| Policy ID | Policy Setting | Description |
| 2 | Auto Run Policy SECPOLICY_CFAUTORUN | This setting indicates whether applications stored on a Multimedia Card (MMC) are allowed to auto-run when inserted into the device. Default value is 0 for Windows Mobile 6 Professional. The value is not set for Windows Mobile 6 Standard. The following list shows the possible values: - 0 indicates that applications are allowed to run automatically
- 1 indicates that applications are restricted from running automatically
The required role to modify this policy is SECROLE_MANAGER. |
| | | |
| | | |
| 4097 | RAPI Policy SECPOLICY_RAPI | This setting restricts the access of remote applications that are using Remote API (RAPI) to implement ActiveSync operations on Windows Mobile powered devices. Default value is 2 for Windows Mobile. The following list shows the possible values: - 0 indicates that the ActiveSync service is shut down. RAPI calls are rejected.
- 1 indicates full access to ActiveSync is provided. RAPI calls are allowed to process without restrictions.
- 2 indicates that access to ActiveSync is restricted to the SECROLE_USER_AUTH (User Authenticated) role. RAPI calls are checked against this role mask before they are granted.
The required role to modify this policy is SECROLE_MANAGER. |
| 4101 | Unsigned CABS Policy SECPOLICY_UNSIGNEDCABS | This setting indicates whether unsigned .cab files can be installed on the device. On Windows Mobile 6 Standard, accepted unsigned .cab files are installed with the role mask specified by the policy value. For Windows Mobile 6 Standard, if a signed .cab file does not have a matching root certificate in the Software Publisher Certificate (SPC) store, the file is unsigned. You should always use SECPOLICY_UNSIGNEDCABS together with SECPOLICY_UNSIGNEDAPPS. This means that when you block unsigned application from running, you should also block unsigned cab files from getting installed. .gif) Note: |
|---|
| CAB Provisioning Format files — files with a .cpf extension — are processed the same as .cab files when the files are signed. However, when the .cpf file is unsigned the loader processes the .cpf files in silent mode, which means that the user will not get a prompt asking if the user wants to proceed with loading the unsigned file. In this case, the loading process fails. |
Default value is SECROLE_USER_AUTH for Windows Mobile. The following list shows the possible values: - SECROLE_USER_AUTH indicates that Unsigned .cab files will be installed under the SECROLE_USER_AUTH role.
- 0 is equivalent to having none of the role mask bits set, and means that no unsigned .cab files can be installed.
- A specified role mask indicates accepted unsigned .cab files are installed with the role mask specified.
The required role to modify this policy is SECROLE_MANAGER. |
| 4102 | Unsigned Applications Policy SECPOLICY_UNSIGNEDAPPS | This setting indicates whether unsigned applications are allowed to run on Windows Mobile powered devices. If a signed application does not have a matching root certificate in the Privileged Execution Trust Authorities or the Unprivileged Execution Trust Authorities certificate store, the application is unsigned. You should always use SECPOLICY_UNSIGNEDCABS together with SECPOLICY_UNSIGNEDAPPS policy. This means that when you block unsigned applications from running, you should also block unsigned cab files from getting installed on the device. Default value is 1 for Windows Mobile. The following list shows the possible values: - 0 indicates that unsigned applications are not allowed to run on the device.
- 1 indicates that unsigned applications are allowed to run on the device.
- Any value other than 1 is treated as 0.
The required role to modify this policy is SECROLE_MANAGER. |
| 4103 | Unsigned Themes Policy SECPOLICY_UNSIGNEDTHEMES | This setting indicates whether theme files can be installed on the device. Theme files are used for processing homescreens. Accepted unsigned theme files are installed with the role mask specified by the policy value. For Windows Mobile powered devices, if a signed theme file does not have a matching root certificate in the Software Publisher Certificate (SPC) store, the file is unsigned. Default value is SECROLE_USER_UNAUTH for Windows Mobile. The following list shows the possible values: - SECROLE_USER_UNAUTH indicates that Unsigned Theme files will be installed under the SECROLE_USER_UNAUTH role.
- 0 is equivalent to having none of the role mask bits set, and means that no unsigned Theme files can be installed.
- A specified role mask indicates accepted unsigned Theme files are installed with the role mask specified.
The required role to modify this policy is SECROLE_MANAGER. |
| 4104 | Trusted Provisioning Server (TPS) Policy SECPOLICY_TPSCARRIERROLE | This setting indicates whether mobile operators can be assigned the Trusted Provisioning Server (TPS) role. Default value is 1 for Windows Mobile. The following list shows the possible values: - 0 indicates assigning TPS role assignment is disabled.
- 1 indicates TPS role assignment is enabled. Thus, the TPS role can be assigned to mobile operators.
The required role to modify this policy is SECROLE_MANAGER. |
| 4105 | Message Authentication Retry Number Policy SECPOLICY_MAXAUTHENTICATIONRETRY | This setting specifies the maximum number of times the user is allowed to try authenticating a Wireless Application Protocol (WAP) PIN-signed message. Default value is 3 for Windows Mobile. Possible values are 1 through 256. The required role to modify this policy is SECROLE_MANAGER. |
| 4107 | WAP Signed Message Policy SECPOLICY_WAPSIGNEDMSG | This policy has been deprecated. Use SECPOLICY_OMACPNETWPINMSG (4141), SECPOLICY_OMACPUSERPINMSG (4142), and SECPOLICY_OMACPUSERNETWPINMSG (4143) instead. While this policy is still supported, you cannot query for 4107 policy value. | Note: |
|---|
| You cannot use the new security policies (4141, 4142, 4143) and 4107 in the same provisioning document. The old security policy 4107 is deprecated. |
The required role to modify this policy is SECROLE_MANAGER. |
| 4108 | Service Loading (SL) Message Policy SECPOLICY_SL_MESSAGE | This setting indicates whether SL messages are accepted. An SL message downloads new services or provisioning XML to the Windows Mobile powered device. You specify the security roles that can accept SL messages as a role mask. Default value is SECROLE_PPG_TRUSTED for Windows Mobile. The required role to modify this policy is SECROLE_MANAGER. |
| 4109 | Service Indication (SI) Message Policy SECPOLICY_SI_MESSAGE | This setting indicates whether SI messages are accepted. An SI message is sent to Windows Mobile 6 Standard to notify users of new services, service updates, and provisioning services. You specify the security roles that can accept SI messages as a role mask. Default is SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED for Windows Mobile. The required role to modify this policy is SECROLE_MANAGER. |
| 4110 | Unauthenticated Message Policy SECPOLICY_UNAUTHMESSAGES | This setting indicates whether to accept unsigned WAP messages processed by the default security provider in the Security Module (Push Router), based on their origin. The message source must have one of the security roles specified by this policy. You specify the security roles that the unsigned messages will be accepted from as a role mask. Default value is SECROLE_USER_UNAUTH for Windows Mobile. The required role to modify this policy is SECROLE_MANAGER. |
| 4111 | OTA Provisioning Policy SECPOLICY_OTAPROVISIONING | This setting specifies which provisioning messages are accepted by the configuration host based on the roles assigned to the messages. This policy limits the provisioning messages that come from the push router. The default is SECROLE_OPERATOR_TPS | SECROLE_PPG_TRUSTED | SECROLE_PPG_AUTH | SECROLE_TRUSTED_PPG | SECROLE_USER_AUTH | SECROLE_OPERATOR for Windows Mobile. A specified role mask indicates system administrative privileges are given to the role mask specified. The required role to modify this policy is SECROLE_MANAGER. |
| 4113 | WSP Push Policy SECPOLICY_WSPNOTIFICATIONS | This setting indicates whether Wireless Session Protocol (WSP) notifications from the WAP stack are routed. Default value is 1 for Windows Mobile. The following list shows the possible values: - 0 indicates that routing of WSP notifications is not allowed.
- 1 indicates Routing of WSP notifications is allowed
The required role to modify this policy is SECROLE_MANAGER. |
| 4119 | Grant Manager Policy SECPOLICY_GRANTMANAGER | This setting grants the system administrative privileges held by SECROLE_MANAGER to other security roles, without modifying metabase role assignments. The configuration manager enforces the Grant Manager policy. Default value is SECROLE_OPERATOR_TPS for Windows Mobile 6 Professional and SECROLE_USER_AUTH for Windows Mobile 6 Classic. Default value is OPERATOS_TPS for Windows Mobile 6 Standard. The following list shows the possible values: - SECROLE_USER_AUTH indicates system administrative privileges are given to the SECROLE_USER_AUTH mask.
- SECROLE_NONE indicates that only the manager is granted the Manager role.
- A specified role mask indicates system administrative privileges are given to the role mask specified.
The required role to modify this policy is SECROLE_MANAGER. |
| 4120 | Grant User Authenticated Policy SECPOLICY_GRANTUSERAUTH | This setting grants privileges held by SECROLE_USER_AUTH to other security roles without modifying metabase role assignments. Default value is SECROLE_USER_AUTH for Windows Mobile. The following list shows the possible values: - SECROLE_USER_AUTH indicates that no additional administrative privileges are given.
- A specified role mask indicates system administrative privileges are given to the role mask specified.
Configuration Manager enforces the Grant User Authenticated policy. The required role to modify this policy is SECROLE_MANAGER. |
| 4121 | Trusted WAP Proxy Policy SECPOLICY_TRUSTED_WAP_PROXY | This setting specifies the level of permissions required to create, modify, or delete a trusted proxy. WAP proxies are configured by means of the PXLOGICAL characteristic element in a WAP provisioning XML document. A WAP proxy is trusted when the TRUST parameter is specified in the PXLOGICAL characteristic element. You specify the security roles that can have Trusted WAP Proxy level permissions as a role mask. Default value is SECROLE_OPERATOR | SECROLE_OPERATOR_TPS | SECROLE_MANAGER for Windows Mobile. The required role to modify this policy is SECROLE_MANAGER. |
| 4122 | Unsigned Prompt Policy SECPOLICY_UNSIGNEDPROMPT | This setting indicates whether a user is prompted to accept or reject unsigned .cab, theme, .dll and .exe files. Default value is 0 for Windows Mobile. If the value is not set in the registry, then the behavior is the same as setting it to 0. The following list shows the possible values: - 0 indicates user will be prompted.
- 1 indicates user will not be prompted.
- Any value other than 1 is treated as 0.
The required role to modify this policy is SECROLE_MANAGER. |
| 4123 | Privileged Applications Policy SECPOLICY_PRIVILEGEDAPPS | This setting specifies which security model is implemented on the device. | Note: |
|---|
| This policy applies only to Windows Mobile 6 Standard. |
Default value is 1 for Windows Mobile 6 Professional. The default value is 0 for Windows Mobile 6 Standard. If the value is not set in the registry, then the behavior is the same as setting it to 0. The following list shows the possible values: - 0 indicates that a two-tier security model is enabled.
- 1 indicates that a one-tier security model is enabled.
- Any value other than 1 is treated as 0.
The required role to modify this policy is SECROLE_MANAGER. For information about how the one-tier and two-tier security models affect applications, see Windows Mobile Powered Device Security Model. |
| 4124 | SL Security Policy SECPOLICY_SLSECUREDOWNLOAD | This setting allows the operator to override https to use http or wsps to use wsp. The following list shows the possible values: - 0 use https or wsps.
- 1 use http or wsp.
Default value is 1. The required role to modify this policy is SECROLE_MANAGER. |
| 4125 | Signed Mail Policy SECPOLICY_USESIGN | This policy has been deprecated. Use SECPOLICY_SMIMESIGNING and SECPOLICY_SMIMESIGNINGALGORITHM instead. |
| 4126 | Encrypted Message Policy SECPOLICY_USEENCRYPT | This setting has been deprecated. Use SECPOLICY_SMIMEENCRYPTION and SECPOLICY_SMIMEENCRYPTIONALGORITHM instead. |
| 4127 | Software Certificates Policy SECPOLICY_SOFTCERTS | This setting determines whether software certificates can be used to sign outgoing messages. You can use this security policy with a tool that you create to allow people to import certificates. The following list shows the possible values: - 0 indicates that software certificates cannot be used to sign messages.
- 1 indicates that software certificates can be used to sign messages.
The Default value is 1. |
| 4129 | DRM Security Policy SECPOLICY_DRM_WAPRIGHTS | This setting specifies which DRM rights messages are accepted by the DRM engine based on the role assigned to the message. Default is SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED. |
| 4131 | Password Required Policy SECPOLICY_LASS_PWD_REQUIRED | This policy indicates whether a password must be configured on the device. The following list shows the possible values: - 0 indicates that a password is required.
