualityUpdates text/plain ConfigureDeadlineGracePeriod text/plain ConfigureDeadlineNoAutoReboot text/plain ConfigureFeatureUpdateUninstallPeriod Enable enterprises/IT admin to configure feature update uninstall period text/plain DeferFeatureUpdatesPeriodInDays text/plain DeferQualityUpdatesPeriodInDays text/plain DeferUpdatePeriod text/plain DeferUpgradePeriod text/plain DetectionFrequency text/plain DisableDualScan Do not allow update deferral policies to cause scans against Windows Update text/plain EngagedRestartDeadline text/plain EngagedRestartDeadlineForFeatureUpdates text/plain EngagedRestartSnoozeSchedule text/plain EngagedRestartSnoozeScheduleForFeatureUpdates text/plain EngagedRestartTransitionSchedule text/plain EngagedRestartTransitionScheduleForFeatureUpdates text/plain ExcludeWUDriversInQualityUpdate text/plain FillEmptyContentUrls text/plain IgnoreMOAppDownloadLimit text/plain IgnoreMOUpdateDownloadLimit text/plain ManagePreviewBuilds text/plain PauseDeferrals text/plain PauseFeatureUpdates text/plain PauseFeatureUpdatesStartTime text/plain PauseQualityUpdates text/plain PauseQualityUpdatesStartTime text/plain PhoneUpdateRestrictions text/plain RequireDeferUpgrade text/plain RequireUpdateApproval text/plain ScheduledInstallDay text/plain ScheduledInstallEveryWeek text/plain ScheduledInstallFirstWeek text/plain ScheduledInstallFourthWeek text/plain ScheduledInstallSecondWeek text/plain ScheduledInstallThirdWeek text/plain ScheduledInstallTime text/plain ScheduleImminentRestartWarning text/plain ScheduleRestartWarning text/plain SetAutoRestartNotificationDisable text/plain SetDisablePauseUXAccess text/plain SetDisableUXWUAccess text/plain SetEDURestart text/plain UpdateNotificationLevel text/plain UpdateServiceUrl text/plain UpdateServiceUrlAlternate text/plain UserRights AccessCredentialManagerAsTrustedCaller This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. text/plain AccessFromNetwork This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. text/plain ActAsPartOfTheOperatingSystem This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. text/plain AllowLocalLogOn This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website. text/plain BackupFilesAndDirectories This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users text/plain ChangeSystemTime This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. text/plain CreateGlobalObjects This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users. text/plain CreatePageFile This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users text/plain CreatePermanentSharedObjects This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it. text/plain CreateSymbolicLinks This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. text/plain CreateToken This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. text/plain DebugPrograms This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. text/plain DenyAccessFromNetwork This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. text/plain DenyLocalLogOn This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts. text/plain DenyRemoteDesktopServicesLogOn This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client. text/plain EnableDelegation This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. text/plain GenerateSecurityAudits This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled. text/plain ImpersonateClient Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 1) The access token that is being impersonated is for this user. 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. 3) The requested level is less than Impersonate, such as Anonymous or Identify. Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run. text/plain IncreaseSchedulingPriority This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. text/plain LoadUnloadDeviceDrivers This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. text/plain LockMemory This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). text/plain ManageAuditingAndSecurityLog This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log. text/plain ManageVolume This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. text/plain ModifyFirmwareEnvironment This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. text/plain ModifyObjectLabel This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. text/plain ProfileSingleProcess This user right determines which users can use performance monitoring tools to monitor the performance of system processes. text/plain RemoteShutdown This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. text/plain RestoreFilesAndDirectories This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users. text/plain TakeOwnership This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users. text/plain Wifi AllowAutoConnectToWiFiSenseHotspots text/plain AllowInternetSharing text/plain AllowManualWiFiConfiguration text/plain AllowWiFi text/plain AllowWiFiDirect text/plain WLANScanMode text/plain WindowsConnectionManager ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork text/plain WindowsDefenderSecurityCenter CompanyName text/plain DisableAccountProtectionUI text/plain DisableAppBrowserUI text/plain DisableClearTpmButton text/plain DisableDeviceSecurityUI text/plain DisableEnhancedNotifications text/plain DisableFamilyUI text/plain DisableHealthUI text/plain DisableNetworkUI text/plain DisableNotifications text/plain DisableTpmFirmwareUpdateWarning text/plain DisableVirusUI text/plain DisallowExploitProtectionOverride text/plain Email text/plain EnableCustomizedToasts text/plain EnableInAppCustomization text/plain HideRansomwareDataRecovery text/plain HideSecureBoot text/plain HideTPMTroubleshooting text/plain HideWindowsSecurityNotificationAreaControl text/plain Phone text/plain URL text/plain WindowsInkWorkspace AllowSuggestedAppsInWindowsInkWorkspace text/plain AllowWindowsInkWorkspace text/plain WindowsLogon AllowAutomaticRestartSignOn text/plain ConfigAutomaticRestartSignOn text/plain DisableLockScreenAppNotifications text/plain DontDisplayNetworkSelectionUI text/plain EnableFirstLogonAnimation This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt for services during their first sign-in. If you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation. If you disable this policy setting, users will not see the animation and Microsoft account users will not see the opt-in prompt for services. If you do not configure this policy setting, the user who completes the initial Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer will not see the animation. Note: The first sign-in animation will not be shown on Server, so this policy will have no effect. text/plain EnumerateLocalUsersOnDomainJoinedComputers text/plain HideFastUserSwitching This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations. text/plain WindowsPowerShell TurnOnPowerShellScriptBlockLogging text/plain WirelessDisplay AllowMdnsAdvertisement This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. text/plain AllowMdnsDiscovery This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. text/plain AllowProjectionFromPC This policy allows you to turn off projection from a PC. If you set it to 0, your PC cannot discover or project to other devices. If you set it to 1, your PC can discover and project to other devices. text/plain AllowProjectionFromPCOverInfrastructure This policy allows you to turn off projection from a PC over infrastructure. If you set it to 0, your PC cannot discover or project to other infrastructure devices, though it may still be possible to discover and project over WiFi Direct. If you set it to 1, your PC can discover and project to other devices over infrastructure. text/plain AllowProjectionToPC This policy setting allows you to turn off projection to a PC If you set it to 0, your PC isn't discoverable and can't be projected to If you set it to 1, your PC is discoverable and can be projected to above the lock screen only. The user has an option to turn it always on or off except for manual launch, too. text/plain AllowProjectionToPCOverInfrastructure This policy setting allows you to turn off projection to a PC over infrastructure. If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. If you set it to 1, your PC can be discoverable and can be projected to over infrastructure. text/plain AllowUserInputFromWirelessDisplayReceiver text/plain RequirePinForPairing This policy setting allows you to require a pin for pairing. If you set this to 0, a pin isn't required for pairing. If you set this to 1, the pairing ceremony for new devices will always require a PIN. If you set this to 2, all pairings will require PIN. text/plain Result AboveLock AllowActionCenterNotifications 1 text/plain desktop LowestValueMostSecure AllowCortanaAboveLock 1 text/plain Search.admx Search~AT~WindowsComponents~Search AllowCortanaAboveLock LowestValueMostSecure AllowToasts 1 text/plain LowestValueMostSecure Accounts AllowAddingNonMicrosoftAccountsManually 1 text/plain LowestValueMostSecure AllowMicrosoftAccountConnection 1 text/plain LowestValueMostSecure AllowMicrosoftAccountSignInAssistant 1 text/plain LastWrite DomainNamesForEmailSync text/plain LastWrite ActiveXControls ApprovedInstallationSites text/plain phone ActiveXInstallService.admx ActiveXInstallService~AT~WindowsComponents~AxInstSv ApprovedActiveXInstallSites LastWrite ApplicationDefaults DefaultAssociationsConfiguration text/plain phone WindowsExplorer.admx DefaultAssociationsConfiguration_TextBox WindowsExplorer~AT~WindowsComponents~WindowsExplorer DefaultAssociationsConfiguration LastWrite EnableAppUriHandlers 1 Enables web-to-app linking, which allows apps to be launched with a http(s) URI text/plain GroupPolicy.admx GroupPolicy~AT~System~PolicyPolicies EnableAppUriHandlers HighestValueMostSecure ApplicationManagement AllowAllTrustedApps 65535 text/plain AppxPackageManager.admx AppxPackageManager~AT~WindowsComponents~AppxDeployment AppxDeploymentAllowAllTrustedApps LowestValueMostSecure AllowAppStoreAutoUpdate 2 text/plain WindowsStore.admx WindowsStore~AT~WindowsComponents~WindowsStore DisableAutoInstall LowestValueMostSecure AllowDeveloperUnlock 65535 text/plain AppxPackageManager.admx AppxPackageManager~AT~WindowsComponents~AppxDeployment AllowDevelopmentWithoutDevLicense LowestValueMostSecure AllowGameDVR 1 text/plain phone GameDVR.admx GameDVR~AT~WindowsComponents~GAMEDVR AllowGameDVR LowestValueMostSecure AllowSharedUserAppData 0 text/plain AppxPackageManager.admx AppxPackageManager~AT~WindowsComponents~AppxDeployment AllowSharedLocalAppData LowestValueMostSecure AllowStore 1 text/plain desktop LowestValueMostSecure ApplicationRestrictions text/plain desktop LastWrite DisableStoreOriginatedApps 0 text/plain WindowsStore.admx WindowsStore~AT~WindowsComponents~WindowsStore DisableStoreApps LowestValueMostSecure LaunchAppAfterLogOn List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are to be launched after logon. text/plain LastWrite MSIAllowUserControlOverInstall 0 text/plain phone MSI.admx MSI~AT~WindowsComponents~MSI EnableUserControl HighestValueMostSecure MSIAlwaysInstallWithElevatedPrivileges 0 text/plain phone MSI.admx MSI~AT~WindowsComponents~MSI AlwaysInstallElevated HighestValueMostSecure RequirePrivateStoreOnly 0 text/plain WindowsStore.admx WindowsStore~AT~WindowsComponents~WindowsStore RequirePrivateStoreOnly HighestValueMostSecure RestrictAppDataToSystemVolume 0 text/plain AppxPackageManager.admx AppxPackageManager~AT~WindowsComponents~AppxDeployment RestrictAppDataToSystemVolume LowestValueMostSecure RestrictAppToSystemVolume 0 text/plain AppxPackageManager.admx AppxPackageManager~AT~WindowsComponents~AppxDeployment DisableDeploymentToNonSystemVolumes LowestValueMostSecure ScheduleForceRestartForUpdateFailures text/plain LastWrite ]]> AppRuntime AllowMicrosoftAccountsToBeOptional text/plain phone AppXRuntime.admx AppXRuntime~AT~WindowsComponents~AppXRuntime AppxRuntimeMicrosoftAccountsOptional LastWrite AppVirtualization AllowAppVClient text/plain phone appv.admx appv~AT~System~CAT_AppV EnableAppV LastWrite AllowDynamicVirtualization text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Virtualization Virtualization_JITVEnable LastWrite AllowPackageCleanup text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_PackageManagement PackageManagement_AutoCleanupEnable LastWrite AllowPackageScripts text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Scripting Scripting_Enable_Package_Scripts LastWrite AllowPublishingRefreshUX text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Enable_Publishing_Refresh_UX LastWrite AllowReportingServer text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Reporting Reporting_Server_Policy LastWrite AllowRoamingFileExclusions text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Integration Integration_Roaming_File_Exclusions LastWrite AllowRoamingRegistryExclusions text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Integration Integration_Roaming_Registry_Exclusions LastWrite AllowStreamingAutoload text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Steaming_Autoload LastWrite ClientCoexistenceAllowMigrationmode text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Client_Coexistence Client_Coexistence_Enable_Migration_mode LastWrite IntegrationAllowRootGlobal text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Integration Integration_Root_User LastWrite IntegrationAllowRootUser text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Integration Integration_Root_Global LastWrite PublishingAllowServer1 text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server1_Policy LastWrite PublishingAllowServer2 text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server2_Policy LastWrite PublishingAllowServer3 text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server3_Policy LastWrite PublishingAllowServer4 text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server4_Policy LastWrite PublishingAllowServer5 text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server5_Policy LastWrite StreamingAllowCertificateFilterForClient_SSL text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Certificate_Filter_For_Client_SSL LastWrite StreamingAllowHighCostLaunch text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Allow_High_Cost_Launch LastWrite StreamingAllowLocationProvider text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Location_Provider LastWrite StreamingAllowPackageInstallationRoot text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Package_Installation_Root LastWrite StreamingAllowPackageSourceRoot text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Package_Source_Root LastWrite StreamingAllowReestablishmentInterval text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Reestablishment_Interval LastWrite StreamingAllowReestablishmentRetries text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Reestablishment_Retries LastWrite StreamingSharedContentStoreMode text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Shared_Content_Store_Mode LastWrite StreamingSupportBranchCache text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Support_Branch_Cache LastWrite StreamingVerifyCertificateRevocationList text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Verify_Certificate_Revocation_List LastWrite VirtualComponentsAllowList text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Virtualization Virtualization_JITVAllowList LastWrite Authentication AllowAadPasswordReset 0 Specifies whether password reset is enabled for AAD accounts. text/plain phone LowestValueMostSecure AllowFastReconnect 1 text/plain LowestValueMostSecure AllowSecondaryAuthenticationDevice 0 text/plain DeviceCredential.admx DeviceCredential~AT~WindowsComponents~MSSecondaryAuthFactorCategory MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice LowestValueMostSecure ConfigureWebcamAccessDomainNames Specifies a list of domains that are allowed to access the webcam in CXH-based authentication scenarios. text/plain LastWrite ; EnableFastFirstSignIn 0 Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts text/plain phone LastWrite EnableWebSignIn 0 Specifies whether web-based sign in is allowed for logging in to Windows text/plain phone LastWrite PreferredAadTenantDomainName Specifies the preferred domain among available domains in the AAD tenant. text/plain LastWrite Autoplay DisallowAutoplayForNonVolumeDevices text/plain phone AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay NoAutoplayfornonVolume LastWrite SetDefaultAutoRunBehavior text/plain phone AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay NoAutorun LastWrite TurnOffAutoPlay text/plain phone AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay Autorun LastWrite Bitlocker EncryptionMethod 6 text/plain LastWrite BITS BandwidthThrottlingEndTime 17 text/plain Bits.admx BITS_BandwidthLimitSchedTo Bits~AT~Network~BITS BITS_MaxBandwidth LastWrite BandwidthThrottlingStartTime 8 text/plain Bits.admx BITS_BandwidthLimitSchedFrom Bits~AT~Network~BITS BITS_MaxBandwidth LastWrite BandwidthThrottlingTransferRate 1000 text/plain Bits.admx BITS_MaxTransferRateText Bits~AT~Network~BITS BITS_MaxBandwidth LastWrite CostedNetworkBehaviorBackgroundPriority 1 text/plain Bits.admx BITS_TransferPolicyNormalPriorityValue Bits~AT~Network~BITS BITS_SetTransferPolicyOnCostedNetwork LastWrite CostedNetworkBehaviorForegroundPriority 1 text/plain Bits.admx BITS_TransferPolicyForegroundPriorityValue Bits~AT~Network~BITS BITS_SetTransferPolicyOnCostedNetwork LastWrite JobInactivityTimeout 90 text/plain Bits.admx BITS_Job_Timeout_Time Bits~AT~Network~BITS BITS_Job_Timeout LastWrite Bluetooth AllowAdvertising 1 text/plain LowestValueMostSecure AllowDiscoverableMode 1 text/plain LowestValueMostSecure AllowPrepairing 1 text/plain LowestValueMostSecure AllowPromptedProximalConnections 1 text/plain LowestValueMostSecure LocalDeviceName text/plain LastWrite ServicesAllowedList text/plain LastWrite Browser AllowAddressBarDropdown 1 This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowAddressBarDropdown LowestValueMostSecure AllowAutofill 0 This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowAutofill LowestValueMostSecure AllowBrowser 1 text/plain desktop LowestValueMostSecure AllowConfigurationUpdateForBooksLibrary 1 This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. text/plain LowestValueMostSecure AllowCookies 2 This setting lets you configure how your company deals with cookies. text/plain MicrosoftEdge.admx CookiesListBox MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge Cookies LowestValueMostSecure AllowDeveloperTools 1 This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowDeveloperTools LowestValueMostSecure AllowDoNotTrack 0 This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowDoNotTrack LowestValueMostSecure AllowExtensions 1 This setting lets you decide whether employees can load extensions in Microsoft Edge. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowExtensions LowestValueMostSecure AllowFlash 1 This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowFlash HighestValueMostSecure AllowFlashClickToRun 1 Configure the Adobe Flash Click-to-Run setting. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowFlashClickToRun HighestValueMostSecure AllowFullScreenMode 1 With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. If disabled, full-screen mode is unavailable for use in Microsoft Edge. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowFullScreenMode LowestValueMostSecure AllowInPrivate 1 This setting lets you decide whether employees can browse using InPrivate website browsing. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowInPrivate LowestValueMostSecure AllowMicrosoftCompatibilityList 1 This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowCVList LowestValueMostSecure AllowPasswordManager 1 This setting lets you decide whether employees can save their passwords locally, using Password Manager. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowPasswordManager LowestValueMostSecure AllowPopups 0 This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowPopups LowestValueMostSecure AllowPrelaunch 1 Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowPrelaunch LowestValueMostSecure AllowPrinting 1 With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. If enabled, printing is allowed. If disabled, printing is not allowed. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowPrinting LowestValueMostSecure AllowSavingHistory 1 Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. If enabled or not configured, the browsing history is saved and visible in the History pane. If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowSavingHistory LowestValueMostSecure AllowSearchEngineCustomization 1 Allow search engine customization for MDM enrolled devices. Users can change their default search engine. If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowSearchEngineCustomization LowestValueMostSecure AllowSearchSuggestionsinAddressBar 1 This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowSearchSuggestionsinAddressBar LowestValueMostSecure AllowSideloadingOfExtensions 1 This setting lets you decide whether employees can sideload extensions in Microsoft Edge. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowSideloadingOfExtensions LowestValueMostSecure AllowSmartScreen 1 This setting lets you decide whether to turn on Windows Defender SmartScreen. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowSmartScreen LowestValueMostSecure AllowTabPreloading 1 Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowTabPreloading LowestValueMostSecure AllowWebContentOnNewTabPage 1 This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. If you don't configure this setting, employees can choose how new tabs appears. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowWebContentOnNewTabPage LowestValueMostSecure AlwaysEnableBooksLibrary 0 Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AlwaysEnableBooksLibrary LowestValueMostSecure ClearBrowsingDataOnExit 0 Specifies whether to always clear browsing history on exiting Microsoft Edge. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge AllowClearingBrowsingDataOnExit LowestValueMostSecure ConfigureAdditionalSearchEngines Allows you to add up to 5 additional search engines for MDM-enrolled devices. If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. text/plain MicrosoftEdge.admx ConfigureAdditionalSearchEngines_Prompt MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge ConfigureAdditionalSearchEngines LastWrite ConfigureFavoritesBar 0 The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge ConfigureFavoritesBar LowestValueMostSecure ConfigureHomeButton 0 The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. By default, this policy is disabled or not configured and clicking the home button loads the default Start page. When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. If Enabled AND: - Show home button & set to Start page is selected, clicking the home button loads the Start page. - Show home button & set to New tab page is selected, clicking the home button loads a New tab page. - Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. - Hide home button is selected, the home button is hidden in Microsoft Edge. Default setting: Disabled or not configured Related policies: - Set Home Button URL - Unlock Home Button text/plain phone MicrosoftEdge.admx ConfigureHomeButtonDropdown MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge ConfigureHomeButton LastWrite ConfigureKioskMode 0 Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). If enabled and set to 0 (Default or not configured): - If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. - If it’s one of many apps, Microsoft Edge runs as normal. If enabled and set to 1: - If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. - If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. text/plain phone MicrosoftEdge.admx ConfigureKioskMode_TextBox MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge ConfigureKioskMode LastWrite ConfigureKioskResetAfterIdleTimeout 5 You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. If you set this policy to 0, Microsoft Edge does not use an idle timer. If disabled or not configured, the default value is 5 minutes. If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. text/plain phone MicrosoftEdge.admx ConfigureKioskResetAfterIdleTimeout_TextBox MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge ConfigureKioskResetAfterIdleTimeout LastWrite ConfigureOpenMicrosoftEdgeWith 3 You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. If enabled, you can choose one of the following options: - Start page: the Start page loads ignoring the Configure Start Pages policy. - New tab page: the New tab page loads ignoring the Configure Start Pages policy. - Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. - A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. Default setting: A specific page or pages (default) Related policies: -Disable Lockdown of Start Pages -Configure Start Pages text/plain phone MicrosoftEdge.admx ConfigureOpenEdgeWithListBox MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge ConfigureOpenEdgeWith LastWrite ConfigureTelemetryForMicrosoft365Analytics 0 Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. text/plain MicrosoftEdge.admx ZonesListBox MicrosoftEdge~AT~WindowsComponents~DataCollectionAndPreviewBuilds ConfigureTelemetryForMicrosoft365Analytics LowestValueMostSecure DisableLockdownOfStartPages 0 You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Start Pages - Configure Open Microsoft Edge With text/plain phone MicrosoftEdge.admx DisableLockdownOfStartPagesListBox MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge DisableLockdownOfStartPages LowestValueMostSecure EnableExtendedBooksTelemetry 0 This setting allows organizations to send extended telemetry on book usage from the Books Library. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge EnableExtendedBooksTelemetry LowestValueMostSecure EnterpriseModeSiteList This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. text/plain phone MicrosoftEdge.admx EnterSiteListPrompt MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge EnterpriseModeSiteList LastWrite EnterpriseSiteListServiceUrl text/plain phone LastWrite FirstRunURL Configure first run URL. text/plain desktop LastWrite HomePages When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: <support.contoso.com><support.microsoft.com> If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Open Microsoft Edge With - Disable Lockdown of Start Pages text/plain phone MicrosoftEdge.admx HomePagesPrompt MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge HomePages LastWrite LockdownFavorites 0 This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. Important Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge LockdownFavorites LowestValueMostSecure PreventAccessToAboutFlagsInMicrosoftEdge 0 Prevent access to the about:flags page in Microsoft Edge. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge PreventAccessToAboutFlagsInMicrosoftEdge HighestValueMostSecure PreventCertErrorOverrides 0 Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. If enabled, overriding certificate errors are not allowed. If disabled or not configured, overriding certificate errors are allowed. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge PreventCertErrorOverrides HighestValueMostSecure PreventFirstRunPage 0 Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge PreventFirstRunPage HighestValueMostSecure PreventLiveTileDataCollection 0 This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge PreventLiveTileDataCollection HighestValueMostSecure PreventSmartScreenPromptOverride 0 Don't allow Windows Defender SmartScreen warning overrides text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge PreventSmartScreenPromptOverride HighestValueMostSecure PreventSmartScreenPromptOverrideForFiles 0 Don't allow Windows Defender SmartScreen warning overrides for unverified files. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge PreventSmartScreenPromptOverrideForFiles HighestValueMostSecure PreventTurningOffRequiredExtensions You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and extension. When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. If disabled or not configured, extensions defined as part of this policy get ignored. Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: - Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business) - How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy) - Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows) text/plain phone MicrosoftEdge.admx PreventTurningOffRequiredExtensions_Prompt MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge PreventTurningOffRequiredExtensions LastWrite PreventUsingLocalHostIPAddressForWebRTC 0 Prevent using localhost IP address for WebRTC text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge HideLocalHostIPAddress HighestValueMostSecure ProvisionFavorites This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. Important Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. text/plain MicrosoftEdge.admx ConfiguredFavoritesPrompt MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge ConfiguredFavorites LastWrite SendIntranetTraffictoInternetExplorer 0 Sends all intranet traffic over to Internet Explorer. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge SendIntranetTraffictoInternetExplorer HighestValueMostSecure SetDefaultSearchEngine Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. text/plain MicrosoftEdge.admx SetDefaultSearchEngine_Prompt MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge SetDefaultSearchEngine LastWrite SetHomeButtonURL The home button can be configured to load a custom URL when your user clicks the home button. If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. Default setting: Blank or not configured Related policy: Configure Home Button text/plain phone MicrosoftEdge.admx SetHomeButtonURLPrompt MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge SetHomeButtonURL LastWrite SetNewTabPageURL You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. If enabled, you can set the default New Tab page URL. If disabled or not configured, the default Microsoft Edge new tab page is used. Default setting: Disabled or not configured Related policy: Allow web content on New Tab page text/plain phone MicrosoftEdge.admx SetNewTabPageURLPrompt MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge SetNewTabPageURL LastWrite ShowMessageWhenOpeningSitesInInternetExplorer 0 You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. If disabled or not configured, the default app behavior occurs and no additional page displays. Default setting: Disabled or not configured Related policies: -Configure the Enterprise Mode Site List -Send all intranet sites to Internet Explorer 11 text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge ShowMessageWhenOpeningSitesInInternetExplorer HighestValueMostSecure SyncFavoritesBetweenIEAndMicrosoftEdge 0 Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge SyncFavoritesBetweenIEAndMicrosoftEdge LowestValueMostSecure UnlockHomeButton 0 By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. Default setting: Disabled or not configured Related policy: -Configure Home Button -Set Home Button URL text/plain phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge UnlockHomeButton LowestValueMostSecure UseSharedFolderForBooks 0 This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. text/plain MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge UseSharedFolderForBooks LowestValueMostSecure Camera AllowCamera 1 text/plain Camera.admx Camera~AT~WindowsComponents~L_Camera_GroupPolicyCategory L_AllowCamera LowestValueMostSecure Cellular LetAppsAccessCellularData 0 This policy setting specifies whether Windows apps can access cellular data. text/plain wwansvc.admx LetAppsAccessCellularData_Enum wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess LetAppsAccessCellularData HighestValueMostSecure LetAppsAccessCellularData_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. text/plain wwansvc.admx LetAppsAccessCellularData_ForceAllowTheseApps_List wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess LetAppsAccessCellularData LastWrite ; LetAppsAccessCellularData_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. text/plain wwansvc.admx LetAppsAccessCellularData_ForceDenyTheseApps_List wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess LetAppsAccessCellularData LastWrite ; LetAppsAccessCellularData_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. text/plain wwansvc.admx LetAppsAccessCellularData_UserInControlOfTheseApps_List wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess LetAppsAccessCellularData LastWrite ; ShowAppCellularAccessUI text/plain wwansvc.admx wwansvc~AT~Network~WwanSvc_Category~UISettings_Category ShowAppCellularAccessUI LastWrite Connectivity AllowBluetooth 2 text/plain LowestValueMostSecure AllowCellularData 1 text/plain LowestValueMostSecure AllowCellularDataRoaming 1 text/plain WCM.admx WCM~AT~Network~WCM_Category WCM_DisableRoaming LowestValueMostSecure AllowConnectedDevices 1 text/plain LowestValueMostSecure AllowNFC 1 text/plain desktop LowestValueMostSecure AllowPhonePCLinking 1 text/plain grouppolicy.admx grouppolicy~AT~System~PolicyPolicies enableMMX LowestValueMostSecure AllowUSBConnection 1 text/plain desktop LowestValueMostSecure AllowVPNOverCellular 1 text/plain LowestValueMostSecure AllowVPNRoamingOverCellular 1 text/plain LowestValueMostSecure DiablePrintingOverHTTP text/plain phone ICM.admx ICM~AT~System~InternetManagement~InternetManagement_Settings DisableHTTPPrinting_2 LastWrite DisableDownloadingOfPrintDriversOverHTTP text/plain phone ICM.admx ICM~AT~System~InternetManagement~InternetManagement_Settings DisableWebPnPDownload_2 LastWrite DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards text/plain phone ICM.admx ICM~AT~System~InternetManagement~InternetManagement_Settings ShellPreventWPWDownload_2 LastWrite DisallowNetworkConnectivityActiveTests 0 text/plain ICM.admx ICM~AT~System~InternetManagement~InternetManagement_Settings NoActiveProbe HighestValueMostSecure HardenedUNCPaths text/plain phone networkprovider.admx NetworkProvider~AT~Network~Cat_NetworkProvider Pol_HardenedPaths LastWrite ProhibitInstallationAndConfigurationOfNetworkBridge text/plain phone NetworkConnections.admx NetworkConnections~AT~Network~NetworkConnections NC_AllowNetBridge_NLA LastWrite ControlPolicyConflict MDMWinsOverGP 0 If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC. Setting the value to 0 (zero) or deleting the policy will remove the GP policy blocks restore the saved GP policies. text/plain LastWrite CredentialProviders AllowPINLogon text/plain phone credentialproviders.admx CredentialProviders~AT~System~Logon AllowDomainPINLogon LastWrite BlockPicturePassword text/plain phone credentialproviders.admx CredentialProviders~AT~System~Logon BlockDomainPicturePassword LastWrite DisableAutomaticReDeploymentCredentials 1 text/plain HighestValueMostSecure CredentialsDelegation RemoteHostAllowsDelegationOfNonExportableCredentials text/plain phone CredSsp.admx CredSsp~AT~System~CredentialsDelegation AllowProtectedCreds LastWrite CredentialsUI DisablePasswordReveal text/plain phone credui.admx CredUI~AT~WindowsComponents~CredUI DisablePasswordReveal LastWrite EnumerateAdministrators text/plain phone credui.admx CredUI~AT~WindowsComponents~CredUI EnumerateAdministrators LastWrite Cryptography AllowFipsAlgorithmPolicy 0 text/plain Windows Settings~Security Settings~Local Policies~Security Options System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing LastWrite TLSCipherSuites text/plain LastWrite DataProtection AllowDirectMemoryAccess 1 text/plain LowestValueMostSecure LegacySelectiveWipeID text/plain LastWrite DataUsage SetCost3G text/plain wwansvc.admx wwansvc~AT~Network~WwanSvc_Category~NetworkCost_Category SetCost3G LastWrite SetCost4G text/plain wwansvc.admx wwansvc~AT~Network~WwanSvc_Category~NetworkCost_Category SetCost4G LastWrite Defender AllowArchiveScanning 1 text/plain phone WindowsDefender.admx WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan Scan_DisableArchiveScanning HighestValueMostSecure AllowBehaviorMonitoring 1 text/plain phone WindowsDefender.admx WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection RealtimeProtection_DisableBehaviorMonitoring HighestValueMostSecure AllowCloudProtection 1 text/plain phone WindowsDefender.admx SpynetReporting WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Spynet SpynetReporting HighestValueMostSecure AllowEmailScanning 0 text/plain phone WindowsDefender.admx WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan Scan_DisableEmailScanning HighestValueMostSecure AllowFullScanOnMappedNetworkDrives 0 text/plain phone WindowsDefender.admx WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan Scan_DisableScanningMappedNetworkDrivesForFullScan HighestValueMostSecure AllowFullScanRemovableDriveScanning 1 text/plain phone WindowsDefender.admx WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan Scan_DisableRemovableDriveScanning HighestValueMostSecure AllowIntrusionPreventionSystem 1 text/plain phone HighestValueMostSecure AllowIOAVProtection 1 text/plain phone WindowsDefender.admx WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection RealtimeProtection_DisableIOAVProtection HighestValueMostSecure AllowOnAccessProtection 1 text/plain phone WindowsDefender.admx WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection RealtimeProtection_DisableOnAccessProtection HighestValueMostSecure AllowRealtimeMonitoring 1 text/plain phone WindowsDefender.admx WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection DisableRealtimeMonitoring HighestValueMostSecure AllowScanningNetworkFiles 0 text/plain phone WindowsDefender.admx WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan Scan_DisableScanningNetworkFiles HighestValueMostSecure AllowScriptScanning 1 text/plain phone HighestValueMostSecure AllowUserUIAccess 1 text/plain phone WindowsDefender.admx WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ClientInterface UX_Configuration_UILockdown LastWrite AttackSurfaceReductionOnlyExclusions text/plain phone WindowsDefender.admx ExploitGuard_ASR_ASROnlyExclusions WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ASR ExploitGuard_ASR_ASROnlyExclusions LastWrite AttackSurfaceReductionRules text/plain phone WindowsDefender.admx ExploitGuard_ASR_Rules WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ASR ExploitGuard_ASR_Rules LastWrite AvgCPULoadFactor 50 text/plain phone WindowsDefender.admx Scan_AvgCPULoadFactor WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan Scan_AvgCPULoadFactor LastWrite CheckForSignaturesBeforeRunningScan 0 text/plain phone WindowsDefender.admx CheckForSignaturesBeforeRunningScan WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan CheckForSignaturesBeforeRunningScan HighestValueMostSecure CloudBlockLevel 0 text/plain phone WindowsDefender.admx MpCloudBlockLevel WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~MpEngine MpEngine_MpCloudBlockLevel LastWrite CloudExtendedTimeout 0 text/plain phone WindowsDefender.admx MpBafsExtendedTimeout WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~MpEngine MpEngine_MpBafsExtendedTimeout LastWrite ControlledFolderAccessAllowedApplications text/plain phone WindowsDefender.admx ExploitGuard_ControlledFolderAccess_AllowedApplications WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess ExploitGuard_ControlledFolderAccess_AllowedApplications LastWrite ControlledFolderAccessProtectedFolders text/plain phone WindowsDefender.admx ExploitGuard_ControlledFolderAccess_ProtectedFolders WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess ExploitGuard_ControlledFolderAccess_ProtectedFolders LastWrite DaysToRetainCleanedMalware 0 text/plain phone WindowsDefender.admx Quarantine_PurgeItemsAfterDelay WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Quarantine Quarantine_PurgeItemsAfterDelay LastWrite DisableCatchupFullScan 1 text/plain phone WindowsDefender.admx Scan_DisableCatchupFullScan WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan Scan_DisableCatchupFullScan LastWrite DisableCatchupQuickScan 1 text/plain phone WindowsDefender.admx Scan_DisableCatchupQuickScan WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan Scan_DisableCatchupQuickScan LastWrite EnableControlledFolderAccess 0 text/plain phone WindowsDefender.admx ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess LastWrite EnableLowCPUPriority 0 text/plain phone WindowsDefender.admx Scan_LowCpuPriority WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan Scan_LowCpuPriority LastWrite EnableNetworkProtection 0 text/plain phone WindowsDefender.admx ExploitGuard_EnableNetworkProtection WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_NetworkProtection ExploitGuard_EnableNetworkProtection LastWrite ExcludedExtensions text/plain phone WindowsDefender.admx Exclusions_PathsList WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions Exclusions_Paths LastWrite ExcludedPaths text/plain phone WindowsDefender.admx Exclusions_ExtensionsList WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions Exclusions_Extensions LastWrite ExcludedProcesses text/plain phone WindowsDefender.admx Exclusions_ProcessesList WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions Exclusions_Processes LastWrite PUAProtection 0 text/plain phone WindowsDefender.admx Root_PUAProtection WindowsDefender~AT~WindowsComponents~AntiSpywareDefender Root_PUAProtection LastWrite RealTimeScanDirection 0 text/plain phone WindowsDefender.admx RealtimeProtection_RealtimeScanDirection WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection RealtimeProtection_RealtimeScanDirection LowestValueMostSecure ScanParameter 1 text/plain phone WindowsDefender.admx Scan_ScanParameters WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan Scan_ScanParameters LastWrite ScheduleQuickScanTime 120 text/plain phone WindowsDefender.admx Scan_ScheduleQuickScantime WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan Scan_ScheduleQuickScantime LastWrite ScheduleScanDay 0 text/plain phone WindowsDefender.admx Scan_ScheduleDay WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan Scan_ScheduleDay LastWrite ScheduleScanTime 120 text/plain phone WindowsDefender.admx Scan_ScheduleTime WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan Scan_ScheduleTime LastWrite SecurityIntelligenceLocation text/plain phone WindowsDefender.admx SignatureUpdate_SharedSignaturesLocation WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate SignatureUpdate_SharedSignaturesLocation LastWrite SignatureUpdateFallbackOrder text/plain phone WindowsDefender.admx SignatureUpdate_FallbackOrder WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate SignatureUpdate_FallbackOrder LastWrite SignatureUpdateFileSharesSources text/plain phone WindowsDefender.admx SignatureUpdate_DefinitionUpdateFileSharesSources WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate SignatureUpdate_DefinitionUpdateFileSharesSources LastWrite SignatureUpdateInterval 8 text/plain phone WindowsDefender.admx SignatureUpdate_SignatureUpdateInterval WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate SignatureUpdate_SignatureUpdateInterval LastWrite SubmitSamplesConsent 1 text/plain phone WindowsDefender.admx SubmitSamplesConsent WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Spynet SubmitSamplesConsent HighestValueMostSecure ThreatSeverityDefaultAction text/plain phone WindowsDefender.admx Threats_ThreatSeverityDefaultActionList WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Threats Threats_ThreatSeverityDefaultAction LastWrite DeliveryOptimization DOAbsoluteMaxCacheSize 10 text/plain DeliveryOptimization.admx AbsoluteMaxCacheSize DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat AbsoluteMaxCacheSize LastWrite DOAllowVPNPeerCaching 0 text/plain DeliveryOptimization.admx AllowVPNPeerCaching DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat AllowVPNPeerCaching LowestValueMostSecure DOCacheHost text/plain DeliveryOptimization.admx CacheHost DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat CacheHost LastWrite DODelayBackgroundDownloadFromHttp 0 text/plain DeliveryOptimization.admx DelayBackgroundDownloadFromHttp DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat DelayBackgroundDownloadFromHttp LastWrite DODelayCacheServerFallbackBackground 0 text/plain DeliveryOptimization.admx DelayCacheServerFallbackBackground DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat DelayCacheServerFallbackBackground LastWrite DODelayCacheServerFallbackForeground 0 text/plain DeliveryOptimization.admx DelayCacheServerFallbackForeground DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat DelayCacheServerFallbackForeground LastWrite DODelayForegroundDownloadFromHttp 0 text/plain DeliveryOptimization.admx DelayForegroundDownloadFromHttp DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat DelayForegroundDownloadFromHttp LastWrite DODownloadMode 1 text/plain DeliveryOptimization.admx DownloadMode DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat DownloadMode LastWrite DOGroupId text/plain DeliveryOptimization.admx GroupId DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat GroupId LastWrite DOGroupIdSource 0 text/plain DeliveryOptimization.admx GroupIdSource DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat GroupIdSource LastWrite DOMaxCacheAge 259200 text/plain DeliveryOptimization.admx MaxCacheAge DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat MaxCacheAge LastWrite DOMaxCacheSize 20 text/plain DeliveryOptimization.admx MaxCacheSize DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat