mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-20 09:17:25 +00:00

Nicholas Brower b104c0cf6f Merged PR 2969: fixing admx info

automation update: GP path, and e->English name; re-orders a few policies as well, and adjusts white-space; one null SKU deleted

2017-08-30 22:50:41 +00:00

14 KiB

Raw Blame History

title, description, ms.author, ms.topic, ms.prod, ms.technology, author, ms.date

title	description	ms.author	ms.topic	ms.prod	ms.technology	author	ms.date
Policy CSP - Security	Policy CSP - Security	maricia	article	w10	windows	nickbrower	08/30/2017

Policy CSP - Security

Warning

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Security policies

Security/AllowAddProvisioningPackage

Home	Pro	Business	Enterprise	Education	Mobile	Mobile Enterprise

Specifies whether to allow the runtime configuration agent to install provisioning packages.

The following list shows the supported values:

0 – Not allowed.
1 (default) – Allowed.

Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices

Home	Pro	Business	Enterprise	Education	Mobile	Mobile Enterprise

Note

This policy has been deprecated in Windows 10, version 1607

Note

This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.

The following list shows the supported values:

0 – Not allowed.
1 (default) – Allowed.

Security/AllowManualRootCertificateInstallation

Home	Pro	Business	Enterprise	Education	Mobile	Mobile Enterprise

Note

This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Specifies whether the user is allowed to manually install root and intermediate CA certificates.

The following list shows the supported values:

0 – Not allowed.
1 (default) – Allowed.

Most restricted value is 0.

Security/AllowRemoveProvisioningPackage

Home	Pro	Business	Enterprise	Education	Mobile	Mobile Enterprise

Specifies whether to allow the runtime configuration agent to remove provisioning packages.

The following list shows the supported values:

0 – Not allowed.
1 (default) – Allowed.

Security/AntiTheftMode

Home	Pro	Business	Enterprise	Education	Mobile	Mobile Enterprise

Note

This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Allows or disallow Anti Theft Mode on the device.

The following list shows the supported values:

0 – Don't allow Anti Theft Mode.
1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent).

Security/ClearTPMIfNotReady

Home	Pro	Business	Enterprise	Education	Mobile	Mobile Enterprise
	³	³	³	³

Note

This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Added in Windows 10, version 1709. Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart.

The following list shows the supported values:

0 (default) – Will not force recovery from a non-ready TPM state.
1 – Will prompt to clear the TPM if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear.

Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices

Home	Pro	Business	Enterprise	Education	Mobile	Mobile Enterprise
	¹		¹	¹

Note

This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**.

Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.

The following list shows the supported values:

0 (default) – Encryption enabled.
1 – Encryption disabled.

Security/RequireDeviceEncryption

Home	Pro	Business	Enterprise	Education	Mobile	Mobile Enterprise

Note

This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the DeviceStatus CSP node DeviceStatus/Compliance/EncryptionCompliance.

Allows enterprise to turn on internal storage encryption.

The following list shows the supported values:

0 (default) – Encryption is not required.
1 – Encryption is required.

Most restricted value is 1.

Important

If encryption has been enabled, it cannot be turned off by using this policy.

Security/RequireProvisioningPackageSignature

Home	Pro	Business	Enterprise	Education	Mobile	Mobile Enterprise

Specifies whether provisioning packages must have a certificate signed by a device trusted authority.

The following list shows the supported values:

0 (default) – Not required.
1 – Required.

Security/RequireRetrieveHealthCertificateOnBoot

Home	Pro	Business	Enterprise	Education	Mobile	Mobile Enterprise

Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots.

The following list shows the supported values:

0 (default) – Not required.
1 – Required.

Setting this policy to 1 (Required):

Determines whether a device is capable of Remote Device Health Attestation, by verifying if the device has TPM 2.0.
Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification.