ef1c69b439
* smb adds * smb adds * formatting * private preview and support content * edit removed and dep * Fix blocking issues * Acro-fix * 24H2 CSP Updates * Fix link * fix link in dep page * edit * edit index file * syntax-fix-24h2 * ltsc-edits * ltsc-edits * lichris-docs-1 * Acrolinx improvements * refresh for maxado-8631996 * update link for maxado-8631993 * additional edits, acrolinx * ltsc-tw * contentsource-8914508 * contentsource-8914508 * Updates for 1 October release * Set stale debug to false * update gp link for 24h2 * additional changes * Changes to updates, acrolinx changes * fixes broken links * Fixed alignment issues * updates from Rafal * fixed acrolinx * so many link fixes * added release notes and troubleshoot content * updates * Update security-compliance-toolkit-10.md Added Windows 11 24H2 * Update get-support-for-security-baselines.md Updated for Windows 11 24H2 * bump date * bump date * fix pde comment * fixing broken link * Fix broken redirections * fix to rel link * reset head, fix link * add cli to deploy, add script to cli * removing "mcce" * edits to create page * Update default and global release policies OS version and dates to latest release values * emoved e from mcce and other changes * updated example script * added important notice to update page * more update page changes * clarified how proxy configuration is used * anonymizing variables in example script * revise example script * acrolinx fixes to update page * changes to other pages and content in overview page * Update broken link Update broken link * Update windows-sandbox-configure-using-wsb-file.md Update `HostFolder` value description in `MappedFolder`, specifying that the path could be absolute or relative, not only absolute as, instead, is for the `SandboxFolder` value. * Remove bad link Removed bad link. There is already a second link referring to content so no need to replace the link. * docfx update for security book * Correct TOC entry changing Windows 10 to Windows * Update whats-new-do.md - Vpn to VPN - Minor improvements * Updated date for freshness reporting * Add EOS callout Fix some obvious Acrolinx issues * Fixed typo added clarity * Update mcc-ent-deploy-to-windows.md * Update .openpublishing.redirection.windows-deployment.json * Update .openpublishing.redirection.windows-deployment.json * Update policy-csp-localpoliciessecurityoptions.md * Correct indentation and spacing * Acrolinx: "Enteprise" * Update mcc-ent-edu-overview.md * refresh * Remove redirection and final bits of store-for-business store-for-business, AKA /microsoft-store/, is retired, and the content is archived in officearchive-pr. This archival was for ADO task 9268422. * added support content and other changes * fixed tabs * fixed tabs * Updated device reg policy and group information * Update delivery-optimization-endpoints.md Added a line item in MCC table for Outlook *res.cdn.office.net requirement * freshness review * Fix broken links * Minor change * content for faq * changes to landing page * more content to faqs * pencil edit * add copilot exps link * edits and ren cli file temporarily * ren file back and edit toc to lowercase * edit * edit * edit * Update windows-autopatch-configure-network.md Adding a new network endpoint required for the service 'device.autopatch.microsoft.com' @tiaraquan * Clarify some points and remove data that is confusing to customers. * fix syntax * Sentence correction * Update windows/deployment/do/waas-delivery-optimization-faq.yml Co-authored-by: Meghan Stewart <33289333+mestew@users.noreply.github.com> * Update windows/deployment/do/waas-delivery-optimization-faq.yml Co-authored-by: Meghan Stewart <33289333+mestew@users.noreply.github.com> * moved shortcuts under policy settings article --------- Co-authored-by: Alma Jenks <v-alje@microsoft.com> Co-authored-by: Meghan Stewart <33289333+mestew@users.noreply.github.com> Co-authored-by: Stacyrch140 <102548089+Stacyrch140@users.noreply.github.com> Co-authored-by: Nidhi Doshi <77081571+doshnid@users.noreply.github.com> Co-authored-by: Gary Moore <5432776+garycentric@users.noreply.github.com> Co-authored-by: Vinay Pamnani (from Dev Box) <vinpa@microsoft.com> Co-authored-by: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Co-authored-by: Aaron Czechowski <aczechowski@users.noreply.github.com> Co-authored-by: Aditi Srivastava <133841950+aditisrivastava07@users.noreply.github.com> Co-authored-by: Daniel H. Brown <32883970+DHB-MSFT@users.noreply.github.com> Co-authored-by: David Strome <21028455+dstrome@users.noreply.github.com> Co-authored-by: Padma Jayaraman <v-padmaj@microsoft.com> Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Co-authored-by: Rebecca Agiewich <16087112+rjagiewich@users.noreply.github.com> Co-authored-by: Rick Munck <33725928+jmunck@users.noreply.github.com> Co-authored-by: Tanaka <Huios@users.noreply.github.com> Co-authored-by: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Co-authored-by: Frank Rojas <45807133+frankroj@users.noreply.github.com> Co-authored-by: Davide Piccinini <davide.piccinini.95@gmail.com> Co-authored-by: Phil Garcia <phil@thinkedge.com> Co-authored-by: Learn Build Service GitHub App <Learn Build Service LearnBuild@microsoft.com> Co-authored-by: tiaraquan <tiaraquan@microsoft.com> Co-authored-by: Caitlin Hart <caithart@microsoft.com> Co-authored-by: Harman Thind <63820404+hathin@users.noreply.github.com> Co-authored-by: [cmknox] <[cmknox@gmail.com]> Co-authored-by: Carmen Forsmann <cmforsmann@live.com>
14 KiB
title, description, ms.date
| title | description | ms.date |
|---|---|---|
| ADMX_AppXRuntime Policy CSP | Learn more about the ADMX_AppXRuntime Area in Policy CSP. | 09/27/2024 |
Policy CSP - ADMX_AppXRuntime
[!INCLUDE ADMX-backed CSP tip]
AppxRuntimeApplicationContentUriRules
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules
This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all packaged Microsoft Store apps that use the enterpriseAuthentication capability on a computer.