MaxCacheSize LastWrite DOMaxDownloadBandwidth 0 text/plain DeliveryOptimization.admx MaxDownloadBandwidth DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat MaxDownloadBandwidth LastWrite DOMaxUploadBandwidth 0 text/plain DeliveryOptimization.admx MaxUploadBandwidth DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat MaxUploadBandwidth LastWrite DOMinBackgroundQos 500 text/plain DeliveryOptimization.admx MinBackgroundQos DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat MinBackgroundQos LastWrite DOMinBatteryPercentageAllowedToUpload 0 text/plain DeliveryOptimization.admx MinBatteryPercentageAllowedToUpload DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat MinBatteryPercentageAllowedToUpload LastWrite DOMinDiskSizeAllowedToPeer 32 text/plain DeliveryOptimization.admx MinDiskSizeAllowedToPeer DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat MinDiskSizeAllowedToPeer LastWrite DOMinFileSizeToCache 100 text/plain DeliveryOptimization.admx MinFileSizeToCache DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat MinFileSizeToCache LastWrite DOMinRAMAllowedToPeer 4 text/plain DeliveryOptimization.admx MinRAMAllowedToPeer DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat MinRAMAllowedToPeer LastWrite DOModifyCacheDrive %SystemDrive% text/plain DeliveryOptimization.admx ModifyCacheDrive DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat ModifyCacheDrive LastWrite DOMonthlyUploadDataCap 20 text/plain DeliveryOptimization.admx MonthlyUploadDataCap DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat MonthlyUploadDataCap LastWrite DOPercentageMaxBackgroundBandwidth 0 text/plain DeliveryOptimization.admx PercentageMaxBackgroundBandwidth DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat PercentageMaxBackgroundBandwidth LastWrite DOPercentageMaxDownloadBandwidth 0 text/plain phone DeliveryOptimization.admx PercentageMaxDownloadBandwidth DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat PercentageMaxDownloadBandwidth LastWrite DOPercentageMaxForegroundBandwidth 0 text/plain DeliveryOptimization.admx PercentageMaxForegroundBandwidth DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat PercentageMaxForegroundBandwidth LastWrite DORestrictPeerSelectionBy 0 text/plain DeliveryOptimization.admx RestrictPeerSelectionBy DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat RestrictPeerSelectionBy LastWrite DOSetHoursToLimitBackgroundDownloadBandwidth text/plain LastWrite ]]> DOSetHoursToLimitForegroundDownloadBandwidth text/plain LastWrite ]]> DeviceGuard ConfigureSystemGuardLaunch 0 Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch. text/plain phone DeviceGuard.admx SystemGuardDrop DeviceGuard~AT~System~DeviceGuardCategory VirtualizationBasedSecurity LowestValueMostSecureZeroHasNoLimits EnableVirtualizationBasedSecurity 0 Turns On Virtualization Based Security(VBS) text/plain phone DeviceGuard.admx DeviceGuard~AT~System~DeviceGuardCategory VirtualizationBasedSecurity HighestValueMostSecure LsaCfgFlags 0 Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock. text/plain phone DeviceGuard.admx CredentialIsolationDrop DeviceGuard~AT~System~DeviceGuardCategory VirtualizationBasedSecurity LowestValueMostSecureZeroHasNoLimits RequirePlatformSecurityFeatures 1 Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support. text/plain phone DeviceGuard.admx RequirePlatformSecurityFeaturesDrop DeviceGuard~AT~System~DeviceGuardCategory VirtualizationBasedSecurity HighestValueMostSecure DeviceHealthMonitoring AllowDeviceHealthMonitoring 0 Enable/disable 4Nines device health monitoring on devices. text/plain LastWrite ConfigDeviceHealthMonitoringScope If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which types of events are monitored. text/plain LastWrite ConfigDeviceHealthMonitoringUploadDestination If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which destinations are in-scope for monitored events to be uploaded. text/plain LastWrite DeviceInstallation AllowInstallationOfMatchingDeviceIDs text/plain phone deviceinstallation.admx DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category DeviceInstall_IDs_Allow LastWrite AllowInstallationOfMatchingDeviceSetupClasses text/plain phone deviceinstallation.admx DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category DeviceInstall_Classes_Allow LastWrite PreventDeviceMetadataFromNetwork text/plain phone DeviceSetup.admx DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category DeviceMetadata_PreventDeviceMetadataFromNetwork LastWrite PreventInstallationOfDevicesNotDescribedByOtherPolicySettings text/plain phone deviceinstallation.admx DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category DeviceInstall_Unspecified_Deny LastWrite PreventInstallationOfMatchingDeviceIDs text/plain phone deviceinstallation.admx DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category DeviceInstall_IDs_Deny LastWrite PreventInstallationOfMatchingDeviceSetupClasses text/plain phone deviceinstallation.admx DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category DeviceInstall_Classes_Deny LastWrite DeviceLock AllowIdleReturnWithoutPassword 1 Specifies whether the user must input a PIN or password when the device resumes from an idle state. text/plain desktop LowestValueMostSecure AllowScreenTimeoutWhileLockedUserConfig 0 Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. text/plain LastWrite AllowSimpleDevicePassword 1 Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords. text/plain LowestValueMostSecure AlphanumericDevicePasswordRequired 2 Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0 text/plain LowestValueMostSecure DevicePasswordEnabled 1 Specifies whether device lock is enabled. text/plain LowestValueMostSecure DevicePasswordExpiration 0 Specifies when the password expires (in days). text/plain LowestValueMostSecureZeroHasNoLimits DevicePasswordHistory 0 Specifies how many passwords can be stored in the history that can’t be used. text/plain HighestValueMostSecure EnforceLockScreenAndLogonImage text/plain phone LastWrite EnforceLockScreenProvider text/plain LastWrite MaxDevicePasswordFailedAttempts 0 text/plain LowestValueMostSecureZeroHasNoLimits MaxInactivityTimeDeviceLock 0 The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. text/plain LowestValueMostSecureZeroHasNoLimits MaxInactivityTimeDeviceLockWithExternalDisplay 0 Sets the maximum timeout value for the external display. text/plain desktop LowestValueMostSecure MinDevicePasswordComplexCharacters 1 The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. text/plain HighestValueMostSecure MinDevicePasswordLength 4 Specifies the minimum number or characters required in the PIN or password. text/plain HighestValueMostSecureZeroHasNoLimits MinimumPasswordAge 1 This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default. text/plain phone Windows Settings~Security Settings~Account Policies~Password Policy Minimum password age HighestValueMostSecure PreventEnablingLockScreenCamera text/plain phone ControlPanelDisplay.admx ControlPanelDisplay~AT~ControlPanel~Personalization CPL_Personalization_NoLockScreenCamera LastWrite PreventLockScreenSlideShow text/plain phone ControlPanelDisplay.admx ControlPanelDisplay~AT~ControlPanel~Personalization CPL_Personalization_NoLockScreenSlideshow LastWrite ScreenTimeoutWhileLocked 10 Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. text/plain LastWrite Display DisablePerProcessDpiForApps This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. text/plain phone Display.admx DisplayDisablePerProcessSystemDpiSettings Display~AT~System~DisplayCat DisplayPerProcessSystemDpiSettings LastWrite EnablePerProcessDpi Enable or disable Per-Process System DPI for all applications. text/plain phone Display.admx DisplayGlobalPerProcessSystemDpiSettings Display~AT~System~DisplayCat DisplayPerProcessSystemDpiSettings LowestValueMostSecure EnablePerProcessDpiForApps This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. text/plain phone Display.admx DisplayEnablePerProcessSystemDpiSettings Display~AT~System~DisplayCat DisplayPerProcessSystemDpiSettings LastWrite TurnOffGdiDPIScalingForApps This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. text/plain phone Display.admx DisplayTurnOffGdiDPIScalingPrompt Display~AT~System~DisplayCat DisplayTurnOffGdiDPIScaling LastWrite TurnOnGdiDPIScalingForApps This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. text/plain phone Display.admx DisplayTurnOnGdiDPIScalingPrompt Display~AT~System~DisplayCat DisplayTurnOnGdiDPIScaling LastWrite DmaGuard DeviceEnumerationPolicy 1 text/plain dmaguard.admx dmaguard~AT~System~DmaGuard DmaGuardEnumerationPolicy LowestValueMostSecure ErrorReporting CustomizeConsentSettings text/plain phone ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting WerConsentCustomize_2 LastWrite DisableWindowsErrorReporting text/plain phone ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting WerDisable_2 LastWrite DisplayErrorNotification text/plain phone ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting PCH_ShowUI LastWrite DoNotSendAdditionalData text/plain phone ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting WerNoSecondLevelData_2 LastWrite PreventCriticalErrorDisplay text/plain phone ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting WerDoNotShowUI LastWrite EventLogService ControlEventLogBehavior text/plain phone eventlog.admx EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Application Channel_Log_Retention_1 LastWrite SpecifyMaximumFileSizeApplicationLog text/plain phone eventlog.admx EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Application Channel_LogMaxSize_1 LastWrite SpecifyMaximumFileSizeSecurityLog text/plain phone eventlog.admx EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Security Channel_LogMaxSize_2 LastWrite SpecifyMaximumFileSizeSystemLog text/plain phone eventlog.admx EventLog~AT~WindowsComponents~EventLogCategory~EventLog_System Channel_LogMaxSize_4 LastWrite Experience AllowClipboardHistory 1 Allows history of clipboard items to be stored in memory. text/plain OSPolicy.admx OSPolicy~AT~System~PolicyPolicies AllowClipboardHistory LowestValueMostSecure AllowCopyPaste 1 text/plain desktop LowestValueMostSecure AllowCortana 1 text/plain Search.admx Search~AT~WindowsComponents~Search AllowCortana LowestValueMostSecure AllowDeviceDiscovery 1 text/plain LowestValueMostSecure AllowFindMyDevice 1 text/plain FindMy.admx FindMy~AT~WindowsComponents~FindMyDeviceCat FindMy_AllowFindMyDeviceConfig LowestValueMostSecure AllowManualMDMUnenrollment 1 text/plain LowestValueMostSecure AllowSaveAsOfOfficeFiles 1 text/plain LowestValueMostSecure AllowScreenCapture 1 text/plain LowestValueMostSecure AllowSharingOfOfficeFiles 1 text/plain LowestValueMostSecure AllowSIMErrorDialogPromptWhenNoSIM 1 text/plain HighestValueMostSecure AllowSyncMySettings 1 text/plain LowestValueMostSecure AllowTaskSwitcher 1 text/plain desktop LowestValueMostSecure AllowVoiceRecording 1 text/plain desktop LowestValueMostSecure AllowWindowsConsumerFeatures 1 text/plain phone CloudContent.admx CloudContent~AT~WindowsComponents~CloudContent DisableWindowsConsumerFeatures LowestValueMostSecure AllowWindowsTips 1 text/plain phone CloudContent.admx CloudContent~AT~WindowsComponents~CloudContent DisableSoftLanding LowestValueMostSecure DoNotShowFeedbackNotifications 0 text/plain FeedbackNotifications.admx FeedbackNotifications~AT~WindowsComponents~DataCollectionAndPreviewBuilds DoNotShowFeedbackNotifications HighestValueMostSecure DoNotSyncBrowserSettings 0 You can configure Microsoft Edge, when enabled, to prevent the "browser" group from using the Sync your Settings option to sync information, such as history and favorites, between user's devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. Related policy: PreventUsersFromTurningOnBrowserSyncing 0 (default) = allow syncing, 2 = disable syncing text/plain SettingSync.admx SettingSync~AT~WindowsComponents~SettingSync DisableWebBrowserSettingSync HighestValueMostSecure PreventUsersFromTurningOnBrowserSyncing 1 You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. Related policy: DoNotSyncBrowserSettings 1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing text/plain SettingSync.admx CheckBox_UserOverride SettingSync~AT~WindowsComponents~SettingSync DisableWebBrowserSettingSync HighestValueMostSecure ShowLockOnUserTile 1 Shows or hides lock from the user tile menu. If you enable this policy setting, the lock option will be shown in the User Tile menu. If you disable this policy setting, the lock option will never be shown in the User Tile menu. If you do not configure this policy setting, users will be able to choose whether they want lock to show through the Power Options Control Panel. text/plain WindowsExplorer.admx WindowsExplorer~AT~WindowsExplorer ShowLockOption HighestValueMostSecure ExploitGuard ExploitProtectionSettings text/plain ExploitGuard.admx ExploitProtection_Name ExploitGuard~AT~WindowsComponents~WindowsDefenderExploitGuard~ExploitProtection ExploitProtection_Name LastWrite FileExplorer TurnOffDataExecutionPreventionForExplorer text/plain phone Explorer.admx Explorer~AT~WindowsExplorer NoDataExecutionPrevention LastWrite TurnOffHeapTerminationOnCorruption text/plain phone Explorer.admx Explorer~AT~WindowsExplorer NoHeapTerminationOnCorruption LastWrite Games AllowAdvancedGamingServices 1 Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. text/plain LowestValueMostSecure Handwriting PanelDefaultModeDocked 0 Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen text/plain phone Handwriting.admx Handwriting~AT~WindowsComponents~Handwriting PanelDefaultModeDocked LowestValueMostSecure InternetExplorer AddSearchProvider text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer AddSearchProvider LastWrite AllowActiveXFiltering text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer TurnOnActiveXFiltering LastWrite AllowAddOnList text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement AddonManagement_AddOnList LastWrite AllowCertificateAddressMismatchWarning text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyWarnCertMismatch LastWrite AllowDeletingBrowsingHistoryOnExit text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory DBHDisableDeleteOnExit LastWrite AllowEnhancedProtectedMode text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_EnableEnhancedProtectedMode LastWrite AllowEnhancedSuggestionsInAddressBar text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer AllowServicePoweredQSA LastWrite AllowEnterpriseModeFromToolsMenu text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnterpriseModeEnable LastWrite AllowEnterpriseModeSiteList text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnterpriseModeSiteList LastWrite AllowFallbackToSSL3 text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures Advanced_EnableSSL3Fallback LastWrite AllowInternetExplorer7PolicyList text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_UsePolicyList LastWrite AllowInternetExplorerStandardsMode text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_IntranetSites LastWrite AllowInternetZoneTemplate text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyInternetZoneTemplate LastWrite AllowIntranetZoneTemplate text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyIntranetZoneTemplate LastWrite AllowLocalMachineZoneTemplate text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyLocalMachineZoneTemplate LastWrite AllowLockedDownInternetZoneTemplate text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyInternetZoneLockdownTemplate LastWrite AllowLockedDownIntranetZoneTemplate text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyIntranetZoneLockdownTemplate LastWrite AllowLockedDownLocalMachineZoneTemplate text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyLocalMachineZoneLockdownTemplate LastWrite AllowLockedDownRestrictedSitesZoneTemplate text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyRestrictedSitesZoneLockdownTemplate LastWrite AllowOneWordEntry text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetSettings~Advanced~Browsing UseIntranetSiteForOneWordEntry LastWrite AllowSiteToZoneAssignmentList text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_Zonemaps LastWrite AllowsLockedDownTrustedSitesZoneTemplate text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyTrustedSitesZoneLockdownTemplate LastWrite AllowSoftwareWhenSignatureIsInvalid text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_InvalidSignatureBlock LastWrite AllowsRestrictedSitesZoneTemplate text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyRestrictedSitesZoneTemplate LastWrite AllowSuggestedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnableSuggestedSites LastWrite AllowTrustedSitesZoneTemplate text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyTrustedSitesZoneTemplate LastWrite CheckServerCertificateRevocation text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_CertificateRevocation LastWrite CheckSignaturesOnDownloadedPrograms text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DownloadSignatures LastWrite ConsistentMimeHandlingInternetExplorerProcesses text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryConsistentMimeHandling IESF_PolicyExplorerProcesses_5 LastWrite DisableActiveXVersionListAutoDownload text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VersionListAutomaticDownloadDisable LastWrite DisableAdobeFlash text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement DisableFlashInIE LastWrite DisableBypassOfSmartScreenWarnings text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer DisableSafetyFilterOverride LastWrite DisableBypassOfSmartScreenWarningsAboutUncommonFiles text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer DisableSafetyFilterOverrideForAppRepUnknown LastWrite DisableCompatView text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_DisableList LastWrite DisableConfiguringHistory text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory RestrictHistory LastWrite DisableCrashDetection text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer AddonManagement_RestrictCrashDetection LastWrite DisableCustomerExperienceImprovementProgramParticipation text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer SQM_DisableCEIP LastWrite DisableDeletingUserVisitedWebsites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory DBHDisableDeleteHistory LastWrite DisableEnclosureDownloading text/plain phone inetres.admx inetres~AT~WindowsComponents~RSS_Feeds Disable_Downloading_of_Enclosures LastWrite DisableEncryptionSupport text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_SetWinInetProtocols LastWrite DisableFeedsBackgroundSync text/plain phone inetres.admx inetres~AT~WindowsComponents~RSS_Feeds Disable_Background_Syncing LastWrite DisableFirstRunWizard text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer NoFirstRunCustomise LastWrite DisableFlipAheadFeature text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DisableFlipAhead LastWrite DisableGeolocation text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer GeolocationDisable LastWrite DisableIgnoringCertificateErrors text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL NoCertError LastWrite DisableInPrivateBrowsing text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryPrivacy DisableInPrivateBrowsing LastWrite DisableProcessesInEnhancedProtectedMode text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_EnableEnhancedProtectedMode64Bit LastWrite DisableProxyChange text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer RestrictProxy LastWrite DisableSearchProviderChange text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer NoSearchProvider LastWrite DisableSecondaryHomePageChange text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer SecondaryHomePages LastWrite DisableSecuritySettingsCheck text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer Disable_Security_Settings_Check LastWrite DisableUpdateCheck text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer NoUpdateCheck LastWrite DisableWebAddressAutoComplete text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer RestrictWebAddressSuggest LastWrite DoNotAllowActiveXControlsInProtectedMode text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DisableEPMCompat LastWrite DoNotAllowUsersToAddSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer Security_zones_map_edit LastWrite DoNotAllowUsersToChangePolicies text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer Security_options_edit LastWrite DoNotBlockOutdatedActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisable LastWrite DoNotBlockOutdatedActiveXControlsOnSpecificDomains text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDomainAllowlist LastWrite IncludeAllLocalSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_IncludeUnspecifiedLocalSites LastWrite IncludeAllNetworkPaths text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_UNCAsIntranet LastWrite InternetZoneAllowAccessToDataSources text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAccessDataSourcesAcrossDomains_1 LastWrite InternetZoneAllowAutomaticPromptingForActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNotificationBarActiveXURLaction_1 LastWrite InternetZoneAllowAutomaticPromptingForFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNotificationBarDownloadURLaction_1 LastWrite InternetZoneAllowCopyPasteViaScript text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAllowPasteViaScript_1 LastWrite InternetZoneAllowDragAndDropCopyAndPasteFiles text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDropOrPasteFiles_1 LastWrite InternetZoneAllowFontDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyFontDownload_1 LastWrite InternetZoneAllowLessPrivilegedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyZoneElevationURLaction_1 LastWrite InternetZoneAllowLoadingOfXAMLFiles text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_XAML_1 LastWrite InternetZoneAllowNETFrameworkReliantComponents text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_1 LastWrite InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet LastWrite InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAllowTDCControl_Both_Internet LastWrite InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_WebBrowserControl_1 LastWrite InternetZoneAllowScriptInitiatedWindows text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyWindowsRestrictionsURLaction_1 LastWrite InternetZoneAllowScriptlets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_AllowScriptlets_1 LastWrite InternetZoneAllowSmartScreenIE text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_Phishing_1 LastWrite InternetZoneAllowUpdatesToStatusBarViaScript text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_ScriptStatusBar_1 LastWrite InternetZoneAllowUserDataPersistence text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUserdataPersistence_1 