- A value other than 0 indicates that a password is not required.
The Default value is zero (0). The associated registry key does not exist by default. The Required role to modify this policy is SECROLE_MANAGER or SECROLE_ENTERPRISE.
|
| 4132 | Network PIN Prompt Policy SECPOLICY_WAP_NETWPIN_PROMPT | This setting is used when the over the air (OTA) OMA Client Provisioning message is signed with only a network personal identification number (PIN). This setting indicates whether or not to prompt the user to accept device setting changes. The following list shows the possible values: - 0 indicates that the device prompts the user for confirmation to accept changes to device settings.
- 1 indicates that the user is not prompted.
The Default value is 1. The Required role to modify this policy is SECROLE_MANAGER. |
| 4133 | Desktop Unlock SECPOLICY_LASS_DESKTOP | This policy has been deprecated. Use SECPOLICY_LASS_DESKTOP_QUICK_CONNECT (4146) instead. |
| 4134 | Encrypt Removable Storage Policy SECPOLICY_MENCRYPT_REMOVABLE | This setting specifies if the user is allowed to change mobile encryption settings for the removable storage media. The default setting is 1. - 0 (POLICYVAL_MENCRYPT_REMOVABLE_NO_USER) indicates that the user is not allowed to change the encryption settings.
- 1 (POLICYVAL_MENCRYPT_REMOVABLE_USER_ALLOW) indicates that the user can change the encryption settings.
The required role to modify this policy is SECROLE_MANAGER or SECROLE_ENTERPRISE. |
| 4135 | Bluetooth Policy SECPOLICY_BLUETOOTH | This setting specifies if a Bluetooth enabled device allows other devices to perform a search on the device. - 0 (POLICYVAL_BLUETOOTH_VISIBLE_BLOCKED) blocks other devices from searching.
- 1 (POLICYVAL_BLUETOOTH_VISIBLE_ALLOWED) allows other devices to search.
|
| 4136 | HTML Message Policy SECPOLICY_HTML_MESSAGE | This setting specifies whether message transports will allow HTML messages. - 0 (POLICYVAL_HTML_MESSAGE_DISABLED) indicates that HTML messages are not allowed.
- 1 (POLICYVAL_HTML_MESSAGE_ENABLED) indicates that HTML messages are allowed.
|
| 4137 | SMIME Signing Policy SECPOLICY_SMIMESIGNING | This setting specifies whether the Inbox application will send all messaged signed. - 0 (POLICYVAL_SMIMESIGNING_FORCED) all messages must be signed.
- 1 (POLICYVAL_SMIMESIGNING_OPTIONAL) signing messages is optional.
|
| 4138 | SMIME Encryption Policy SECPOLICY_SMIMEENCRYPTION | This setting specifies whether the Inbox application will send all messages encrypted. - 0 (POLICYVAL_SMIMEENCRYPTION_FORCED) all messages must be encrypted.
- 1 (POLICYVAL_SMIMEENCRYPTION_OPTIONAL) encrypting messages is optional.
|
| 4139 | SMIME Signing Algorithm Policy SECPOLICY_SMIMESIGNINGALGORITHM | This setting specifies which algorithm to use to sign a message. - 0 (POLICYVAL_SMIMESIGNINGALGORITHM_DEFAULT) specifies the default algorithm.
- 1 is an invalid value. Do not use this value.
- 2 (POLICYVAL_SMIMESIGNINGALGORITHM_SHA_1) specifies SHA algorithm.
- 3 (POLICYVAL_SMIMESIGNINGALGORITHM_MD5) specifies MD5 algorithm.
|
| 4140 | SMIME Encryption Algorithm Policy SECPOLICY_SMIMEENCRYPTIONALGORITHM | This setting specifies which algorithm to use to encrypt a message. - 0 (POLICYVAL_SMIMEENCRYPTIONALGORITHM_DEFAULT) specifies the default algorithm.
- 1 is an invalid value. Do not use this value.
- 2 (POLICYVAL_SMIMEENCRYPTIONALGORITHM_3DES) specifies triple DES algorithm.
