--- title: Policy CSP - ApplicationManagement description: Policy CSP - ApplicationManagement ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque ms.date: 07/11/2018 --- # Policy CSP - ApplicationManagement > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
## ApplicationManagement policies
ApplicationManagement/AllowAllTrustedApps
ApplicationManagement/AllowAppStoreAutoUpdate
ApplicationManagement/AllowDeveloperUnlock
ApplicationManagement/AllowGameDVR
ApplicationManagement/AllowSharedUserAppData
ApplicationManagement/AllowStore
ApplicationManagement/ApplicationRestrictions
ApplicationManagement/DisableStoreOriginatedApps
ApplicationManagement/LaunchAppAfterLogOn
ApplicationManagement/MSIAllowUserControlOverInstall
ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
ApplicationManagement/RequirePrivateStoreOnly
ApplicationManagement/RestrictAppDataToSystemVolume
ApplicationManagement/RestrictAppToSystemVolume
ApplicationManagement/ScheduleForceRestartForUpdateFailures
**ApplicationManagement/AllowAllTrustedApps**
Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark check mark check mark
[Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] > * Device
Specifies whether non Microsoft Store apps are allowed. Most restricted value is 0. ADMX Info: - GP English name: *Allow all trusted apps to install* - GP name: *AppxDeploymentAllowAllTrustedApps* - GP path: *Windows Components/App Package Deployment* - GP ADMX file name: *AppxPackageManager.admx* The following list shows the supported values: - 0 - Explicit deny. - 1 - Explicit allow unlock. - 65535 (default) - Not configured.
**ApplicationManagement/AllowAppStoreAutoUpdate**
Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark check mark check mark
[Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] > * Device
Specifies whether automatic update of apps from Microsoft Store are allowed. Most restricted value is 0. ADMX Info: - GP English name: *Turn off Automatic Download and Install of updates* - GP name: *DisableAutoInstall* - GP path: *Windows Components/Store* - GP ADMX file name: *WindowsStore.admx* The following list shows the supported values: - 0 – Not allowed. - 1 (default) – Allowed.
**ApplicationManagement/AllowDeveloperUnlock**
Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark check mark check mark
[Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] > * Device
Specifies whether developer unlock is allowed. Most restricted value is 0. ADMX Info: - GP English name: *Allows development of Windows Store apps and installing them from an integrated development environment (IDE)* - GP name: *AllowDevelopmentWithoutDevLicense* - GP path: *Windows Components/App Package Deployment* - GP ADMX file name: *AppxPackageManager.admx* The following list shows the supported values: - 0 - Explicit deny. - 1 - Explicit allow unlock. - 65535 (default) - Not configured.
**ApplicationManagement/AllowGameDVR**
Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark
[Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] > * Device
> [!NOTE] > The policy is only enforced in Windows 10 for desktop. Specifies whether DVR and broadcasting is allowed. Most restricted value is 0. ADMX Info: - GP English name: *Enables or disables Windows Game Recording and Broadcasting* - GP name: *AllowGameDVR* - GP path: *Windows Components/Windows Game Recording and Broadcasting* - GP ADMX file name: *GameDVR.admx* The following list shows the supported values: - 0 – Not allowed. - 1 (default) – Allowed.
**ApplicationManagement/AllowSharedUserAppData**
Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark check mark check mark
[Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] > * Device
Specifies whether multiple users of the same app can share data. Most restricted value is 0. ADMX Info: - GP English name: *Allow a Windows app to share application data between users* - GP name: *AllowSharedLocalAppData* - GP path: *Windows Components/App Package Deployment* - GP ADMX file name: *AppxPackageManager.admx* The following list shows the supported values: - 0 (default) – Not allowed. - 1 – Allowed.
**ApplicationManagement/AllowStore**
Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark cross mark cross mark cross mark cross mark check mark check mark
[Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] > * Device
Specifies whether app store is allowed at the device. Most restricted value is 0. The following list shows the supported values: - 0 – Not allowed. - 1 (default) – Allowed.
**ApplicationManagement/ApplicationRestrictions**
Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark cross mark cross mark cross mark cross mark check mark check mark
[Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] > * Device
> [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead.   An XML blob that specifies the application restrictions company want to put to the device. It could be an app allow list, app disallow list, allowed publisher IDs, and so on. For a list of Windows apps and product IDs, see [inbox apps](applocker-csp.md#inboxappsandcomponents). For more information about the XML, see the [ApplicationRestrictions XSD](applicationrestrictions-xsd.md). > [!NOTE] > When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps. > > Here's additional guidance for the upgrade process: > > - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents). > - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it. > - In the SyncML, you must use lowercase product ID. > - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error. > - You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents). An application that is running may not be immediately terminated. Value type is chr. Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies.