LastWrite InternetZoneAllowVBScriptToRunInInternetExplorer text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAllowVBScript_1 LastWrite InternetZoneDoNotRunAntimalwareAgainstActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 LastWrite InternetZoneDownloadSignedActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDownloadSignedActiveX_1 LastWrite InternetZoneDownloadUnsignedActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDownloadUnsignedActiveX_1 LastWrite InternetZoneEnableCrossSiteScriptingFilter text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyTurnOnXSSFilter_Both_Internet LastWrite InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet LastWrite InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet LastWrite InternetZoneEnableMIMESniffing text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyMimeSniffingURLaction_1 LastWrite InternetZoneEnableProtectedMode text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_TurnOnProtectedMode_1 LastWrite InternetZoneIncludeLocalPathWhenUploadingFilesToServer text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_LocalPathForUpload_1 LastWrite InternetZoneInitializeAndScriptActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyScriptActiveXNotMarkedSafe_1 LastWrite InternetZoneJavaPermissions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyJavaPermissions_1 LastWrite InternetZoneLaunchingApplicationsAndFilesInIFRAME text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyLaunchAppsAndFilesInIFRAME_1 LastWrite InternetZoneLogonOptions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyLogon_1 LastWrite InternetZoneNavigateWindowsAndFrames text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNavigateSubframesAcrossDomains_1 LastWrite InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicySignedFrameworkComponentsURLaction_1 LastWrite InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_UnsafeFiles_1 LastWrite InternetZoneUsePopupBlocker text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyBlockPopupWindows_1 LastWrite IntranetZoneAllowAccessToDataSources text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyAccessDataSourcesAcrossDomains_3 LastWrite IntranetZoneAllowAutomaticPromptingForActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNotificationBarActiveXURLaction_3 LastWrite IntranetZoneAllowAutomaticPromptingForFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNotificationBarDownloadURLaction_3 LastWrite IntranetZoneAllowFontDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyFontDownload_3 LastWrite IntranetZoneAllowLessPrivilegedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyZoneElevationURLaction_3 LastWrite IntranetZoneAllowNETFrameworkReliantComponents text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_3 LastWrite IntranetZoneAllowScriptlets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_Policy_AllowScriptlets_3 LastWrite IntranetZoneAllowSmartScreenIE text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_Policy_Phishing_3 LastWrite IntranetZoneAllowUserDataPersistence text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyUserdataPersistence_3 LastWrite IntranetZoneDoNotRunAntimalwareAgainstActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 LastWrite IntranetZoneInitializeAndScriptActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyScriptActiveXNotMarkedSafe_3 LastWrite IntranetZoneJavaPermissions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyJavaPermissions_3 LastWrite IntranetZoneNavigateWindowsAndFrames text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNavigateSubframesAcrossDomains_3 LastWrite LocalMachineZoneAllowAccessToDataSources text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyAccessDataSourcesAcrossDomains_9 LastWrite LocalMachineZoneAllowAutomaticPromptingForActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNotificationBarActiveXURLaction_9 LastWrite LocalMachineZoneAllowAutomaticPromptingForFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNotificationBarDownloadURLaction_9 LastWrite LocalMachineZoneAllowFontDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyFontDownload_9 LastWrite LocalMachineZoneAllowLessPrivilegedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyZoneElevationURLaction_9 LastWrite LocalMachineZoneAllowNETFrameworkReliantComponents text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyUnsignedFrameworkComponentsURLaction_9 LastWrite LocalMachineZoneAllowScriptlets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_Policy_AllowScriptlets_9 LastWrite LocalMachineZoneAllowSmartScreenIE text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_Policy_Phishing_9 LastWrite LocalMachineZoneAllowUserDataPersistence text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyUserdataPersistence_9 LastWrite LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 LastWrite LocalMachineZoneInitializeAndScriptActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyScriptActiveXNotMarkedSafe_9 LastWrite LocalMachineZoneJavaPermissions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyJavaPermissions_9 LastWrite LocalMachineZoneNavigateWindowsAndFrames text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNavigateSubframesAcrossDomains_9 LastWrite LockedDownInternetZoneAllowAccessToDataSources text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_2 LastWrite LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_2 LastWrite LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_2 LastWrite LockedDownInternetZoneAllowFontDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyFontDownload_2 LastWrite LockedDownInternetZoneAllowLessPrivilegedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyZoneElevationURLaction_2 LastWrite LockedDownInternetZoneAllowNETFrameworkReliantComponents text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_2 LastWrite LockedDownInternetZoneAllowScriptlets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_Policy_AllowScriptlets_2 LastWrite LockedDownInternetZoneAllowSmartScreenIE text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_Policy_Phishing_2 LastWrite LockedDownInternetZoneAllowUserDataPersistence text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyUserdataPersistence_2 LastWrite LockedDownInternetZoneInitializeAndScriptActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_2 LastWrite LockedDownInternetZoneJavaPermissions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyJavaPermissions_2 LastWrite LockedDownInternetZoneNavigateWindowsAndFrames text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_2 LastWrite LockedDownIntranetJavaPermissions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyJavaPermissions_4 LastWrite LockedDownIntranetZoneAllowAccessToDataSources text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_4 LastWrite LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_4 LastWrite LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_4 LastWrite LockedDownIntranetZoneAllowFontDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyFontDownload_4 LastWrite LockedDownIntranetZoneAllowLessPrivilegedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyZoneElevationURLaction_4 LastWrite LockedDownIntranetZoneAllowNETFrameworkReliantComponents text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_4 LastWrite LockedDownIntranetZoneAllowScriptlets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_Policy_AllowScriptlets_4 LastWrite LockedDownIntranetZoneAllowSmartScreenIE text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_Policy_Phishing_4 LastWrite LockedDownIntranetZoneAllowUserDataPersistence text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyUserdataPersistence_4 LastWrite LockedDownIntranetZoneInitializeAndScriptActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_4 LastWrite LockedDownIntranetZoneNavigateWindowsAndFrames text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_4 LastWrite LockedDownLocalMachineZoneAllowAccessToDataSources text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_10 LastWrite LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_10 LastWrite LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_10 LastWrite LockedDownLocalMachineZoneAllowFontDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyFontDownload_10 LastWrite LockedDownLocalMachineZoneAllowLessPrivilegedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyZoneElevationURLaction_10 LastWrite LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_10 LastWrite LockedDownLocalMachineZoneAllowScriptlets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_Policy_AllowScriptlets_10 LastWrite LockedDownLocalMachineZoneAllowSmartScreenIE text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_Policy_Phishing_10 LastWrite LockedDownLocalMachineZoneAllowUserDataPersistence text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyUserdataPersistence_10 LastWrite LockedDownLocalMachineZoneInitializeAndScriptActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_10 LastWrite LockedDownLocalMachineZoneJavaPermissions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyJavaPermissions_10 LastWrite LockedDownLocalMachineZoneNavigateWindowsAndFrames text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_10 LastWrite LockedDownRestrictedSitesZoneAllowAccessToDataSources text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_8 LastWrite LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_8 LastWrite LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_8 LastWrite LockedDownRestrictedSitesZoneAllowFontDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyFontDownload_8 LastWrite LockedDownRestrictedSitesZoneAllowLessPrivilegedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyZoneElevationURLaction_8 LastWrite LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_8 LastWrite LockedDownRestrictedSitesZoneAllowScriptlets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_Policy_AllowScriptlets_8 LastWrite LockedDownRestrictedSitesZoneAllowSmartScreenIE text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_Policy_Phishing_8 LastWrite LockedDownRestrictedSitesZoneAllowUserDataPersistence text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyUserdataPersistence_8 LastWrite LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_8 LastWrite LockedDownRestrictedSitesZoneJavaPermissions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyJavaPermissions_8 LastWrite LockedDownRestrictedSitesZoneNavigateWindowsAndFrames text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_8 LastWrite LockedDownTrustedSitesZoneAllowAccessToDataSources text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_6 LastWrite LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_6 LastWrite LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_6 LastWrite LockedDownTrustedSitesZoneAllowFontDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyFontDownload_6 LastWrite LockedDownTrustedSitesZoneAllowLessPrivilegedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyZoneElevationURLaction_6 LastWrite LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_6 LastWrite LockedDownTrustedSitesZoneAllowScriptlets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_Policy_AllowScriptlets_6 LastWrite LockedDownTrustedSitesZoneAllowSmartScreenIE text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_Policy_Phishing_6 LastWrite LockedDownTrustedSitesZoneAllowUserDataPersistence text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyUserdataPersistence_6 LastWrite LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_6 LastWrite LockedDownTrustedSitesZoneJavaPermissions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyJavaPermissions_6 LastWrite LockedDownTrustedSitesZoneNavigateWindowsAndFrames text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_6 LastWrite MimeSniffingSafetyFeatureInternetExplorerProcesses text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMimeSniffingSafetyFeature IESF_PolicyExplorerProcesses_6 LastWrite MKProtocolSecurityRestrictionInternetExplorerProcesses text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMKProtocolSecurityRestriction IESF_PolicyExplorerProcesses_3 LastWrite NewTabDefaultPage text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer NewTabAction LastWrite NotificationBarInternetExplorerProcesses text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryInformationBar IESF_PolicyExplorerProcesses_10 LastWrite PreventManagingSmartScreenFilter text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer Disable_Managing_Safety_Filter_IE9 LastWrite PreventPerUserInstallationOfActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer DisablePerUserActiveXInstall LastWrite ProtectionFromZoneElevationInternetExplorerProcesses text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation IESF_PolicyExplorerProcesses_9 LastWrite RemoveRunThisTimeButtonForOutdatedActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisableRunThisTime LastWrite RestrictActiveXInstallInternetExplorerProcesses text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall IESF_PolicyExplorerProcesses_11 LastWrite RestrictedSitesZoneAllowAccessToDataSources text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAccessDataSourcesAcrossDomains_7 LastWrite RestrictedSitesZoneAllowActiveScripting text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyActiveScripting_7 LastWrite RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNotificationBarActiveXURLaction_7 LastWrite RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNotificationBarDownloadURLaction_7 LastWrite RestrictedSitesZoneAllowBinaryAndScriptBehaviors text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyBinaryBehaviors_7 LastWrite RestrictedSitesZoneAllowCopyPasteViaScript text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAllowPasteViaScript_7 LastWrite RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDropOrPasteFiles_7 LastWrite RestrictedSitesZoneAllowFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyFileDownload_7 LastWrite RestrictedSitesZoneAllowFontDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyFontDownload_7 LastWrite RestrictedSitesZoneAllowLessPrivilegedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyZoneElevationURLaction_7 LastWrite RestrictedSitesZoneAllowLoadingOfXAMLFiles text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_XAML_7 LastWrite RestrictedSitesZoneAllowMETAREFRESH text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAllowMETAREFRESH_7 LastWrite RestrictedSitesZoneAllowNETFrameworkReliantComponents text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyUnsignedFrameworkComponentsURLaction_7 LastWrite RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted LastWrite RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAllowTDCControl_Both_Restricted LastWrite RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_WebBrowserControl_7 LastWrite RestrictedSitesZoneAllowScriptInitiatedWindows text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyWindowsRestrictionsURLaction_7 LastWrite RestrictedSitesZoneAllowScriptlets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_AllowScriptlets_7 LastWrite RestrictedSitesZoneAllowSmartScreenIE text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_Phishing_7 LastWrite RestrictedSitesZoneAllowUpdatesToStatusBarViaScript text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_ScriptStatusBar_7 LastWrite RestrictedSitesZoneAllowUserDataPersistence text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyUserdataPersistence_7 LastWrite RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAllowVBScript_7 LastWrite RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 LastWrite RestrictedSitesZoneDownloadSignedActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDownloadSignedActiveX_7 LastWrite RestrictedSitesZoneDownloadUnsignedActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDownloadUnsignedActiveX_7 LastWrite RestrictedSitesZoneEnableCrossSiteScriptingFilter text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyTurnOnXSSFilter_Both_Restricted LastWrite RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted LastWrite RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted LastWrite RestrictedSitesZoneEnableMIMESniffing text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyMimeSniffingURLaction_7 LastWrite RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_LocalPathForUpload_7 LastWrite RestrictedSitesZoneInitializeAndScriptActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyScriptActiveXNotMarkedSafe_7 LastWrite RestrictedSitesZoneJavaPermissions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyJavaPermissions_7 LastWrite RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyLaunchAppsAndFilesInIFRAME_7 LastWrite RestrictedSitesZoneLogonOptions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyLogon_7 LastWrite RestrictedSitesZoneNavigateWindowsAndFrames text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNavigateSubframesAcrossDomains_7 LastWrite RestrictedSitesZoneRunActiveXControlsAndPlugins text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyRunActiveXControls_7 LastWrite RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicySignedFrameworkComponentsURLaction_7 LastWrite RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyScriptActiveXMarkedSafe_7 LastWrite RestrictedSitesZoneScriptingOfJavaApplets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyScriptingOfJavaApplets_7 LastWrite RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_UnsafeFiles_7 LastWrite RestrictedSitesZoneTurnOnProtectedMode text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_TurnOnProtectedMode_7 LastWrite RestrictedSitesZoneUsePopupBlocker text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyBlockPopupWindows_7 LastWrite RestrictFileDownloadInternetExplorerProcesses text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload IESF_PolicyExplorerProcesses_12 LastWrite ScriptedWindowSecurityRestrictionsInternetExplorerProcesses text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions IESF_PolicyExplorerProcesses_8 LastWrite SearchProviderList text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer SpecificSearchProvider LastWrite SecurityZonesUseOnlyMachineSettings text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer Security_HKLM_only LastWrite SpecifyUseOfActiveXInstallerService text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer OnlyUseAXISForActiveXInstall LastWrite TrustedSitesZoneAllowAccessToDataSources text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyAccessDataSourcesAcrossDomains_5 LastWrite TrustedSitesZoneAllowAutomaticPromptingForActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNotificationBarActiveXURLaction_5 LastWrite TrustedSitesZoneAllowAutomaticPromptingForFileDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNotificationBarDownloadURLaction_5 LastWrite TrustedSitesZoneAllowFontDownloads text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyFontDownload_5 LastWrite TrustedSitesZoneAllowLessPrivilegedSites text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyZoneElevationURLaction_5 LastWrite TrustedSitesZoneAllowNETFrameworkReliantComponents text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyUnsignedFrameworkComponentsURLaction_5 LastWrite TrustedSitesZoneAllowScriptlets text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_Policy_AllowScriptlets_5 LastWrite TrustedSitesZoneAllowSmartScreenIE text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_Policy_Phishing_5 LastWrite TrustedSitesZoneAllowUserDataPersistence text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyUserdataPersistence_5 LastWrite TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 LastWrite TrustedSitesZoneInitializeAndScriptActiveXControls text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyScriptActiveXNotMarkedSafe_5 LastWrite TrustedSitesZoneJavaPermissions text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyJavaPermissions_5 LastWrite TrustedSitesZoneNavigateWindowsAndFrames text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNavigateSubframesAcrossDomains_5 LastWrite Kerberos AllowForestSearchOrder text/plain phone Kerberos.admx Kerberos~AT~System~kerberos ForestSearch LastWrite KerberosClientSupportsClaimsCompoundArmor text/plain phone Kerberos.admx Kerberos~AT~System~kerberos EnableCbacAndArmor LastWrite RequireKerberosArmoring text/plain phone Kerberos.admx Kerberos~AT~System~kerberos ClientRequireFast LastWrite RequireStrictKDCValidation text/plain phone Kerberos.admx Kerberos~AT~System~kerberos ValidateKDC LastWrite SetMaximumContextTokenSize text/plain phone Kerberos.admx Kerberos~AT~System~kerberos MaxTokenSize LastWrite UPNNameHints Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. text/plain phone LastWrite 0xF000 KioskBrowser BlockedUrlExceptions List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. text/plain phone LastWrite BlockedUrls List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. text/plain phone LastWrite DefaultURL Configures the default URL kiosk browsers to navigate on launch and restart. text/plain phone LastWrite EnableEndSessionButton 0 Enable/disable kiosk browser's end session button. text/plain phone LastWrite EnableHomeButton 0 Enable/disable kiosk browser's home button. text/plain phone LastWrite EnableNavigationButtons 0 Enable/disable kiosk browser's navigation buttons (forward/back). text/plain phone LastWrite RestartOnIdleTime 0 Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. text/plain phone LastWrite LanmanWorkstation EnableInsecureGuestLogons 0 text/plain LanmanWorkstation.admx LanmanWorkstation~AT~Network~Cat_LanmanWorkstation Pol_EnableInsecureGuestLogons LowestValueMostSecure Licensing AllowWindowsEntitlementReactivation 1 text/plain phone AVSValidationGP.admx AVSValidationGP~AT~WindowsComponents~SoftwareProtectionPlatform AllowWindowsEntitlementReactivation LowestValueMostSecure DisallowKMSClientOnlineAVSValidation 0 text/plain phone AVSValidationGP.admx AVSValidationGP~AT~WindowsComponents~SoftwareProtectionPlatform NoAcquireGT LowestValueMostSecure LocalPoliciesSecurityOptions Accounts_BlockMicrosoftAccounts 0 This policy setting prevents users from adding new Microsoft accounts on this computer. If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Accounts: Block Microsoft accounts LastWrite Accounts_EnableAdministratorAccountStatus 0 This security setting determines whether the local Administrator account is enabled or disabled. Notes If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. Disabling the Administrator account can become a maintenance issue under certain circumstances. Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. Default: Disabled. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Accounts: Administrator account status LastWrite Accounts_EnableGuestAccountStatus 0 This security setting determines if the Guest account is enabled or disabled. Default: Disabled. Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Accounts: Guest account status LastWrite Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly 1 Accounts: Limit local account use of blank passwords to console logon only This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. Default: Enabled. Warning: Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. Notes This setting does not affect logons that use domain accounts. It is possible for applications that use remote interactive logons to bypass this setting. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Accounts: Limit local account use of blank passwords to console logon only LastWrite Accounts_RenameAdministratorAccount Administrator Accounts: Rename administrator account This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. Default: Administrator. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Accounts: Rename administrator account LastWrite Accounts_RenameGuestAccount Guest Accounts: Rename guest account This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. Default: Guest. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Accounts: Rename guest account LastWrite Devices_AllowedToFormatAndEjectRemovableMedia 0 Devices: Allowed to format and eject removable media This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators Administrators and Interactive Users Default: This policy is not defined and only Administrators have this ability. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Devices: Allowed to format and eject removable media LastWrite Devices_AllowUndockWithoutHavingToLogon 1 Devices: Allow undock without having to log on This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. Default: Enabled. Caution Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Devices: Allow undock without having to log on LastWrite Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters 0 Devices: Prevent users from installing printer drivers when connecting to shared printers For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. Default on servers: Enabled. Default on workstations: Disabled Notes This setting does not affect the ability to add a local printer. This setting does not affect Administrators. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Devices: Prevent users from installing printer drivers LastWrite Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly 0 Devices: Restrict CD-ROM access to locally logged-on user only This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Devices: Restrict CD-ROM access to locally logged-on user only LastWrite InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked 1 Interactive Logon:Display user information when the session is locked User display name, domain and user names (1) User display name only (2) Do not display user information (3) Domain and user names only (4) text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Interactive logon: Display user information when the session is locked LastWrite InteractiveLogon_DoNotDisplayLastSignedIn 0 Interactive logon: Don't display last signed-in This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. If this policy is enabled, the username will not be shown. If this policy is disabled, the username will be shown. Default: Disabled. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Interactive logon: Don't display last signed-in LastWrite InteractiveLogon_DoNotDisplayUsernameAtSignIn 1 Interactive logon: Don't display username at sign-in This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. If this policy is enabled, the username will not be shown. If this policy is disabled, the username will be shown. Default: Disabled. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Interactive logon: Don't display username at sign-in LastWrite InteractiveLogon_DoNotRequireCTRLALTDEL 1 Interactive logon: Do not require CTRL+ALT+DEL This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. Default on stand-alone computers: Enabled. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Interactive logon: Do not require CTRL+ALT+DEL LastWrite InteractiveLogon_MachineInactivityLimit 0 Interactive logon: Machine inactivity limit. Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Default: not enforced. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Interactive logon: Machine inactivity limit LastWrite InteractiveLogon_MessageTextForUsersAttemptingToLogOn Interactive logon: Message text for users attempting to log on This security setting specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. Default: No message. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Interactive logon: Message text for users attempting to log on LastWrite 0xF000 InteractiveLogon_MessageTitleForUsersAttemptingToLogOn Interactive logon: Message title for users attempting to log on This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. Default: No message. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Interactive logon: Message title for users attempting to log on LastWrite InteractiveLogon_SmartCardRemovalBehavior 0 Interactive logon: Smart card removal behavior This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are: No Action Lock Workstation Force Logoff Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default: This policy is not defined, which means that the system treats it as No action. On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Interactive logon: Smart card removal behavior LastWrite MicrosoftNetworkClient_DigitallySignCommunicationsAlways 0 Microsoft network client: Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. Default: Disabled. Important For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Microsoft network client: Digitally sign communications (always) LastWrite MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees 1 Microsoft network client: Digitally sign communications (if server agrees) This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default: Enabled. Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Microsoft network client: Digitally sign communications (if server agrees) LastWrite MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers 0 Microsoft network client: Send unencrypted password to connect to third-party SMB servers If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk. Default: Disabled. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Microsoft network client: Send unencrypted password to third-party SMB servers LastWrite MicrosoftNetworkServer_DigitallySignCommunicationsAlways 0 Microsoft network server: Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. Default: Disabled for member servers. Enabled for domain controllers. Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. Important For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: Microsoft network server: Digitally sign communications (if server agrees) For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Microsoft network server: Digitally sign communications (always) LastWrite MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees 0 Microsoft network server: Digitally sign communications (if client agrees) This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default: Enabled on domain controllers only. Important For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Microsoft network server: Digitally sign communications (if client agrees) LastWrite NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts 1 Network access: Do not allow anonymous enumeration of SAM accounts This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows: Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. Disabled: No additional restrictions. Rely on default permissions. Default on workstations: Enabled. Default on server:Enabled. Important This policy has no impact on domain controllers. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Network access: Do not allow anonymous enumeration of SAM accounts LastWrite NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares 0 Network access: Do not allow anonymous enumeration of SAM accounts and shares This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. Default: Disabled. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Network access: Do not allow anonymous enumeration of SAM accounts and shares LastWrite NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares 1 Network access: Restrict anonymous access to Named Pipes and Shares When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: Network access: Named pipes that can be accessed anonymously Network access: Shares that can be accessed anonymously Default: Enabled. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Network access: Restrict anonymous access to Named Pipes and Shares LastWrite NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM Network access: Restrict clients allowed to make remote calls to SAM This policy setting allows you to restrict remote rpc connections to SAM. If not selected, the default security descriptor will be used. This policy is supported on at least Windows Server 2016. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Network access: Restrict clients allowed to make remote calls to SAM LastWrite NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM 1 Network security: Allow Local System to use computer identity for NTLM This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. By default, this policy is enabled on Windows 7 and above. By default, this policy is disabled on Windows Vista. This policy is supported on at least Windows Vista or Windows Server 2008. Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Network security: Allow Local System to use computer identity for NTLM LastWrite NetworkSecurity_AllowPKU2UAuthenticationRequests 1 Network security: Allow PKU2U authentication requests to this computer to use online identities. This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Network security: Allow PKU2U authentication requests to this computer to use online identities. LastWrite NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange 1 Network security: Do not store LAN Manager hash value on next password change This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. Default on Windows Vista and above: Enabled Default on Windows XP: Disabled. Important Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Network security: Do not store LAN Manager hash value on next password change LastWrite NetworkSecurity_LANManagerAuthenticationLevel 3 Network security LAN Manager authentication level This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). Important This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. Default: Windows 2000 and windows XP: send LM and NTLM responses Windows Server 2003: Send NTLM response only Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Network security: LAN Manager authentication level HighestValueMostSecure NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients 536870912 Network security: Minimum session security for NTLM SSP based (including secure RPC) clients This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated. Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. Default: Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. Windows 7 and Windows Server 2008 R2: Require 128-bit encryption text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Network security: Minimum session security for NTLM SSP based (including secure RPC) clients HighestValueMostSecure NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers 536870912 Network security: Minimum session security for NTLM SSP based (including secure RPC) servers This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: Require NTLMv2 session security: The connection will fail if message integrity is not negotiated. Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated. Default: Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. Windows 7 and Windows Server 2008 R2: Require 128-bit encryption text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Network security: Minimum session security for NTLM SSP based (including secure RPC) servers HighestValueMostSecure NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. If you do not configure this policy setting, no exceptions will be applied. The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication LastWrite NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic 0 Network security: Restrict NTLM: Audit Incoming NTLM Traffic This policy setting allows you to audit incoming NTLM traffic. If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Network security: Restrict NTLM: Audit Incoming NTLM Traffic HighestValueMostSecure NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic 0 Network security: Restrict NTLM: Incoming NTLM traffic This policy setting allows you to deny or allow incoming NTLM traffic. If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Network security: Restrict NTLM: Incoming NTLM traffic HighestValueMostSecure NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers 0 Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers HighestValueMostSecure Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn 1 Shutdown: Allow system to be shut down without having to log on This security setting determines whether a computer can be shut down without having to log on to Windows. When this policy is enabled, the Shut Down command is available on the Windows logon screen. When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. Default on workstations: Enabled. Default on servers: Disabled. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Shutdown: Allow system to be shut down without having to log on LastWrite Shutdown_ClearVirtualMemoryPageFile 0 Shutdown: Clear virtual memory pagefile This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile. When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. Default: Disabled. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options Shutdown: Clear virtual memory pagefile LastWrite UserAccountControl_AllowUIAccessApplicationsToPromptForElevation 0 User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. • Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. • Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop LastWrite UserAccountControl_BehaviorOfTheElevationPromptForAdministrators 5 User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode This policy setting controls the behavior of the elevation prompt for administrators. The options are: • Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. • Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. • Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. • Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode LastWrite UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers 3 User Account Control: Behavior of the elevation prompt for standard users This policy setting controls the behavior of the elevation prompt for standard users. The options are: • Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. • Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. • Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options User Account Control: Behavior of the elevation prompt for standard users LastWrite UserAccountControl_DetectApplicationInstallationsAndPromptForElevation 1 User Account Control: Detect application installations and prompt for elevation This policy setting controls the behavior of application installation detection for the computer. The options are: Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options User Account Control: Detect application installations and prompt for elevation LastWrite UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated 0 User Account Control: Only elevate executable files that are signed and validated This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. The options are: • Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. • Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options User Account Control: Only elevate executables that are signed and validated LastWrite UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations 1 User Account Control: Only elevate UIAccess applications that are installed in secure locations This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\Program Files\, including subfolders - …\Windows\system32\ - …\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: • Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. • Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options User Account Control: Only elevate UIAccess applications that are installed in secure locations LastWrite UserAccountControl_RunAllAdministratorsInAdminApprovalMode 1 User Account Control: Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: • Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. • Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options User Account Control: Run all administrators in Admin Approval Mode LastWrite UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation 1 User Account Control: Switch to the secure desktop when prompting for elevation This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: • Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. • Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options User Account Control: Switch to the secure desktop when prompting for elevation LastWrite UserAccountControl_UseAdminApprovalMode 0 User Account Control: Use Admin Approval Mode for the built-in Administrator account This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: • Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. • Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options User Account Control: Admin Approval Mode for the Built-in Administrator account LastWrite UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations 1 User Account Control: Virtualize file and registry write failures to per-user locations This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. The options are: • Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. • Disabled: Applications that write data to protected locations fail. text/plain phone Windows Settings~Security Settings~Local Policies~Security Options User Account Control: Virtualize file and registry write failures to per-user locations LastWrite LockDown AllowEdgeSwipe 1 text/plain phone EdgeUI.admx EdgeUI~AT~WindowsComponents~EdgeUI AllowEdgeSwipe LowestValueMostSecure Maps AllowOfflineMapsDownloadOverMeteredConnection 65535 text/plain LastWrite EnableOfflineMapsAutoUpdate 65535 text/plain WinMaps.admx WinMaps~AT~WindowsComponents~Maps TurnOffAutoUpdate LastWrite Messaging AllowMessageSync 1 This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. text/plain messaging.admx messaging~AT~WindowsComponents~Messaging_Category AllowMessageSync LowestValueMostSecure AllowMMS 1 This policy setting allows you to enable or disable the sending and receiving cellular MMS messages. text/plain desktop LowestValueMostSecure AllowRCS 1 This policy setting allows you to enable or disable the sending and receiving of cellular RCS (Rich Communication Services) messages. text/plain desktop LowestValueMostSecure MSSecurityGuide ApplyUACRestrictionsToLocalAccountsOnNetworkLogon text/plain phone SecGuide.admx SecGuide~AT~Cat_SecGuide Pol_SecGuide_0201_LATFP LastWrite ConfigureSMBV1ClientDriver text/plain phone SecGuide.admx SecGuide~AT~Cat_SecGuide Pol_SecGuide_0002_SMBv1_ClientDriver LastWrite ConfigureSMBV1Server text/plain phone SecGuide.admx SecGuide~AT~Cat_SecGuide Pol_SecGuide_0001_SMBv1_Server LastWrite EnableStructuredExceptionHandlingOverwriteProtection text/plain phone SecGuide.admx SecGuide~AT~Cat_SecGuide Pol_SecGuide_0102_SEHOP LastWrite TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications text/plain phone SecGuide.admx SecGuide~AT~Cat_SecGuide Pol_SecGuide_0101_WDPUA LastWrite WDigestAuthentication text/plain phone SecGuide.admx SecGuide~AT~Cat_SecGuide Pol_SecGuide_0202_WDigestAuthn LastWrite MSSLegacy AllowICMPRedirectsToOverrideOSPFGeneratedRoutes text/plain phone mss-legacy.admx Mss-legacy~AT~Cat_MSS Pol_MSS_EnableICMPRedirect LastWrite AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers text/plain phone mss-legacy.admx Mss-legacy~AT~Cat_MSS Pol_MSS_NoNameReleaseOnDemand LastWrite IPSourceRoutingProtectionLevel text/plain phone mss-legacy.admx Mss-legacy~AT~Cat_MSS Pol_MSS_DisableIPSourceRouting LastWrite IPv6SourceRoutingProtectionLevel text/plain phone mss-legacy.admx Mss-legacy~AT~Cat_MSS Pol_MSS_DisableIPSourceRoutingIPv6 LastWrite NetworkIsolation EnterpriseCloudResources text/plain NetworkIsolation.admx WF_NetIsolation_EnterpriseCloudResourcesBox NetworkIsolation~AT~Network~WF_Isolation WF_NetIsolation_EnterpriseCloudResources LastWrite EnterpriseInternalProxyServers text/plain NetworkIsolation.admx WF_NetIsolation_Intranet_ProxiesBox NetworkIsolation~AT~Network~WF_Isolation WF_NetIsolation_Intranet_Proxies LastWrite EnterpriseIPRange text/plain NetworkIsolation.admx WF_NetIsolation_PrivateSubnetBox NetworkIsolation~AT~Network~WF_Isolation WF_NetIsolation_PrivateSubnet LastWrite EnterpriseIPRangesAreAuthoritative 0 text/plain NetworkIsolation.admx NetworkIsolation~AT~Network~WF_Isolation WF_NetIsolation_Authoritative_Subnet LastWrite EnterpriseNetworkDomainNames text/plain LastWrite EnterpriseProxyServers text/plain NetworkIsolation.admx WF_NetIsolation_Domain_ProxiesBox NetworkIsolation~AT~Network~WF_Isolation WF_NetIsolation_Domain_Proxies LastWrite EnterpriseProxyServersAreAuthoritative 0 text/plain NetworkIsolation.admx NetworkIsolation~AT~Network~WF_Isolation WF_NetIsolation_Authoritative_Proxies LastWrite NeutralResources text/plain NetworkIsolation.admx WF_NetIsolation_NeutralResourcesBox NetworkIsolation~AT~Network~WF_Isolation WF_NetIsolation_NeutralResources LastWrite Notifications DisallowCloudNotification 0 text/plain WPN.admx WPN~AT~StartMenu~NotificationsCategory NoCloudNotification LowestValueMostSecure Power AllowStandbyStatesWhenSleepingOnBattery text/plain phone power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat AllowStandbyStatesDC_2 LastWrite AllowStandbyWhenSleepingPluggedIn text/plain phone power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat AllowStandbyStatesAC_2 LastWrite DisplayOffTimeoutOnBattery text/plain phone power.admx Power~AT~System~PowerManagementCat~PowerVideoSettingsCat VideoPowerDownTimeOutDC_2 LastWrite DisplayOffTimeoutPluggedIn text/plain phone power.admx Power~AT~System~PowerManagementCat~PowerVideoSettingsCat VideoPowerDownTimeOutAC_2 LastWrite EnergySaverBatteryThresholdOnBattery 0 This policy setting allows you to specify battery charge level at which Energy Saver is turned on. If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. If you disable or do not configure this policy setting, users control this setting. text/plain Power.admx EnterEsBattThreshold Power~AT~System~PowerManagementCat~EnergySaverSettingsCat