-
If you enable this policy setting, you can define additional Content URI Rules that all packaged Microsoft Store apps that use the enterpriseAuthentication capability on a computer can use.
-
If you disable or don't set this policy setting, packaged Microsoft Store apps will only use the static Content URI Rules.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
[!INCLUDE ADMX-backed policy note]
ADMX mapping:
| Name | Value |
|---|---|
| Name | AppxRuntimeApplicationContentUriRules |
| Friendly Name | Turn on dynamic Content URI Rules for packaged Microsoft Store apps |
| Location | Computer Configuration |
| Path | Windows Components > App runtime |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Packages\Applications |
| Registry Value Name | EnableDynamicContentUriRules |
| ADMX File Name | AppXRuntime.admx |
AppxRuntimeBlockFileElevation
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_AppXRuntime/AppxRuntimeBlockFileElevation
./Device/Vendor/MSFT/Policy/Config/ADMX_AppXRuntime/AppxRuntimeBlockFileElevation
This policy setting lets you control whether packaged Microsoft Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than packaged Microsoft Store apps, there is a risk that a packaged Microsoft Store app might compromise the system by opening a file in the default desktop app for a file type.
-
If you enable this policy setting, packaged Microsoft Store apps can't open files in the default desktop app for a file type; they can open files only in other packaged Microsoft Store apps.
-
If you disable or don't configure this policy setting, packaged Microsoft Store apps can open files in the default desktop app for a file type.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
[!INCLUDE ADMX-backed policy note]
ADMX mapping:
| Name | Value |
|---|---|
| Name | AppxRuntimeBlockFileElevation |
| Friendly Name | Block launching desktop apps associated with a file. |
| Location | Computer and User Configuration |
| Path | Windows Components > App runtime |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Associations |
| Registry Value Name | BlockFileElevation |
| ADMX File Name | AppXRuntime.admx |
AppxRuntimeBlockHostedAppAccessWinRT
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT
This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched.
-
If you enable this policy setting, Universal Windows apps which declare Windows Runtime API access in ApplicationContentUriRules section of the manifest can't be launched; Universal Windows apps which haven't declared Windows Runtime API access in the manifest aren't affected.
-
If you disable or don't configure this policy setting, all Universal Windows apps can be launched.
This policy shouldn't be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
[!INCLUDE ADMX-backed policy note]
ADMX mapping:
| Name | Value |
|---|---|
| Name | AppxRuntimeBlockHostedAppAccessWinRT |
| Friendly Name | Block launching Universal Windows apps with Windows Runtime API access from hosted content. |
| Location | Computer Configuration |
| Path | Windows Components > App runtime |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | BlockHostedAppAccessWinRT |
| ADMX File Name | AppXRuntime.admx |
AppxRuntimeBlockProtocolElevation
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation
./Device/Vendor/MSFT/Policy/Config/ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation
This policy setting lets you control whether packaged Microsoft Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than packaged Microsoft Store apps, there is a risk that a URI scheme launched by a packaged Microsoft Store app might compromise the system by launching a desktop app.
-
If you enable this policy setting, packaged Microsoft Store apps can't open URIs in the default desktop app for a URI scheme; they can open URIs only in other packaged Microsoft Store apps.
-
If you disable or don't configure this policy setting, packaged Microsoft Store apps can open URIs in the default desktop app for a URI scheme.
Note
Enabling this policy setting doesn't block packaged Microsoft Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
[!INCLUDE ADMX-backed policy note]
ADMX mapping:
| Name | Value |
|---|---|
| Name | AppxRuntimeBlockProtocolElevation |
| Friendly Name | Block launching desktop apps associated with a URI scheme |
| Location | Computer and User Configuration |
| Path | Windows Components > App runtime |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Associations |
| Registry Value Name | BlockProtocolElevation |
| ADMX File Name | AppXRuntime.admx |