- 3 (POLICYVAL_SMIMEENCRYPTIONALGORITHM_DES) ) specifies DES algorithm.
- 4 (POLICYVAL_SMIMEENCRYPTIONALGORITHM_RC2_128) ) specifies RC2 128-bit algorithm.
- 5 (POLICYVAL_SMIMEENCRYPTIONALGORITHM_RC2_64) ) specifies RC2 64-bit algorithm.
- 6 ()POLICYVAL_SMIMEENCRYPTIONALGORITHM_RC2_40) specifies RC2 40-bit algorithm.
|
| 4141 | OMA CP Network PIN Policy SECPOLICY_OMACPNETWPINMSG | This setting determines whether the OMA network PIN signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted. The default is SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS. You can also use the following security roles: - SECROLE_KNOWN_PPG
- SECROLE_TRUSTED_PPG
- SECROLE_ANY_PUSH_SOURCE
You cannot use any other role than those specified above, otherwise the request will fail. The required role to modify this policy is SECROLE_MANAGER. | Note: |
|---|
| You cannot use 4141 and 4107 in the same provisioning document. The old security policy 4107 is deprecated. |
|
| 4142 | OMA CP User PIN Policy SECPOLICY_OMACPUSERPINMSG | This setting determines whether the OMA user PIN or user MAC signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted. The default is SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS You can also use the following security roles: - SECROLE_TRUSTED_PPG
- SECROLE_ANY_PUSH_SOURCE
- SECROLE_KNOWN_PPG
You cannot use any other role than those specified above, otherwise the request will fail. The required role to modify this policy is SECROLE_MANAGER. | Note: |
|---|
| You cannot use 4142 and 4107 in the same provisioning document. The old security policy 4107 is deprecated. |
|
| 4143 | OMA CP User Network PIN Policy SECPOLICY_OMACPUSERNETWPINMSG | This setting determines whether the OMA user network PIN signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted. The default is SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS. You can also use the following security roles: - SECROLE_KNOWN_PPG
- SECROLE_TRUSTED_PPG
- SECROLE_ANY_PUSH_SOURCE
You cannot use any other role than those specified above, otherwise the request will fail. The required role to modify this policy is SECROLE_MANAGER. | Note: |
|---|
| You cannot use 4143 and 4107 in the same provisioning document. The old security policy 4107 is deprecated. |
|
| 4144 | Message Encryption Negotiation Policy SECPOLICY_SMIMEENCRYPTIONNEGOTIATION | This setting specifies whether the Inbox application can negotiate the encryption algorithm in case a recipient's certificate does not support the specified encryption algorithm. - 0 (POLICYVAL_SMIMEENCRYPTIONNEGOTIATION_NONE) does not allow negotiation.
- 1 (POLICYVAL_SMIMEENCRYPTIONNEGOTIATION_ALLOWSTRONG) allows negotiation to a strong algorithm.
- 2 (POLICYVAL_SMIMEENCRYPTIONNEGOTIATION_ALLOWALL) allows negotiation to any algorithm.
|
| 4145 | SharePoint Access Policy SECPOLICY_SHAREPOINTUNCPROTOCOLACCESS | This setting enables or disables Outlook Mobile SharePoint or UNC access through ActiveSync protocol to get documents. - 0 (POLICYVAL_SHAREPOINTUNCPROTOCOLACCESS_DISALLOW) does not allow SharePoint or UNC file access.
- 1 (POLICYVAL_SHAREPOINTUNCPROTOCOLACCESS_ALLOW) allows Outlook Mobile to get documents on a corporate SharePoint site or UNC.
|
| 4146 | Desktop Quick Connect Authentication Policy SECPOLICY_LASS_DESKTOP_QUICK_CONNECT | This setting specifies how device authentication is handled when connecting to the desktop.. - 0 (POLICYVAL_LASS_DESKTOP_QUICK_CONNECT_DISALLOWED) user must authenticate on the device upon connection, if the device lock is active.
- 1 (POLICYVAL_LASS_DESKTOP_QUICK_CONNECT_ALLOWED) if user chooses quick connect, the desktop uniquely identifies the device and allows device to connect without requiring the user to manually unlock their device.
|