EsBattThresholdDC LastWrite EnergySaverBatteryThresholdPluggedIn 0 This policy setting allows you to specify battery charge level at which Energy Saver is turned on. If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. If you disable or do not configure this policy setting, users control this setting. text/plain Power.admx EnterEsBattThreshold Power~AT~System~PowerManagementCat~EnergySaverSettingsCat EsBattThresholdAC LastWrite HibernateTimeoutOnBattery text/plain phone power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat DCHibernateTimeOut_2 LastWrite HibernateTimeoutPluggedIn text/plain phone power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat ACHibernateTimeOut_2 LastWrite RequirePasswordWhenComputerWakesOnBattery text/plain phone power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat DCPromptForPasswordOnResume_2 LastWrite RequirePasswordWhenComputerWakesPluggedIn text/plain phone power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat ACPromptForPasswordOnResume_2 LastWrite SelectLidCloseActionOnBattery 1 This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. text/plain Power.admx SelectDCSystemLidAction Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat DCSystemLidAction_2 LastWrite SelectLidCloseActionPluggedIn 1 This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. text/plain Power.admx SelectACSystemLidAction Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat ACSystemLidAction_2 LastWrite SelectPowerButtonActionOnBattery 1 This policy setting specifies the action that Windows takes when a user presses the power button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. text/plain Power.admx SelectDCPowerButtonAction Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat DCPowerButtonAction_2 LastWrite SelectPowerButtonActionPluggedIn 1 This policy setting specifies the action that Windows takes when a user presses the power button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. text/plain Power.admx SelectACPowerButtonAction Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat ACPowerButtonAction_2 LastWrite SelectSleepButtonActionOnBattery 1 This policy setting specifies the action that Windows takes when a user presses the sleep button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. text/plain Power.admx SelectDCSleepButtonAction Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat DCSleepButtonAction_2 LastWrite SelectSleepButtonActionPluggedIn 1 This policy setting specifies the action that Windows takes when a user presses the sleep button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. text/plain Power.admx SelectACSleepButtonAction Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat ACSleepButtonAction_2 LastWrite StandbyTimeoutOnBattery text/plain phone power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat DCStandbyTimeOut_2 LastWrite StandbyTimeoutPluggedIn text/plain phone power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat ACStandbyTimeOut_2 LastWrite TurnOffHybridSleepOnBattery 0 This policy setting allows you to turn off hybrid sleep. If you set this to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). If you do not configure this policy setting, users control this setting. text/plain Power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat DCStandbyWithHiberfileEnable_2 LastWrite TurnOffHybridSleepPluggedIn 0 This policy setting allows you to turn off hybrid sleep. If you set this to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). If you do not configure this policy setting, users control this setting. text/plain Power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat ACStandbyWithHiberfileEnable_2 LastWrite UnattendedSleepTimeoutOnBattery 0 This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. If you disable or do not configure this policy setting, users control this setting. If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. text/plain Power.admx EnterUnattendedSleepTimeOut Power~AT~System~PowerManagementCat~PowerSleepSettingsCat UnattendedSleepTimeOutDC LastWrite UnattendedSleepTimeoutPluggedIn 0 This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. If you disable or do not configure this policy setting, users control this setting. If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. text/plain Power.admx EnterUnattendedSleepTimeOut Power~AT~System~PowerManagementCat~PowerSleepSettingsCat UnattendedSleepTimeOutAC LastWrite Printers PointAndPrintRestrictions text/plain phone Printing.admx Printing~AT~ControlPanel~CplPrinters PointAndPrint_Restrictions_Win7 LastWrite PublishPrinters text/plain phone Printing2.admx Printing2~AT~Printers PublishPrinters LastWrite Privacy AllowAutoAcceptPairingAndPrivacyConsentPrompts 0 text/plain LowestValueMostSecure AllowCrossDeviceClipboard 1 Allows syncing of Clipboard across devices under the same Microsoft account. text/plain OSPolicy.admx OSPolicy~AT~System~PolicyPolicies AllowCrossDeviceClipboard LowestValueMostSecure AllowInputPersonalization 1 text/plain 10.0.10240 Globalization.admx Globalization~AT~ControlPanel~RegionalOptions AllowInputPersonalization LowestValueMostSecure DisableAdvertisingId 65535 text/plain UserProfiles.admx UserProfiles~AT~System~UserProfiles DisableAdvertisingId LowestValueMostSecureZeroHasNoLimits DisablePrivacyExperience 0 Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. text/plain phone OOBE.admx OOBE~AT~WindowsComponents~OOBE DisablePrivacyExperience LowestValueMostSecure EnableActivityFeed 1 Enables ActivityFeed, which is responsible for mirroring different activity types (as applicable) across device graph of the user. text/plain OSPolicy.admx OSPolicy~AT~System~PolicyPolicies EnableActivityFeed HighestValueMostSecure LetAppsAccessAccountInfo 0 This policy setting specifies whether Windows apps can access account information. text/plain AppPrivacy.admx LetAppsAccessAccountInfo_Enum AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessAccountInfo HighestValueMostSecure LetAppsAccessAccountInfo_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. text/plain AppPrivacy.admx LetAppsAccessAccountInfo_ForceAllowTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessAccountInfo LastWrite ; LetAppsAccessAccountInfo_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. text/plain AppPrivacy.admx LetAppsAccessAccountInfo_ForceDenyTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessAccountInfo LastWrite ; LetAppsAccessAccountInfo_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. text/plain AppPrivacy.admx LetAppsAccessAccountInfo_UserInControlOfTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessAccountInfo LastWrite ; LetAppsAccessCalendar 0 This policy setting specifies whether Windows apps can access the calendar. text/plain AppPrivacy.admx LetAppsAccessCalendar_Enum AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessCalendar HighestValueMostSecure LetAppsAccessCalendar_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. text/plain AppPrivacy.admx LetAppsAccessCalendar_ForceAllowTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessCalendar LastWrite ; LetAppsAccessCalendar_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. text/plain AppPrivacy.admx LetAppsAccessCalendar_ForceDenyTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessCalendar LastWrite ; LetAppsAccessCalendar_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. text/plain AppPrivacy.admx LetAppsAccessCalendar_UserInControlOfTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessCalendar LastWrite ; LetAppsAccessCallHistory 0 This policy setting specifies whether Windows apps can access call history. text/plain AppPrivacy.admx LetAppsAccessCallHistory_Enum AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessCallHistory HighestValueMostSecure LetAppsAccessCallHistory_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. text/plain AppPrivacy.admx LetAppsAccessCallHistory_ForceAllowTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessCallHistory LastWrite ; LetAppsAccessCallHistory_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. text/plain AppPrivacy.admx LetAppsAccessCallHistory_ForceDenyTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessCallHistory LastWrite ; LetAppsAccessCallHistory_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. text/plain AppPrivacy.admx LetAppsAccessCallHistory_UserInControlOfTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessCallHistory LastWrite ; LetAppsAccessCamera 0 This policy setting specifies whether Windows apps can access the camera. text/plain AppPrivacy.admx LetAppsAccessCamera_Enum AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessCamera HighestValueMostSecure LetAppsAccessCamera_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessCamera_ForceAllowTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessCamera LastWrite ; LetAppsAccessCamera_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessCamera_ForceDenyTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessCamera LastWrite ; LetAppsAccessCamera_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessCamera_UserInControlOfTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessCamera LastWrite ; LetAppsAccessContacts 0 This policy setting specifies whether Windows apps can access contacts. text/plain AppPrivacy.admx LetAppsAccessContacts_Enum AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessContacts HighestValueMostSecure LetAppsAccessContacts_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessContacts_ForceAllowTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessContacts LastWrite ; LetAppsAccessContacts_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessContacts_ForceDenyTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessContacts LastWrite ; LetAppsAccessContacts_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessContacts_UserInControlOfTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessContacts LastWrite ; LetAppsAccessEmail 0 This policy setting specifies whether Windows apps can access email. text/plain AppPrivacy.admx LetAppsAccessEmail_Enum AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessEmail HighestValueMostSecure LetAppsAccessEmail_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessEmail_ForceAllowTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessEmail LastWrite ; LetAppsAccessEmail_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessEmail_ForceDenyTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessEmail LastWrite ; LetAppsAccessEmail_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessEmail_UserInControlOfTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessEmail LastWrite ; LetAppsAccessGazeInput 0 This policy setting specifies whether Windows apps can access the eye tracker. text/plain HighestValueMostSecure LetAppsAccessGazeInput_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. text/plain LastWrite ; LetAppsAccessGazeInput_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. text/plain LastWrite ; LetAppsAccessGazeInput_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. text/plain LastWrite ; LetAppsAccessLocation 0 This policy setting specifies whether Windows apps can access location. text/plain AppPrivacy.admx LetAppsAccessLocation_Enum AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessLocation HighestValueMostSecure LetAppsAccessLocation_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessLocation_ForceAllowTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessLocation LastWrite ; LetAppsAccessLocation_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessLocation_ForceDenyTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessLocation LastWrite ; LetAppsAccessLocation_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessLocation_UserInControlOfTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessLocation LastWrite ; LetAppsAccessMessaging 0 This policy setting specifies whether Windows apps can read or send messages (text or MMS). text/plain AppPrivacy.admx LetAppsAccessMessaging_Enum AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessMessaging HighestValueMostSecure LetAppsAccessMessaging_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessMessaging_ForceAllowTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessMessaging LastWrite ; LetAppsAccessMessaging_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessMessaging_ForceDenyTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessMessaging LastWrite ; LetAppsAccessMessaging_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessMessaging_UserInControlOfTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessMessaging LastWrite ; LetAppsAccessMicrophone 0 This policy setting specifies whether Windows apps can access the microphone. text/plain AppPrivacy.admx LetAppsAccessMicrophone_Enum AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessMicrophone HighestValueMostSecure LetAppsAccessMicrophone_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessMicrophone_ForceAllowTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessMicrophone LastWrite ; LetAppsAccessMicrophone_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessMicrophone_ForceDenyTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessMicrophone LastWrite ; LetAppsAccessMicrophone_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessMicrophone_UserInControlOfTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessMicrophone LastWrite ; LetAppsAccessMotion 0 This policy setting specifies whether Windows apps can access motion data. text/plain AppPrivacy.admx LetAppsAccessMotion_Enum AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessMotion HighestValueMostSecure LetAppsAccessMotion_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessMotion_ForceAllowTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessMotion LastWrite ; LetAppsAccessMotion_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessMotion_ForceDenyTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessMotion LastWrite ; LetAppsAccessMotion_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessMotion_UserInControlOfTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessMotion LastWrite ; LetAppsAccessNotifications 0 This policy setting specifies whether Windows apps can access notifications. text/plain AppPrivacy.admx LetAppsAccessNotifications_Enum AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessNotifications HighestValueMostSecure LetAppsAccessNotifications_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessNotifications_ForceAllowTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessNotifications LastWrite ; LetAppsAccessNotifications_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessNotifications_ForceDenyTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessNotifications LastWrite ; LetAppsAccessNotifications_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessNotifications_UserInControlOfTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessNotifications LastWrite ; LetAppsAccessPhone 0 This policy setting specifies whether Windows apps can make phone calls text/plain AppPrivacy.admx LetAppsAccessPhone_Enum AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessPhone HighestValueMostSecure LetAppsAccessPhone_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessPhone_ForceAllowTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessPhone LastWrite ; LetAppsAccessPhone_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessPhone_ForceDenyTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessPhone LastWrite ; LetAppsAccessPhone_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessPhone_UserInControlOfTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessPhone LastWrite ; LetAppsAccessRadios 0 This policy setting specifies whether Windows apps have access to control radios. text/plain AppPrivacy.admx LetAppsAccessRadios_Enum AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessRadios HighestValueMostSecure LetAppsAccessRadios_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessRadios_ForceAllowTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessRadios LastWrite ; LetAppsAccessRadios_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessRadios_ForceDenyTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessRadios LastWrite ; LetAppsAccessRadios_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessRadios_UserInControlOfTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessRadios LastWrite ; LetAppsAccessTasks 0 This policy setting specifies whether Windows apps can access tasks. text/plain AppPrivacy.admx LetAppsAccessTasks_Enum AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessTasks HighestValueMostSecure LetAppsAccessTasks_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessTasks_ForceAllowTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessTasks LastWrite ; LetAppsAccessTasks_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessTasks_ForceDenyTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessTasks LastWrite ; LetAppsAccessTasks_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessTasks_UserInControlOfTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessTasks LastWrite ; LetAppsAccessTrustedDevices 0 This policy setting specifies whether Windows apps can access trusted devices. text/plain AppPrivacy.admx LetAppsAccessTrustedDevices_Enum AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessTrustedDevices HighestValueMostSecure LetAppsAccessTrustedDevices_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessTrustedDevices_ForceAllowTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessTrustedDevices LastWrite ; LetAppsAccessTrustedDevices_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessTrustedDevices_ForceDenyTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessTrustedDevices LastWrite ; LetAppsAccessTrustedDevices_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsAccessTrustedDevices LastWrite ; LetAppsActivateWithVoice 0 This policy setting specifies whether Windows apps can be activated by voice. text/plain AppPrivacy.admx LetAppsActivateWithVoice_Enum AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsActivateWithVoice HighestValueMostSecure LetAppsActivateWithVoiceAboveLock 0 This policy setting specifies whether Windows apps can be activated by voice while the system is locked. text/plain AppPrivacy.admx LetAppsActivateWithVoiceAboveLock_Enum AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsActivateWithVoiceAboveLock HighestValueMostSecure LetAppsGetDiagnosticInfo 0 This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names. text/plain AppPrivacy.admx LetAppsGetDiagnosticInfo_Enum AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsGetDiagnosticInfo HighestValueMostSecure LetAppsGetDiagnosticInfo_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. text/plain AppPrivacy.admx LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsGetDiagnosticInfo LastWrite ; LetAppsGetDiagnosticInfo_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. text/plain AppPrivacy.admx LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsGetDiagnosticInfo LastWrite ; LetAppsGetDiagnosticInfo_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. text/plain AppPrivacy.admx LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsGetDiagnosticInfo LastWrite ; LetAppsRunInBackground 0 This policy setting specifies whether Windows apps can run in the background. text/plain AppPrivacy.admx LetAppsRunInBackground_Enum AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsRunInBackground HighestValueMostSecure LetAppsRunInBackground_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. text/plain AppPrivacy.admx LetAppsRunInBackground_ForceAllowTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsRunInBackground LastWrite ; LetAppsRunInBackground_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. text/plain AppPrivacy.admx LetAppsRunInBackground_ForceDenyTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsRunInBackground LastWrite ; LetAppsRunInBackground_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. text/plain AppPrivacy.admx LetAppsRunInBackground_UserInControlOfTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsRunInBackground LastWrite ; LetAppsSyncWithDevices 0 This policy setting specifies whether Windows apps can communicate with unpaired wireless devices. text/plain AppPrivacy.admx LetAppsSyncWithDevices_Enum AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsSyncWithDevices HighestValueMostSecure LetAppsSyncWithDevices_ForceAllowTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsSyncWithDevices_ForceAllowTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsSyncWithDevices LastWrite ; LetAppsSyncWithDevices_ForceDenyTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsSyncWithDevices_ForceDenyTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsSyncWithDevices LastWrite ; LetAppsSyncWithDevices_UserInControlOfTheseApps List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. text/plain AppPrivacy.admx LetAppsSyncWithDevices_UserInControlOfTheseApps_List AppPrivacy~AT~WindowsComponents~AppPrivacy LetAppsSyncWithDevices LastWrite ; PublishUserActivities 1 Allows apps/system to publish 'User Activities' into ActivityFeed. text/plain OSPolicy.admx OSPolicy~AT~System~PolicyPolicies PublishUserActivities HighestValueMostSecure UploadUserActivities 1 Allows ActivityFeed to upload published 'User Activities'. text/plain OSPolicy.admx OSPolicy~AT~System~PolicyPolicies UploadUserActivities HighestValueMostSecure RemoteAssistance CustomizeWarningMessages text/plain phone remoteassistance.admx RemoteAssistance~AT~System~RemoteAssist RA_Options LastWrite SessionLogging text/plain phone remoteassistance.admx RemoteAssistance~AT~System~RemoteAssist RA_Logging LastWrite SolicitedRemoteAssistance text/plain phone remoteassistance.admx RemoteAssistance~AT~System~RemoteAssist RA_Solicit LastWrite UnsolicitedRemoteAssistance text/plain phone remoteassistance.admx RemoteAssistance~AT~System~RemoteAssist RA_Unsolicit LastWrite RemoteDesktopServices AllowUsersToConnectRemotely text/plain phone terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_CONNECTIONS TS_DISABLE_CONNECTIONS LastWrite ClientConnectionEncryptionLevel text/plain phone terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY TS_ENCRYPTION_POLICY LastWrite DoNotAllowDriveRedirection text/plain phone terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_REDIRECTION TS_CLIENT_DRIVE_M LastWrite DoNotAllowPasswordSaving text/plain phone terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_CLIENT TS_CLIENT_DISABLE_PASSWORD_SAVING_2 LastWrite PromptForPasswordUponConnection text/plain phone terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY TS_PASSWORD LastWrite RequireSecureRPCCommunication text/plain phone terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY TS_RPC_ENCRYPTION LastWrite RemoteManagement AllowBasicAuthentication_Client text/plain phone WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient AllowBasic_2 LastWrite AllowBasicAuthentication_Service text/plain phone WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService AllowBasic_1 LastWrite AllowCredSSPAuthenticationClient text/plain phone WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRMClient AllowCredSSP_2 LastWrite AllowCredSSPAuthenticationService text/plain phone WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService AllowCredSSP_1 LastWrite AllowRemoteServerManagement text/plain phone WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService AllowAutoConfig LastWrite AllowUnencryptedTraffic_Client text/plain phone WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient AllowUnencrypted_2 LastWrite AllowUnencryptedTraffic_Service text/plain phone WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService AllowUnencrypted_1 LastWrite DisallowDigestAuthentication text/plain phone WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient DisallowDigest LastWrite DisallowNegotiateAuthenticationClient text/plain phone WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient DisallowNegotiate_2 LastWrite DisallowNegotiateAuthenticationService text/plain phone WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService DisallowNegotiate_1 LastWrite DisallowStoringOfRunAsCredentials text/plain phone WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService DisableRunAs LastWrite SpecifyChannelBindingTokenHardeningLevel text/plain phone WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService CBTHardeningLevel_1 LastWrite TrustedHosts text/plain phone WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient TrustedHosts LastWrite TurnOnCompatibilityHTTPListener text/plain phone WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService HttpCompatibilityListener LastWrite TurnOnCompatibilityHTTPSListener text/plain phone WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService HttpsCompatibilityListener LastWrite RemoteProcedureCall RestrictUnauthenticatedRPCClients text/plain phone rpc.admx RPC~AT~System~Rpc RpcRestrictRemoteClients LastWrite RPCEndpointMapperClientAuthentication text/plain phone rpc.admx RPC~AT~System~Rpc RpcEnableAuthEpResolution LastWrite RemoteShell AllowRemoteShellAccess text/plain phone WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS AllowRemoteShellAccess LastWrite MaxConcurrentUsers text/plain phone WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS MaxConcurrentUsers LastWrite SpecifyIdleTimeout text/plain phone WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS IdleTimeout LastWrite SpecifyMaxMemory text/plain phone WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS MaxMemoryPerShellMB LastWrite SpecifyMaxProcesses text/plain phone WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS MaxProcessesPerShell LastWrite SpecifyMaxRemoteShells text/plain phone WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS MaxShellsPerUser LastWrite SpecifyShellTimeout text/plain phone WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS ShellTimeOut LastWrite RestrictedGroups ConfigureGroupMembership This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group. Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. text/plain phone LastWrite Restricted Group Member Restricted Group ]]> Search AllowCloudSearch 2 text/plain Search.admx AllowCloudSearch_Dropdown Search~AT~WindowsComponents~Search AllowCloudSearch LowestValueMostSecure AllowCortanaInAAD 0 This features allows you to show the cortana opt-in page during Windows Setup text/plain phone Search.admx Search~AT~WindowsComponents~Search AllowCortanaInAAD LowestValueMostSecure AllowFindMyFiles 1 This feature allows you to disable find my files completely on the machine text/plain phone Search.admx Search~AT~WindowsComponents~Search AllowFindMyFiles LowestValueMostSecure AllowIndexingEncryptedStoresOrItems 0 text/plain Search.admx Search~AT~WindowsComponents~Search AllowIndexingEncryptedStoresOrItems LowestValueMostSecure AllowSearchToUseLocation 1 text/plain Search.admx Search~AT~WindowsComponents~Search AllowSearchToUseLocation LowestValueMostSecure AllowStoringImagesFromVisionSearch 1 text/plain LowestValueMostSecure AllowUsingDiacritics 0 text/plain Search.admx Search~AT~WindowsComponents~Search AllowUsingDiacritics HighestValueMostSecure AllowWindowsIndexer 3 text/plain LowestValueMostSecure AlwaysUseAutoLangDetection 0 text/plain Search.admx Search~AT~WindowsComponents~Search AlwaysUseAutoLangDetection HighestValueMostSecure DisableBackoff 0 text/plain Search.admx Search~AT~WindowsComponents~Search DisableBackoff HighestValueMostSecure DisableRemovableDriveIndexing 0 text/plain Search.admx Search~AT~WindowsComponents~Search DisableRemovableDriveIndexing HighestValueMostSecure DoNotUseWebResults 1 text/plain Search.admx Search~AT~WindowsComponents~Search DoNotUseWebResults LowestValueMostSecure PreventIndexingLowDiskSpaceMB 1 text/plain Search.admx Search~AT~WindowsComponents~Search StopIndexingOnLimitedHardDriveSpace HighestValueMostSecure PreventRemoteQueries 1 text/plain Search.admx Search~AT~WindowsComponents~Search PreventRemoteQueries HighestValueMostSecure SafeSearchPermissions 1 text/plain desktop HighestValueMostSecure Security AllowAddProvisioningPackage 1 text/plain LowestValueMostSecure AllowManualRootCertificateInstallation 1 text/plain desktop LowestValueMostSecure AllowRemoveProvisioningPackage 1 text/plain LowestValueMostSecure AntiTheftMode 1 text/plain desktop LowestValueMostSecure ClearTPMIfNotReady 0 text/plain phone TPM.admx TPM~AT~System~TPMCategory ClearTPMIfNotReady_Name HighestValueMostSecure ConfigureWindowsPasswords 2 Configures the use of passwords for Windows features text/plain phone LastWrite PreventAutomaticDeviceEncryptionForAzureADJoinedDevices 0 text/plain LastWrite RecoveryEnvironmentAuthentication 0 This policy controls the requirement of Admin Authentication in RecoveryEnvironment. text/plain phone LastWrite RequireDeviceEncryption 0 text/plain HighestValueMostSecure RequireProvisioningPackageSignature 0 text/plain HighestValueMostSecure RequireRetrieveHealthCertificateOnBoot 0 text/plain HighestValueMostSecure ServiceControlManager SvchostProcessMitigation text/plain phone ServiceControlManager.admx ServiceControlManager~AT~System~ServiceControlManagerCat~ServiceControlManagerSecurityCat SvchostProcessMitigationEnable LastWrite Settings AllowAutoPlay 1 text/plain phone LowestValueMostSecure AllowDataSense 1 text/plain LowestValueMostSecure AllowDateTime 1 text/plain LowestValueMostSecure AllowEditDeviceName 1 text/plain LowestValueMostSecure AllowLanguage 1 text/plain phone LowestValueMostSecure AllowOnlineTips 1 text/plain ControlPanel.admx CheckBox_AllowOnlineTips ControlPanel~AT~ControlPanel AllowOnlineTips LowestValueMostSecure AllowPowerSleep 1 text/plain phone LowestValueMostSecure AllowRegion 1 text/plain phone LowestValueMostSecure AllowSignInOptions 1 text/plain phone LowestValueMostSecure AllowVPN 1 text/plain LowestValueMostSecure AllowWorkplace 1 text/plain phone LowestValueMostSecure AllowYourAccount 1 text/plain LowestValueMostSecure PageVisibilityList text/plain ControlPanel.admx SettingsPageVisibilityBox ControlPanel~AT~ControlPanel SettingsPageVisibility LastWrite SmartScreen EnableAppInstallControl 0 text/plain phone SmartScreen.admx SmartScreen~AT~WindowsComponents~SmartScreen~Shell ConfigureAppInstallControl LastWrite EnableSmartScreenInShell 1 text/plain phone SmartScreen.admx SmartScreen~AT~WindowsComponents~SmartScreen~Shell ShellConfigureSmartScreen HighestValueMostSecure PreventOverrideForFilesInShell 0 text/plain phone SmartScreen.admx ShellConfigureSmartScreen_Dropdown SmartScreen~AT~WindowsComponents~SmartScreen~Shell ShellConfigureSmartScreen HighestValueMostSecure Speech AllowSpeechModelUpdate 1 text/plain Speech.admx Speech~AT~WindowsComponents~Speech AllowSpeechModelUpdate LowestValueMostSecure Start AllowPinnedFolderDocuments 65535 This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. text/plain phone LowestValueMostSecure AllowPinnedFolderDownloads 65535 This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. text/plain phone LowestValueMostSecure AllowPinnedFolderFileExplorer 65535 This policy controls the visibility of the File Explorer shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. text/plain phone LowestValueMostSecure AllowPinnedFolderHomeGroup 65535 This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. text/plain phone LowestValueMostSecure AllowPinnedFolderMusic 65535 This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. text/plain phone LowestValueMostSecure AllowPinnedFolderNetwork 65535 This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. text/plain phone LowestValueMostSecure AllowPinnedFolderPersonalFolder 65535 This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. text/plain phone LowestValueMostSecure AllowPinnedFolderPictures 65535 This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. text/plain phone LowestValueMostSecure AllowPinnedFolderSettings 65535 This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. text/plain phone LowestValueMostSecure AllowPinnedFolderVideos 65535 This policy controls the visibility of the Videos shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. text/plain phone LowestValueMostSecure DisableContextMenus 0 Enabling this policy prevents context menus from being invoked in the Start Menu. text/plain phone StartMenu.admx StartMenu~AT~StartMenu DisableContextMenusInStart LowestValueMostSecure ForceStartSize 0 text/plain phone StartMenu.admx StartMenu~AT~StartMenu ForceStartSize LastWrite HideAppList 0 Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. text/plain phone LastWrite HideChangeAccountSettings 0 Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. text/plain LowestValueMostSecure HideFrequentlyUsedApps 0 Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. text/plain phone StartMenu.admx StartMenu~AT~StartMenu NoFrequentUsedPrograms LowestValueMostSecure HideHibernate 0 Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. text/plain LowestValueMostSecure HideLock 0 Enabling this policy hides "Lock" from appearing in the user tile in the start menu. text/plain LowestValueMostSecure HidePowerButton 0 Enabling this policy hides the power button from appearing in the start menu. text/plain LowestValueMostSecure HideRecentJumplists 0 Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. text/plain phone StartMenu.admx StartMenu~AT~StartMenu NoRecentDocsHistory LowestValueMostSecure HideRecentlyAddedApps 0 Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. text/plain phone StartMenu.admx StartMenu~AT~StartMenu HideRecentlyAddedApps LowestValueMostSecure HideRestart 0 Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. text/plain LowestValueMostSecure HideShutDown 0 Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. text/plain LowestValueMostSecure HideSignOut 0 Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. text/plain LowestValueMostSecure HideSleep 0 Enabling this policy hides "Sleep" from appearing in the power button in the start menu. text/plain LowestValueMostSecure HideSwitchAccount 0 Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. text/plain LowestValueMostSecure HideUserTile 0 Enabling this policy hides the user tile from appearing in the start menu. text/plain LowestValueMostSecure ImportEdgeAssets This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified. text/plain phone LastWrite NoPinningToTaskbar 0 This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. text/plain phone HighestValueMostSecure StartLayout text/plain phone StartMenu.admx StartMenu~AT~StartMenu LockedStartLayout LastWrite Storage AllowDiskHealthModelUpdates 1 text/plain phone StorageHealth.admx StorageHealth~AT~System~StorageHealth SH_AllowDiskHealthModelUpdates LastWrite AllowStorageSenseGlobal 0 text/plain phone StorageSense.admx StorageSense~AT~System~StorageSense SS_AllowStorageSenseGlobal LastWrite AllowStorageSenseTemporaryFilesCleanup 1 text/plain phone StorageSense.admx StorageSense~AT~System~StorageSense SS_AllowStorageSenseTemporaryFilesCleanup LastWrite ConfigStorageSenseCloudContentDehydrationThreshold 0 text/plain phone StorageSense.admx StorageSense~AT~System~StorageSense SS_ConfigStorageSenseCloudContentDehydrationThreshold LastWrite ConfigStorageSenseDownloadsCleanupThreshold 0 text/plain phone StorageSense.admx StorageSense~AT~System~StorageSense SS_ConfigStorageSenseDownloadsCleanupThreshold LastWrite ConfigStorageSenseGlobalCadence 0 text/plain phone StorageSense.admx StorageSense~AT~System~StorageSense SS_ConfigStorageSenseGlobalCadence LastWrite ConfigStorageSenseRecycleBinCleanupThreshold 30 text/plain phone StorageSense.admx StorageSense~AT~System~StorageSense SS_ConfigStorageSenseRecycleBinCleanupThreshold LastWrite EnhancedStorageDevices text/plain phone enhancedstorage.admx EnhancedStorage~AT~System~EnStorDeviceAccess TCGSecurityActivationDisabled LastWrite RemovableDiskDenyWriteAccess 0 If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." text/plain RemovableStorage.admx RemovableDisks_DenyWrite_Access_2 RemovableStorage~AT~System~DeviceAccess RemovableDisks_DenyWrite_Access_2 HighestValueMostSecure System AllowBuildPreview 2 text/plain AllowBuildPreview.admx AllowBuildPreview~AT~WindowsComponents~DataCollectionAndPreviewBuilds AllowBuildPreview LowestValueMostSecure AllowCommercialDataPipeline 0 text/plain DataCollection.admx AllowCommercialDataPipeline DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds AllowCommercialDataPipeline HighestValueMostSecure AllowDeviceNameInDiagnosticData 0 This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. text/plain DataCollection.admx AllowDeviceNameInDiagnosticData DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds AllowDeviceNameInDiagnosticData LowestValueMostSecure AllowEmbeddedMode 0 text/plain LowestValueMostSecure AllowExperimentation 1 text/plain LowestValueMostSecure AllowFontProviders 1 text/plain GroupPolicy.admx GroupPolicy~AT~Network~NetworkFonts EnableFontProviders LowestValueMostSecure AllowLocation 1 text/plain Sensors.admx Sensors~AT~LocationAndSensors DisableLocation_2 LowestValueMostSecure AllowStorageCard 1 text/plain LowestValueMostSecure AllowTelemetry 3 text/plain DataCollection.admx AllowTelemetry DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds AllowTelemetry LowestValueMostSecure AllowUserToResetPhone 1 text/plain LowestValueMostSecure BootStartDriverInitialization text/plain phone earlylauncham.admx EarlyLaunchAM~AT~System~ELAMCategory POL_DriverLoadPolicy_Name LastWrite ConfigureMicrosoft365UploadEndpoint text/plain DataCollection.admx ConfigureMicrosoft365UploadEndpoint DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds ConfigureMicrosoft365UploadEndpoint LastWrite ConfigureTelemetryOptInChangeNotification 0 text/plain DataCollection.admx ConfigureTelemetryOptInChangeNotification DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds ConfigureTelemetryOptInChangeNotification HighestValueMostSecure ConfigureTelemetryOptInSettingsUx 0 text/plain DataCollection.admx ConfigureTelemetryOptInSettingsUx DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds ConfigureTelemetryOptInSettingsUx HighestValueMostSecure DisableDeviceDelete 0 text/plain DataCollection.admx DisableDeviceDelete DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds DisableDeviceDelete HighestValueMostSecure DisableDiagnosticDataViewer 0 text/plain DataCollection.admx DisableDiagnosticDataViewer DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds DisableDiagnosticDataViewer HighestValueMostSecure DisableDirectXDatabaseUpdate 0 This group policy allows control over whether the DirectX Database Updater task will be run on the system. text/plain GroupPolicy.admx GroupPolicy~AT~Network~DirectXDatabase DisableDirectXDatabaseUpdate HighestValueMostSecure DisableEnterpriseAuthProxy 0 This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. text/plain DataCollection.admx DisableEnterpriseAuthProxy DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds DisableEnterpriseAuthProxy LastWrite DisableOneDriveFileSync 0 This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Microsoft Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. text/plain SkyDrive.admx SkyDrive~AT~WindowsComponents~OneDrive PreventOnedriveFileSync HighestValueMostSecure DisableSystemRestore text/plain phone systemrestore.admx SystemRestore~AT~System~SR SR_DisableSR LastWrite FeedbackHubAlwaysSaveDiagnosticsLocally 0 Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy is not present or set to false, users will be presented with the option to save locally. The default is to not save locally. text/plain LastWrite LimitEnhancedDiagnosticDataWindowsAnalytics 0 This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting. text/plain DataCollection.admx LimitEnhancedDiagnosticDataWindowsAnalytics DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds LimitEnhancedDiagnosticDataWindowsAnalytics LowestValueMostSecure TelemetryProxy text/plain DataCollection.admx TelemetryProxyName DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds TelemetryProxy LastWrite TurnOffFileHistory 0 This policy setting allows you to turn off File History. If you enable this policy setting, File History cannot be activated to create regular, automatic backups. If you disable or do not configure this policy setting, File History can be activated to create regular, automatic backups. text/plain FileHistory.admx FileHistory~AT~WindowsComponents~FileHistory DisableFileHistory LowestValueMostSecure SystemServices ConfigureHomeGroupListenerServiceStartupMode 3 This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. text/plain phone Windows Settings~Security Settings~System Services HomeGroup Listener LastWrite ConfigureHomeGroupProviderServiceStartupMode 3 This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. text/plain phone Windows Settings~Security Settings~System Services HomeGroup Provider LastWrite ConfigureXboxAccessoryManagementServiceStartupMode 3 This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. text/plain phone Windows Settings~Security Settings~System Services Xbox Accessory Management Service LastWrite ConfigureXboxLiveAuthManagerServiceStartupMode 3 This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. text/plain phone Windows Settings~Security Settings~System Services Xbox Live Auth Manager LastWrite ConfigureXboxLiveGameSaveServiceStartupMode 3 This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. text/plain phone Windows Settings~Security Settings~System Services Xbox Live Game Save LastWrite ConfigureXboxLiveNetworkingServiceStartupMode 3 This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. text/plain phone Windows Settings~Security Settings~System Services Xbox Live Networking Service LastWrite TaskManager AllowEndTask 1 This setting determines whether non-administrators can use Task Manager to end tasks - enabled (1) or disabled (0). Default: enabled text/plain HighestValueMostSecure TaskScheduler EnableXboxGameSaveTask 0 This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled. text/plain phone LastWrite TextInput AllowHardwareKeyboardTextSuggestions 1 text/plain LowestValueMostSecure AllowIMELogging 1 text/plain phone LowestValueMostSecure AllowIMENetworkAccess 1 text/plain phone LowestValueMostSecure AllowInputPanel 1 text/plain phone LowestValueMostSecure AllowJapaneseIMESurrogatePairCharacters 1 text/plain phone HighestValueMostSecure AllowJapaneseIVSCharacters 1 text/plain phone LowestValueMostSecure AllowJapaneseNonPublishingStandardGlyph 1 text/plain phone LowestValueMostSecure AllowJapaneseUserDictionary 1 text/plain phone LowestValueMostSecure AllowKeyboardTextSuggestions 1 text/plain LowestValueMostSecure AllowLanguageFeaturesUninstall 1 text/plain phone TextInput.admx TextInput~AT~WindowsComponents~TextInput AllowLanguageFeaturesUninstall LowestValueMostSecure AllowLinguisticDataCollection 1 text/plain TextInput.admx TextInput~AT~WindowsComponents~TextInput AllowLinguisticDataCollection LowestValueMostSecure EnableTouchKeyboardAutoInvokeInDesktopMode 0 text/plain LowestValueMostSecure ExcludeJapaneseIMEExceptJIS0208 0 text/plain HighestValueMostSecure ExcludeJapaneseIMEExceptJIS0208andEUDC 0 text/plain phone HighestValueMostSecure ExcludeJapaneseIMEExceptShiftJIS 0 text/plain phone HighestValueMostSecure ForceTouchKeyboardDockedState 0 text/plain HighestValueMostSecure TouchKeyboardDictationButtonAvailability 0 text/plain HighestValueMostSecure TouchKeyboardEmojiButtonAvailability 0 text/plain HighestValueMostSecure TouchKeyboardFullModeAvailability 0 text/plain HighestValueMostSecure TouchKeyboardHandwritingModeAvailability 0 text/plain HighestValueMostSecure TouchKeyboardNarrowModeAvailability 0 text/plain HighestValueMostSecure TouchKeyboardSplitModeAvailability 0 text/plain HighestValueMostSecure TouchKeyboardWideModeAvailability 0 text/plain HighestValueMostSecure TimeLanguageSettings AllowSet24HourClock 0 text/plain desktop LowestValueMostSecure ConfigureTimeZone Specifies the time zone to be applied to the device. This is the standard Windows name for the target time zone. text/plain phone LastWrite Troubleshooting AllowRecommendations 1 This policy setting applies recommended troubleshooting for known problems on the device and lets administrators configure how it's applied to their domains/IT environments. Not configuring this policy setting will allow the user to configure if and how recommended troubleshooting is applied. Enabling this policy allows you to configure how recommended troubleshooting is applied on the user's device. You can select from one of the following values: 0 = Turn this feature off. 1 = Turn this feature off but still apply critical troubleshooting. 