**ApplicationManagement/DisableStoreOriginatedApps**
Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark cross mark check mark1 check mark1 check mark1 cross mark cross mark
[Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] > * Device
Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. ADMX Info: - GP English name: *Disable all apps from Microsoft Store * - GP name: *DisableStoreApps* - GP path: *Windows Components/Store* - GP ADMX file name: *WindowsStore.admx* The following list shows the supported values: - 0 (default) – Enable launch of apps. - 1 – Disable launch of apps.
**ApplicationManagement/LaunchAppAfterLogOn**
Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark5 check mark5 check mark5 check mark5
[Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] > * Device
List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are launched after logon. This policy allows the IT admin to specify a list of applications that users can run after logging on to the device. For this policy to work, the Windows apps need to declare in their manifest that they will use the start up task. Example of the declaration here: ``` syntax ``` > [!Note] > This policy only works on modern apps.
**ApplicationManagement/MSIAllowUserControlOverInstall**
Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark4 check mark4 check mark4 check mark4 cross mark cross mark
[Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] > * Device
Added in Windows 10, version 1803. This policy setting permits users to change installation options that typically are available only to system administrators. If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation. If you disable or do not configure this policy setting, the security features of Windows Installer prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. This policy setting is designed for less restrictive environments. It can be used to circumvent errors in an installation program that prevents software from being installed. ADMX Info: - GP English name: *Allow user control over installs* - GP name: *EnableUserControl* - GP path: *Windows Components/Windows Installer* - GP ADMX file name: *MSI.admx* This setting supports a range of values between 0 and 1.
**ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges**
Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark4 check mark4 check mark4 check mark4 cross mark cross mark
[Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] > * User > * Device
Added in Windows 10, version 1803. This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system. If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers. If you disable or do not configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer. Note: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. Caution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed to be secure. ADMX Info: - GP English name: *Always install with elevated privileges* - GP name: *AlwaysInstallElevated* - GP path: *Windows Components/Windows Installer* - GP ADMX file name: *MSI.admx* This setting supports a range of values between 0 and 1.
**ApplicationManagement/RequirePrivateStoreOnly**
Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark cross mark check mark check mark check mark check mark check mark
[Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] > * User > * Device
Allows disabling of the retail catalog and only enables the Private store. Most restricted value is 1. ADMX Info: - GP English name: *Only display the private store within the Microsoft Store* - GP name: *RequirePrivateStoreOnly* - GP path: *Windows Components/Store* - GP ADMX file name: *WindowsStore.admx* The following list shows the supported values: - 0 (default) – Allow both public and Private store. - 1 – Only Private store is enabled.
**ApplicationManagement/RestrictAppDataToSystemVolume**
Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark check mark check mark
[Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] > * Device
Specifies whether application data is restricted to the system drive. Most restricted value is 1. ADMX Info: - GP English name: *Prevent users' app data from being stored on non-system volumes* - GP name: *RestrictAppDataToSystemVolume* - GP path: *Windows Components/App Package Deployment* - GP ADMX file name: *AppxPackageManager.admx* The following list shows the supported values: - 0 (default) – Not restricted. - 1 – Restricted.
**ApplicationManagement/RestrictAppToSystemVolume**
Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark check mark check mark
[Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] > * Device
Specifies whether the installation of applications is restricted to the system drive. Most restricted value is 1. ADMX Info: - GP English name: *Disable installing Windows apps on non-system volumes* - GP name: *DisableDeploymentToNonSystemVolumes* - GP path: *Windows Components/App Package Deployment* - GP ADMX file name: *AppxPackageManager.admx* The following list shows the supported values: - 0 (default) – Not restricted. - 1 – Restricted.
**ApplicationManagement/ScheduleForceRestartForUpdateFailures**
Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark cross mark cross mark check mark5 check mark5
[Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] > * Device
To ensure apps are up-to-date, this policy allows the admins to set a recurring or one time date to restart apps whose update failed due to the app being in use allowing the update to be applied. Value type is string. Sample SyncML: ``` syntax 2 ./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/ScheduleForceRestartForUpdateFailures xml ``` XSD: ``` syntax ```
Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. - 5 - Added in the next major release of Windows 10. ## ApplicationManagement policies supported by Windows Holographic for Business - [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps) - [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate) - [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) ## ApplicationManagement policies supported by IoT Core - [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)