2 = Notify users when recommended troubleshooting is available, then allow the user to run or ignore it. 3 = Run recommended troubleshooting automatically and notify the user after it's been successfully run. 4 = Run recommended troubleshooting automatically without notifying the user. 5 = Allow the user to choose their own recommended troubleshooting settings. text/plain phone MSDT.admx MSDT~AT~System~Troubleshooting~WdiScenarioCategory TroubleshootingAllowRecommendations LowestValueMostSecure Update ActiveHoursEnd 17 text/plain WindowsUpdate.admx ActiveHoursEndTime WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat ActiveHours LastWrite ActiveHoursMaxRange 18 text/plain WindowsUpdate.admx ActiveHoursMaxRange WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat ActiveHoursMaxRange LastWrite ActiveHoursStart 8 text/plain WindowsUpdate.admx ActiveHoursStartTime WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat ActiveHours LastWrite AllowAutoUpdate 6 text/plain WindowsUpdate.admx AutoUpdateMode WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat AutoUpdateCfg LowestValueMostSecure AllowAutoWindowsUpdateDownloadOverMeteredNetwork 0 text/plain WindowsUpdate.admx WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat AllowAutoWindowsUpdateDownloadOverMeteredNetwork LastWrite AllowMUUpdateService 0 text/plain phone WindowsUpdate.admx AllowMUUpdateServiceId WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat AutoUpdateCfg LowestValueMostSecure AllowNonMicrosoftSignedUpdate 1 text/plain LowestValueMostSecure AllowUpdateService 1 text/plain WindowsUpdate.admx WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat CorpWuURL LowestValueMostSecure AutomaticMaintenanceWakeUp 1 This policy setting allows you to configure Automatic Maintenance wake up policy. The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note, that if the OS power wake policy is explicitly disabled, then this setting has no effect. If you enable this policy setting, Automatic Maintenance will attempt to set OS wake policy and make a wake request for the daily scheduled time, if required. If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. text/plain msched.admx msched~AT~WindowsComponents~MaintenanceScheduler WakeUpPolicy HighestValueMostSecure AutoRestartDeadlinePeriodInDays 7 text/plain WindowsUpdate.admx AutoRestartDeadline WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat AutoRestartDeadline LastWrite AutoRestartDeadlinePeriodInDaysForFeatureUpdates 7 text/plain WindowsUpdate.admx AutoRestartDeadlineForFeatureUpdates WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat AutoRestartDeadline LastWrite AutoRestartNotificationSchedule 15 text/plain WindowsUpdate.admx AutoRestartNotificationSchd WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat AutoRestartNotificationConfig LastWrite AutoRestartRequiredNotificationDismissal 1 text/plain WindowsUpdate.admx AutoRestartRequiredNotificationDismissal WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat AutoRestartRequiredNotificationDismissal LastWrite BranchReadinessLevel 16 text/plain WindowsUpdate.admx BranchReadinessLevelId WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat DeferFeatureUpdates LastWrite ConfigureDeadlineForFeatureUpdates 7 text/plain WindowsUpdate.admx ConfigureDeadlineForFeatureUpdates WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat ConfigureDeadlineForFeatureUpdates LastWrite ConfigureDeadlineForQualityUpdates 7 text/plain WindowsUpdate.admx ConfigureDeadlineForQualityUpdates WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat ConfigureDeadlineForQualityUpdates LastWrite ConfigureDeadlineGracePeriod 2 text/plain WindowsUpdate.admx ConfigureDeadlineGracePeriod WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat ConfigureDeadlineGracePeriod LastWrite ConfigureDeadlineNoAutoReboot 0 text/plain WindowsUpdate.admx ConfigureDeadlineNoAutoReboot WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat ConfigureDeadlineNoAutoReboot HighestValueMostSecure ConfigureFeatureUpdateUninstallPeriod 10 Enable enterprises/IT admin to configure feature update uninstall period text/plain LastWrite DeferFeatureUpdatesPeriodInDays 0 text/plain WindowsUpdate.admx DeferFeatureUpdatesPeriodId WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat DeferFeatureUpdates LastWrite DeferQualityUpdatesPeriodInDays 0 text/plain WindowsUpdate.admx DeferQualityUpdatesPeriodId WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat DeferQualityUpdates LastWrite DeferUpdatePeriod 0 text/plain WindowsUpdate.admx DeferUpdatePeriodId WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat DeferUpgrade LastWrite DeferUpgradePeriod 0 text/plain WindowsUpdate.admx DeferUpgradePeriodId WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat DeferUpgrade LastWrite DetectionFrequency 22 text/plain WindowsUpdate.admx DetectionFrequency_Hour2 WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat DetectionFrequency_Title LastWrite DisableDualScan 0 Do not allow update deferral policies to cause scans against Windows Update text/plain WindowsUpdate.admx WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat DisableDualScan LastWrite EngagedRestartDeadline 14 text/plain WindowsUpdate.admx EngagedRestartDeadline WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat EngagedRestartTransitionSchedule LastWrite EngagedRestartDeadlineForFeatureUpdates 14 text/plain WindowsUpdate.admx EngagedRestartDeadlineForFeatureUpdates WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat EngagedRestartTransitionSchedule LastWrite EngagedRestartSnoozeSchedule 3 text/plain WindowsUpdate.admx EngagedRestartSnoozeSchedule WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat EngagedRestartTransitionSchedule LastWrite EngagedRestartSnoozeScheduleForFeatureUpdates 3 text/plain WindowsUpdate.admx EngagedRestartSnoozeScheduleForFeatureUpdates WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat EngagedRestartTransitionSchedule LastWrite EngagedRestartTransitionSchedule 7 text/plain WindowsUpdate.admx EngagedRestartTransitionSchedule WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat EngagedRestartTransitionSchedule LastWrite EngagedRestartTransitionScheduleForFeatureUpdates 7 text/plain WindowsUpdate.admx EngagedRestartTransitionScheduleForFeatureUpdates WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat EngagedRestartTransitionSchedule LastWrite ExcludeWUDriversInQualityUpdate 0 text/plain WindowsUpdate.admx WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat ExcludeWUDriversInQualityUpdate LastWrite FillEmptyContentUrls 0 text/plain WindowsUpdate.admx CorpWUFillEmptyContentUrls WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat CorpWuURL LastWrite IgnoreMOAppDownloadLimit 0 text/plain LowestValueMostSecure IgnoreMOUpdateDownloadLimit 0 text/plain LowestValueMostSecure ManagePreviewBuilds 3 text/plain WindowsUpdate.admx ManagePreviewBuildsId WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat ManagePreviewBuilds LastWrite PauseDeferrals 0 text/plain WindowsUpdate.admx PauseDeferralsId WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat DeferUpgrade LastWrite PauseFeatureUpdates 0 text/plain WindowsUpdate.admx PauseFeatureUpdatesId WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat DeferFeatureUpdates LastWrite PauseFeatureUpdatesStartTime text/plain WindowsUpdate.admx PauseFeatureUpdatesStartId WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat DeferFeatureUpdates LastWrite PauseQualityUpdates 0 text/plain WindowsUpdate.admx PauseQualityUpdatesId WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat DeferQualityUpdates LastWrite PauseQualityUpdatesStartTime text/plain WindowsUpdate.admx PauseQualityUpdatesStartId WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat DeferQualityUpdates LastWrite PhoneUpdateRestrictions 4 text/plain LowestValueMostSecure RequireDeferUpgrade 0 text/plain WindowsUpdate.admx DeferUpgradePeriodId WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat DeferUpgrade LastWrite RequireUpdateApproval 0 text/plain HighestValueMostSecure ScheduledInstallDay 0 text/plain WindowsUpdate.admx AutoUpdateSchDay WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat AutoUpdateCfg LowestValueMostSecure ScheduledInstallEveryWeek 1 text/plain WindowsUpdate.admx AutoUpdateSchEveryWeek WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat AutoUpdateCfg LowestValueMostSecure ScheduledInstallFirstWeek 0 text/plain WindowsUpdate.admx AutoUpdateSchFirstWeek WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat AutoUpdateCfg LowestValueMostSecure ScheduledInstallFourthWeek 0 text/plain WindowsUpdate.admx ScheduledInstallFourthWeek WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat AutoUpdateCfg LowestValueMostSecure ScheduledInstallSecondWeek 0 text/plain WindowsUpdate.admx ScheduledInstallSecondWeek WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat AutoUpdateCfg LowestValueMostSecure ScheduledInstallThirdWeek 0 text/plain WindowsUpdate.admx ScheduledInstallThirdWeek WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat AutoUpdateCfg LowestValueMostSecure ScheduledInstallTime 3 text/plain WindowsUpdate.admx AutoUpdateSchTime WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat AutoUpdateCfg LowestValueMostSecure ScheduleImminentRestartWarning 15 text/plain WindowsUpdate.admx RestartWarn WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat RestartWarnRemind LastWrite ScheduleRestartWarning 4 text/plain WindowsUpdate.admx RestartWarnRemind WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat RestartWarnRemind LastWrite SetAutoRestartNotificationDisable 0 text/plain WindowsUpdate.admx AutoRestartNotificationSchd WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat AutoRestartNotificationDisable LastWrite SetDisablePauseUXAccess 0 text/plain WindowsUpdate.admx WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat SetDisablePauseUXAccess LastWrite SetDisableUXWUAccess 0 text/plain WindowsUpdate.admx WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat SetDisableUXWUAccess LastWrite SetEDURestart 0 text/plain WindowsUpdate.admx WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat SetEDURestart LastWrite UpdateNotificationLevel 0 text/plain WindowsUpdate.admx WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat UpdateNotificationLevel LastWrite UpdateServiceUrl CorpWSUS text/plain WindowsUpdate.admx CorpWUURL_Name WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat CorpWuURL LastWrite UpdateServiceUrlAlternate text/plain phone WindowsUpdate.admx CorpWUContentHost_Name WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat CorpWuURL LastWrite UserRights AccessCredentialManagerAsTrustedCaller This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Access Credential Manager ase a trusted caller LastWrite 0xF000 AccessFromNetwork This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Access this computer from the network LastWrite 0xF000 ActAsPartOfTheOperatingSystem This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Act as part of the operating system LastWrite 0xF000 AllowLocalLogOn This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Allow log on locally LastWrite 0xF000 BackupFilesAndDirectories This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Back up files and directories LastWrite 0xF000 ChangeSystemTime This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Change the system time LastWrite 0xF000 CreateGlobalObjects This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Create global objects LastWrite 0xF000 CreatePageFile This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Create a pagefile LastWrite 0xF000 CreatePermanentSharedObjects This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Create permanent shared objects LastWrite 0xF000 CreateSymbolicLinks This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Create symbolic links LastWrite 0xF000 CreateToken This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Create a token object LastWrite 0xF000 DebugPrograms This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Debug programs LastWrite 0xF000 DenyAccessFromNetwork This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Deny access to this computer from the network LastWrite 0xF000 DenyLocalLogOn This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Deny log on as a service LastWrite 0xF000 DenyRemoteDesktopServicesLogOn This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Deny log on through Remote Desktop Services LastWrite 0xF000 EnableDelegation This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Enable computer and user accounts to be trusted for delegation LastWrite 0xF000 GenerateSecurityAudits This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Generate security audits LastWrite 0xF000 ImpersonateClient Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 1) The access token that is being impersonated is for this user. 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. 3) The requested level is less than Impersonate, such as Anonymous or Identify. Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Impersonate a client after authentication LastWrite 0xF000 IncreaseSchedulingPriority This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Increase scheduling priority LastWrite 0xF000 LoadUnloadDeviceDrivers This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Load and unload device drivers LastWrite 0xF000 LockMemory This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Lock pages in memory LastWrite 0xF000 ManageAuditingAndSecurityLog This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Manage auditing and security log LastWrite 0xF000 ManageVolume This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Perform volume maintenance tasks LastWrite 0xF000 ModifyFirmwareEnvironment This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Modify firmware environment values LastWrite 0xF000 ModifyObjectLabel This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Modify an object label LastWrite 0xF000 ProfileSingleProcess This user right determines which users can use performance monitoring tools to monitor the performance of system processes. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Profile single process LastWrite 0xF000 RemoteShutdown This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Force shutdown from a remote system LastWrite 0xF000 RestoreFilesAndDirectories This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Restore files and directories LastWrite 0xF000 TakeOwnership This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users. text/plain phone Windows Settings~Security Settings~Local Policies~User Rights Assignment Take ownership of files or other objects LastWrite 0xF000 Wifi AllowAutoConnectToWiFiSenseHotspots 1 text/plain wlansvc.admx wlansvc~AT~Network~WlanSvc_Category~WlanSettings_Category WiFiSense LowestValueMostSecure AllowInternetSharing 1 text/plain NetworkConnections.admx NetworkConnections~AT~Network~NetworkConnections NC_ShowSharedAccessUI LowestValueMostSecure AllowManualWiFiConfiguration 1 text/plain LowestValueMostSecure AllowWiFi 1 text/plain LowestValueMostSecure AllowWiFiDirect 1 text/plain LowestValueMostSecure WLANScanMode 0 text/plain HighestValueMostSecureZeroHasNoLimits WindowsConnectionManager ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork text/plain phone WCM.admx WCM~AT~Network~WCM_Category WCM_BlockNonDomain LastWrite WindowsDefenderSecurityCenter CompanyName text/plain phone WindowsDefenderSecurityCenter.admx Presentation_EnterpriseCustomization_CompanyName WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization EnterpriseCustomization_CompanyName LastWrite DisableAccountProtectionUI 0 text/plain phone WindowsDefenderSecurityCenter.admx WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AccountProtection AccountProtection_UILockdown LastWrite DisableAppBrowserUI 0 text/plain phone WindowsDefenderSecurityCenter.admx WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AppBrowserProtection AppBrowserProtection_UILockdown LastWrite DisableClearTpmButton 0 text/plain phone WindowsDefenderSecurityCenter.admx WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity DeviceSecurity_DisableClearTpmButton LastWrite DisableDeviceSecurityUI 0 text/plain phone WindowsDefenderSecurityCenter.admx WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity DeviceSecurity_UILockdown LastWrite DisableEnhancedNotifications 0 text/plain phone WindowsDefenderSecurityCenter.admx WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Notifications Notifications_DisableEnhancedNotifications LastWrite DisableFamilyUI 0 text/plain phone WindowsDefenderSecurityCenter.admx WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~FamilyOptions FamilyOptions_UILockdown LastWrite DisableHealthUI 0 text/plain phone WindowsDefenderSecurityCenter.admx WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DevicePerformanceHealth DevicePerformanceHealth_UILockdown LastWrite DisableNetworkUI 0 text/plain phone WindowsDefenderSecurityCenter.admx WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~FirewallNetworkProtection FirewallNetworkProtection_UILockdown LastWrite DisableNotifications 0 text/plain phone WindowsDefenderSecurityCenter.admx WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Notifications Notifications_DisableNotifications LastWrite DisableTpmFirmwareUpdateWarning 0 text/plain phone WindowsDefenderSecurityCenter.admx WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity DeviceSecurity_DisableTpmFirmwareUpdateWarning LastWrite DisableVirusUI 0 text/plain phone WindowsDefenderSecurityCenter.admx WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~VirusThreatProtection VirusThreatProtection_UILockdown LastWrite DisallowExploitProtectionOverride 0 text/plain phone WindowsDefenderSecurityCenter.admx WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AppBrowserProtection AppBrowserProtection_DisallowExploitProtectionOverride LastWrite Email text/plain phone WindowsDefenderSecurityCenter.admx Presentation_EnterpriseCustomization_Email WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization EnterpriseCustomization_Email LastWrite EnableCustomizedToasts 0 text/plain phone WindowsDefenderSecurityCenter.admx WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization EnterpriseCustomization_EnableCustomizedToasts LastWrite EnableInAppCustomization 0 text/plain phone WindowsDefenderSecurityCenter.admx WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization EnterpriseCustomization_EnableInAppCustomization LastWrite HideRansomwareDataRecovery 0 text/plain phone WindowsDefenderSecurityCenter.admx WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~VirusThreatProtection VirusThreatProtection_HideRansomwareRecovery LastWrite HideSecureBoot 0 text/plain phone WindowsDefenderSecurityCenter.admx WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity DeviceSecurity_HideSecureBoot LastWrite HideTPMTroubleshooting 0 text/plain phone WindowsDefenderSecurityCenter.admx WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity DeviceSecurity_HideTPMTroubleshooting LastWrite HideWindowsSecurityNotificationAreaControl 0 text/plain phone WindowsDefenderSecurityCenter.admx WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Systray Systray_HideSystray LastWrite Phone text/plain phone WindowsDefenderSecurityCenter.admx Presentation_EnterpriseCustomization_Phone WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization EnterpriseCustomization_Phone LastWrite URL text/plain phone WindowsDefenderSecurityCenter.admx Presentation_EnterpriseCustomization_URL WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization EnterpriseCustomization_URL LastWrite WindowsInkWorkspace AllowSuggestedAppsInWindowsInkWorkspace 1 text/plain phone WindowsInkWorkspace.admx WindowsInkWorkspace~AT~WindowsComponents~WindowsInkWorkspace AllowSuggestedAppsInWindowsInkWorkspace LowestValueMostSecure AllowWindowsInkWorkspace 2 text/plain phone WindowsInkWorkspace.admx AllowWindowsInkWorkspaceDropdown WindowsInkWorkspace~AT~WindowsComponents~WindowsInkWorkspace AllowWindowsInkWorkspace LowestValueMostSecure WindowsLogon AllowAutomaticRestartSignOn text/plain phone WinLogon.admx WinLogon~AT~WindowsComponents~Logon AutomaticRestartSignOn LastWrite ConfigAutomaticRestartSignOn text/plain phone WinLogon.admx WinLogon~AT~WindowsComponents~Logon ConfigAutomaticRestartSignOn LastWrite DisableLockScreenAppNotifications text/plain phone logon.admx Logon~AT~System~Logon DisableLockScreenAppNotifications LastWrite DontDisplayNetworkSelectionUI text/plain phone logon.admx Logon~AT~System~Logon DontDisplayNetworkSelectionUI LastWrite EnableFirstLogonAnimation 1 This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt for services during their first sign-in. If you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation. If you disable this policy setting, users will not see the animation and Microsoft account users will not see the opt-in prompt for services. If you do not configure this policy setting, the user who completes the initial Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer will not see the animation. Note: The first sign-in animation will not be shown on Server, so this policy will have no effect. text/plain Logon.admx Logon~AT~System~Logon EnableFirstLogonAnimation HighestValueMostSecure EnumerateLocalUsersOnDomainJoinedComputers text/plain phone logon.admx Logon~AT~System~Logon EnumerateLocalUsers LastWrite HideFastUserSwitching 0 This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations. text/plain Logon.admx Logon~AT~System~Logon HideFastUserSwitching HighestValueMostSecure WindowsPowerShell TurnOnPowerShellScriptBlockLogging text/plain phone PowerShellExecutionPolicy.admx PowerShellExecutionPolicy~AT~WindowsComponents~PowerShell EnableScriptBlockLogging LastWrite WirelessDisplay AllowMdnsAdvertisement 1 This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. text/plain LowestValueMostSecure AllowMdnsDiscovery 1 This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. text/plain LowestValueMostSecure AllowProjectionFromPC 1 This policy allows you to turn off projection from a PC. If you set it to 0, your PC cannot discover or project to other devices. If you set it to 1, your PC can discover and project to other devices. text/plain LowestValueMostSecure AllowProjectionFromPCOverInfrastructure 1 This policy allows you to turn off projection from a PC over infrastructure. If you set it to 0, your PC cannot discover or project to other infrastructure devices, though it may still be possible to discover and project over WiFi Direct. If you set it to 1, your PC can discover and project to other devices over infrastructure. text/plain LowestValueMostSecure AllowProjectionToPC 1 This policy setting allows you to turn off projection to a PC If you set it to 0, your PC isn't discoverable and can't be projected to If you set it to 1, your PC is discoverable and can be projected to above the lock screen only. The user has an option to turn it always on or off except for manual launch, too. text/plain phone WirelessDisplay.admx WirelessDisplay~AT~WindowsComponents~Connect AllowProjectionToPC LowestValueMostSecure AllowProjectionToPCOverInfrastructure 1 This policy setting allows you to turn off projection to a PC over infrastructure. If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. If you set it to 1, your PC can be discoverable and can be projected to over infrastructure. text/plain LowestValueMostSecure AllowUserInputFromWirelessDisplayReceiver 1 text/plain LowestValueMostSecure RequirePinForPairing 0 This policy setting allows you to require a pin for pairing. If you set this to 0, a pin isn't required for pairing. If you set this to 1, the pairing ceremony for new devices will always require a PIN. If you set this to 2, all pairings will require PIN. text/plain WirelessDisplay.admx WirelessDisplay~AT~WindowsComponents~Connect RequirePinForPairing LastWrite ```