
Policy CSP

Last Updated: 1/13/2017
Warning

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies.

The Policy configuration service provider has the following sub-categories:

  • Policy/Config/AreaName – Handles the policy configuration request from the server.
  • Policy/Result/AreaName – Provides a read-only path to policies enforced on the device.

The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.

(Figure: Policy CSP diagram)

./Vendor/MSFT/Policy

The root node for the Policy configuration service provider.

Supported operation is Get.

Policy/Config

Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value), the configuration source can use the Policy/Result path to retrieve the resulting value.

Supported operation is Get.

Policy/Config/AreaName

The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value.

Supported operations are Add, Get, and Delete.

Policy/Config/AreaName/PolicyName

Specifies the name/value pair used in the policy.

The following list shows some tips to help you when configuring policies:

  • Separate substring values by the Unicode  in the XML file.

Note: A query from a different caller could return a different value, because each caller can have its own value for a named policy.

  • In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction.
  • Supported operations are Add, Get, Delete, and Replace.
  • Value type is string.

Policy/Result

Groups the evaluated policies from all providers that can be configured.

Supported operation is Get.

Policy/Result/AreaName

The area group that can be configured by a single technology independent of the providers.

Supported operation is Get.

Policy/Result/AreaName/PolicyName

Specifies the name/value pair used in the policy.

Supported operation is Get.
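
The Config and Result paths described above can be exercised together to check whether the value a management server set is the one the device actually enforces. The following Python sketch is an added example, not code from this documentation: it builds a SyncML message that sets policies under Policy/Config inside a single Atomic command, builds the matching Get against Policy/Result, and compares a device response with what was requested. The helper names, the int format, the policy values and the sample response are assumptions constructed for illustration; the two policy names are taken from the table below.

```python
import xml.etree.ElementTree as ET

SYNCML_NS = "SYNCML:SYNCML1.2"
METINF_NS = "syncml:metinf"
CONFIG_ROOT = "./Vendor/MSFT/Policy/Config"
RESULT_ROOT = "./Vendor/MSFT/Policy/Result"

# Constructed sample: what this configuration source wants to enforce.
# The format ("int") and the values are assumptions for illustration.
REQUESTED = {
    "Camera/AllowCamera": ("int", 0),
    "DeviceLock/MinDevicePasswordLength": ("int", 6),
}

# Constructed sample response to the Get built by build_result_get().
# Another source (for example Exchange) is assumed to have set length 8.
SAMPLE_RESPONSE = """<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody>
<Results><CmdID>3</CmdID><MsgRef>2</MsgRef><CmdRef>1</CmdRef><Item>
  <Source><LocURI>./Vendor/MSFT/Policy/Result/Camera/AllowCamera</LocURI></Source>
  <Data>0</Data></Item></Results>
<Results><CmdID>4</CmdID><MsgRef>2</MsgRef><CmdRef>2</CmdRef><Item>
  <Source><LocURI>./Vendor/MSFT/Policy/Result/DeviceLock/MinDevicePasswordLength</LocURI></Source>
  <Data>8</Data></Item></Results>
<Final/></SyncBody></SyncML>"""


def _envelope():
    """Return (root, body) for an empty SyncML message."""
    root = ET.Element("SyncML", {"xmlns": SYNCML_NS})
    return root, ET.SubElement(root, "SyncBody")


def _command(parent, verb, cmd_id, loc_uri):
    """Append <verb> with a CmdID and one Item targeting loc_uri."""
    cmd = ET.SubElement(parent, verb)
    ET.SubElement(cmd, "CmdID").text = str(cmd_id)
    item = ET.SubElement(cmd, "Item")
    ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = loc_uri
    return item


def build_config_set(policies):
    """Set every policy under Policy/Config inside one Atomic command,
    so the device applies all of them or none."""
    root, body = _envelope()
    atomic = ET.SubElement(body, "Atomic")
    ET.SubElement(atomic, "CmdID").text = "1"
    for cmd_id, (name, (fmt, value)) in enumerate(policies.items(), start=2):
        item = _command(atomic, "Replace", cmd_id, f"{CONFIG_ROOT}/{name}")
        meta = ET.SubElement(item, "Meta")
        ET.SubElement(meta, "Format", {"xmlns": METINF_NS}).text = fmt
        ET.SubElement(item, "Data").text = str(value)
    ET.SubElement(body, "Final")
    return ET.tostring(root, encoding="unicode")


def build_result_get(names):
    """Query the evaluated (post conflict resolution) values under Policy/Result."""
    root, body = _envelope()
    for cmd_id, name in enumerate(names, start=1):
        _command(body, "Get", cmd_id, f"{RESULT_ROOT}/{name}")
    ET.SubElement(body, "Final")
    return ET.tostring(root, encoding="unicode")


def parse_results(response_xml):
    """Map "AreaName/PolicyName" to the Data value of each Policy/Result item."""
    ns = {"s": SYNCML_NS}
    effective = {}
    for item in ET.fromstring(response_xml).iterfind(".//s:Results/s:Item", ns):
        uri = item.findtext("s:Source/s:LocURI", default="", namespaces=ns)
        if uri.startswith(RESULT_ROOT + "/"):
            name = uri[len(RESULT_ROOT) + 1:]
            effective[name] = item.findtext("s:Data", default="", namespaces=ns)
    return effective


def find_overrides(requested, effective):
    """Return {policy: (requested, effective)} where the enforced value
    differs from, or is missing relative to, what this source set."""
    return {
        name: (str(value), effective.get(name))
        for name, (_fmt, value) in requested.items()
        if effective.get(name) != str(value)
    }


if __name__ == "__main__":
    print(build_config_set(REQUESTED))
    print(build_result_get(REQUESTED))
    print(find_overrides(REQUESTED, parse_results(SAMPLE_RESPONSE)))
```

A non-empty result from find_overrides means another configuration source won conflict resolution for that policy, which is worth surfacing in compliance reporting rather than assuming the Config value is in force.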

Policy Tables

Some policies are only supported in either Windows 10 for desktop or Windows 10 Mobile. In addition, some policies also have a corresponding Group Policy. The following tables provide this information:

Table of Policies for Windows 10


| Area Name / Policy Name | Supported in Home | Supported in Pro | Supported in Enterprise | Supported in Education | Supported in Mobile | Supported in Mobile Enterprise | Supported in IoT Core | Can be set using Exchange Active Sync (EAS) |
|---|---|---|---|---|---|---|---|---|
| AboveLock/AllowActionCenterNotifications | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ |
| AboveLock/AllowCortanaAboveLock | ✗ | ✓* | ✓* | ✓* | ✓* | ✓* | ✗ | ✗ |
| AboveLock/AllowToasts | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| Accounts/AllowAddingNonMicrosoftAccountsManually | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| Accounts/AllowMicrosoftAccountConnection | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| Accounts/DomainNamesForEmailSync | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| ApplicationManagement/AllowAllTrustedApps | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| ApplicationManagement/AllowAppStoreAutoUpdate | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| ApplicationManagement/AllowDeveloperUnlock | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| ApplicationManagement/AllowGameDVR | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| ApplicationManagement/AllowSharedUserAppData | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| ApplicationManagement/AllowStore | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ |
| ApplicationManagement/ApplicationRestrictions | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ |
| ApplicationManagement/DisableStoreOriginatedApps | ✗ | ✗ | ✓* | ✓* | ✗ | ✗ | ✗ | ✗ |
| ApplicationManagement/RequirePrivateStoreOnly | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| ApplicationManagement/RestrictAppDataToSystemVolume | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| ApplicationManagement/RestrictAppToSystemVolume | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| Authentication/AllowEAPCertSSO | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Authentication/AllowFastReconnect | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| Authentication/AllowSecondaryAuthenticationDevice | ✓* | ✓* | ✓* | ✓* | ✓* | ✓* | ✓* | ✗ |
| Bitlocker/EncryptionMethod | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| Bluetooth/AllowAdvertising | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| Bluetooth/AllowDiscoverableMode | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| Bluetooth/AllowPrepairing | ✗ | ✓* | ✓* | ✓* | ✓* | ✓* | ✓* | ✗ |
| Bluetooth/LocalDeviceName | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| Bluetooth/ServicesAllowedList | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| Browser/AllowAutofill | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✗ |
| Browser/AllowBrowser | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ |
| Browser/AllowCookies | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Browser/AllowDeveloperTools | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Browser/AllowDoNotTrack | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| Browser/AllowExtensions | ✗ | ✓* | ✓* | ✓* | ✗ | ✗ | ✗ | ✗ |
| Browser/AllowInPrivate | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| Browser/AllowPasswordManager | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| Browser/AllowPopups | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✗ |
| Browser/AllowSearchSuggestionsinAddressBar | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| Browser/AllowSmartScreen | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| Browser/EnterpriseModeSiteList | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| Browser/FirstRunURL | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ |
| Browser/HomePages | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Browser/PreventAccessToAboutFlagsInMicrosoftEdge | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Browser/PreventSmartScreenPromptOverride | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| Browser/PreventSmartScreenPromptOverrideForFiles | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| Browser/PreventUsingLocalHostIPAddressForWebRTC | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Browser/SendIntranetTraffictoInternetExplorer | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✗ |
| Browser/ShowMessageWhenOpeningSitesInInternetExplorer | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Camera/AllowCamera | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Connectivity/AllowBluetooth | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Connectivity/AllowCellularData | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ |
| Connectivity/AllowCellularDataRoaming | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Connectivity/AllowNFC | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✗ |
| Connectivity/AllowUSBConnection | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ |
| Connectivity/AllowVPNOverCellular | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| Connectivity/AllowVPNRoamingOverCellular | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| Cryptography/AllowFipsAlgorithmPolicy | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| Cryptography/TLSCipherSuites | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| DataProtection/AllowDirectMemoryAccess | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| DataProtection/LegacySelectiveWipeID | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/AllowArchiveScanning | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/AllowBehaviorMonitoring | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/AllowCloudProtection | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/AllowEmailScanning | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/AllowFullScanOnMappedNetworkDrives | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/AllowFullScanRemovableDriveScanning | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/AllowIntrusionPreventionSystem | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/AllowIOAVProtection | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/AllowOnAccessProtection | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/AllowRealtimeMonitoring | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/AllowScanningNetworkFiles | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/AllowScriptScanning | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/AllowUserUIAccess | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/AVGCPULoadFactor | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/DaysToRetainCleanedMalware | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/ExcludedExtensions | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/ExcludedPaths | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/ExcludedProcesses | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/PUAProtection | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/RealTimeScanDirection | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/ScanParameter | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/ScheduleQuickScanTime | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/ScheduleScanDay | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/ScheduleScanTime | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/SignatureUpdateInterval | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/SubmitSamplesConsent | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Defender/ThreatSeverityDefaultAction | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| DeliveryOptimization/DOAbsoluteMaxCacheSize | ✗ | ✓* | ✓* | ✓* | ✗ | ✗ | ✗ | ✗ |
| DeliveryOptimization/DODownloadMode | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| DeliveryOptimization/DOGroupID | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| DeliveryOptimization/DOMaxCacheAge | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| DeliveryOptimization/DOMaxCacheSize | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| DeliveryOptimization/DOMaxDownloadBandwidth | ✗ | ✓* | ✓* | ✓* | ✗ | ✗ | ✗ | ✗ |
| DeliveryOptimization/DOMaxUploadBandwidth | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| DeliveryOptimization/DOMinBackgroundQos | ✗ | ✓* | ✓* | ✓* | ✗ | ✗ | ✗ | ✗ |
| DeliveryOptimization/DOModifyCacheDrive | ✗ | ✓* | ✓* | ✓* | ✗ | ✗ | ✗ | ✗ |
| DeliveryOptimization/DOMonthlyUploadDataCap | ✗ | ✓* | ✓* | ✓* | ✗ | ✗ | ✗ | ✗ |
| DeliveryOptimization/DOPercentageMaxDownloadBandwidth | ✗ | ✓* | ✓* | ✓* | ✗ | ✗ | ✗ | ✗ |
| DeviceLock/AllowIdleReturnWithoutPassword | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ |
| DeviceLock/AllowScreenTimeoutWhileLockedUserConfig | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ |
| DeviceLock/AllowSimpleDevicePassword | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ |
| DeviceLock/AlphanumericDevicePasswordRequired | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ |
| DeviceLock/DevicePasswordEnabled | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ |
| DeviceLock/DevicePasswordExpiration | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ |
| DeviceLock/DevicePasswordHistory | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ |
| DeviceLock/EnforceLockScreenAndLogonImage | ✗ | ✓* | ✓* | ✓* | ✗ | ✗ | ✗ | ✗ |
| DeviceLock/EnforceLockScreenProvider | ✗ | ✗ | ✗ | ✗ | ✓* | ✓* | ✗ | ✗ |
| DeviceLock/MaxDevicePasswordFailedAttempts | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ |
| DeviceLock/MaxInactivityTimeDeviceLock | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ |
| DeviceLock/MinDevicePasswordComplexCharacters | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ |
| DeviceLock/ScreenTimeoutWhileLocked | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗ | |
| DeviceLock/MinDevicePasswordLength | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ |
| Experience/AllowCopyPaste | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ |
| Experience/AllowCortana | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| Experience/AllowDeviceDiscovery | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| Experience/AllowManualMDMUnenrollment | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| Experience/AllowScreenCapture | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ |
| Experience/AllowSIMErrorDialogPromptWhenNoSIM | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ |
| Experience/AllowSyncMySettings | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| Experience/AllowTaskSwitcher | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ |
| Experience/AllowThirdPartySuggestionsInWindowsSpotlight | ✗ | ✓* | ✓* | ✓* | ✗ | ✗ | ✗ | ✗ |
| Experience/AllowVoiceRecording | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ |
| Experience/AllowWindowsConsumerFeatures | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Experience/AllowWindowsSpotlight | ✗ | ✗ | ✓* | ✓* | ✗ | ✗ | ✗ | ✗ |
| Experience/AllowWindowsTips | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Experience/ConfigureWindowsSpotlightOnLockScreen | ✗ | ✗ | ✓* | ✓* | ✗ | ✗ | ✗ | ✗ |
| Experience/DoNotShowFeedbackNotifications | ✓* | ✓* | ✓* | ✓* | ✓* | ✓* | ✗ | ✗ |
| Licensing/AllowWindowsEntitlementReactivation | ✗ | ✓* | ✓* | ✓* | ✗ | ✗ | ✗ | ✗ |
| Licensing/DisallowKMSClientOnlineAVSValidation | ✗ | ✓* | ✓* | ✓* | ✗ | ✗ | ✗ | ✗ |
| LockDown/AllowEdgeSwipe | ✗ | ✓* | ✓* | ✓* | ✗ | ✗ | ✗ | ✗ |
| Maps/EnableOfflineMapsAutoUpdate | ✗ | ✓* | ✓* | ✓* | ✓* | ✓* | ✗ | ✗ |
| Maps/AllowOfflineMapsDownloadOverMeteredConnection | ✗ | ✓* | ✓* | ✓* | ✓* | ✓* | ✗ | ✗ |
| Messaging/AllowMessageSync | ✗ | ✗ | ✗ | ✗ | ✓* | ✓* | ✗ | ✗ |
| NetworkIsolation/EnterpriseCloudResources | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| NetworkIsolation/EnterpriseInternalProxyServers | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| NetworkIsolation/EnterpriseIPRange | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| NetworkIsolation/EnterpriseIPRangesAreAuthoritative | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| NetworkIsolation/EnterpriseNetworkDomainNames | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| NetworkIsolation/EnterpriseProxyServers | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| NetworkIsolation/EnterpriseProxyServersAreAuthoritative | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| NetworkIsolation/NeutralResources | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| Notifications/DisallowNotificationMirroring | ✗ | ✓* | ✓* | ✓* | ✓* | ✓* | ✗ | ✗ |
| Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts | ✓* | ✓* | ✓* | ✓* | ✓ | ✓ | ✗ | ✗ |
| Privacy/AllowInputPersonalization | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| Privacy/DisableAdvertisingId | ✓* | ✓* | ✓* | ✓* | ✓* | ✓* | ✗ | ✗ |
| Privacy/LetAppsAccessAccountInfo | ✓* | ✓* | ✓* | ✓* | ✓* | ✓* | ✗ | ✗ |
| Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps | ✓* | ✓* | ✓* | ✓* | ✓* | ✓* | ✗ | ✗ |
| Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps | ✓* | ✓* | ✓* | ✓* | ✓* | ✓* | ✗ | ✗ |
| Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps | ✓* | ✓* | ✓* | ✓* | ✓* | ✓* | ✗ | ✗ |

Privacy/LetAppsAccessCalendarcheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessCalendar_ForceAllowTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessCalendar_ForceDenyTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessCalendar_UserInControlOfTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessCallHistorycheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessCallHistory_ForceAllowTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessCallHistory_ForceDenyTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessCallHistory_UserInControlOfTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessCameracheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessCamera_ForceAllowTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessCamera_ForceDenyTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessCamera_UserInControlOfTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessContactscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessContacts_ForceAllowTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessContacts_ForceDenyTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessContacts_UserInControlOfTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessEmailcheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessEmail_ForceAllowTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessEmail_ForceDenyTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessEmail_UserInControlOfTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessLocationcheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessLocation_ForceAllowTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessLocation_ForceDenyTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessLocation_UserInControlOfTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessMessagingcheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessMessaging_ForceAllowTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessMessaging_ForceDenyTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessMessaging_UserInControlOfTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessMicrophonecheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessMicrophone_ForceAllowTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessMicrophone_ForceDenyTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessMicrophone_UserInControlOfTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessMotioncheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessMotion_ForceAllowTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessMotion_ForceDenyTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessMotion_UserInControlOfTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessNotificationscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessNotifications_ForceAllowTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessNotifications_ForceDenyTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessNotifications_UserInControlOfTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessPhonecheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

cross mark
Privacy/LetAppsAccessPhone_ForceAllowTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessPhone_ForceDenyTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessPhone_UserInControlOfTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessRadioscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessRadios_ForceAllowTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessRadios_ForceDenyTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessRadios_UserInControlOfTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessTrustedDevicescheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsSyncWithDevicescheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsSyncWithDevices_ForceAllowTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsSyncWithDevices_ForceDenyTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Privacy/LetAppsSyncWithDevices_UserInControlOfTheseAppscheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Search/AllowIndexingEncryptedStoresOrItemscross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Search/AllowSearchToUseLocationcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

check mark

EAS

Search/AllowUsingDiacriticscross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Search/AlwaysUseAutoLangDetectioncross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Search/DisableBackoffcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Search/DisableRemovableDriveIndexingcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Search/PreventIndexingLowDiskSpaceMBcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Search/PreventRemoteQueriescross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Search/SafeSearchPermissionscross mark

Home

cross mark

Pro

cross mark

Enterprise

cross mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Security/AllowAddProvisioningPackagecross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

check mark

IoT Core

cross mark

EAS

Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevicescross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Security/AllowManualRootCertificateInstallationcross mark

Home

cross mark

Pro

cross mark

Enterprise

cross mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Security/AllowRemoveProvisioningPackagecross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

check mark

IoT Core

cross mark

EAS

Security/AntiTheftModecross mark

Home

cross mark

Pro

cross mark

Enterprise

cross mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevicescross mark

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Security/RequireDeviceEncryptioncross mark

Home

cross mark

Pro

cross mark

Enterprise

cross mark

Education

check mark

Mobile

check mark

Mobile Enterprise

check mark

IoT Core

check mark

EAS

Security/RequireProvisioningPackageSignaturecross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

check mark

IoT Core

cross mark

EAS

Security/RequireRetrieveHealthCertificateOnBootcheck mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Settings/AllowAutoPlaycross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Settings/AllowDataSensecross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Settings/AllowDateTimecross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Settings/AllowEditDeviceNamecross mark

Home

cross mark

Pro

cross mark

Enterprise

cross mark

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Settings/AllowLanguagecross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Settings/AllowPowerSleepcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Settings/AllowRegioncross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Settings/AllowSignInOptionscross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Settings/AllowVPNcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Settings/AllowWorkplacecross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Settings/AllowYourAccountcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Speech/AllowSpeechModelUpdatecheck mark*

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark*

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Start/ForceStartSizecross mark

Home

cross mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Start/StartLayoutcross mark

Home

cross mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

System/AllowBuildPreviewcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

System/AllowEmbeddedModecross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

check mark

IoT Core

System/AllowExperimentationcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

System/AllowLocationcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

System/AllowStorageCardcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

check mark

IoT Core

check mark

EAS

System/AllowTelemetrycross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

System/AllowUserToResetPhonecross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

System/TelemetryProxycross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

check mark

IoT Core

check mark

EAS

TextInput/AllowIMELoggingcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

TextInput/AllowIMENetworkAccesscross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

TextInput/AllowInputPanelcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

TextInput/AllowJapaneseIMESurrogatePairCharacterscross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

TextInput/AllowJapaneseIVSCharacterscross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

TextInput/AllowJapaneseNonPublishingStandardGlyphcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

TextInput/AllowJapaneseUserDictionarycross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

TextInput/AllowLanguageFeaturesUninstallcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

TextInput/AllowLinguisticDataCollectioncross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

TextInput/ExcludeJapaneseIMEExceptJIS0208cross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDCcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

TextInput/ExcludeJapaneseIMEExceptShiftJIScross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Update/ActiveHoursEndcross mark

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

cross mark

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Update/ActiveHoursStartcross mark

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

cross mark

Mobile

check mark*

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Update/AllowAutoUpdatecross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Update/AllowMUUpdateServicecross mark

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Update/AllowNonMicrosoftSignedUpdatecross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

check mark

Mobile Enterprise

check mark

IoT Core

cross mark

EAS

Update/AllowUpdateServicecross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

check mark

Mobile Enterprise

check mark

IoT Core

cross mark

EAS

Update/BranchReadinessLevelcross mark

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

cross mark

Mobile

check mark*

Mobile Enterprise

check mark*

IoT Core

cross mark

EAS

Update/DeferFeatureUpdatesPeriodInDayscross mark

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

cross mark

Mobile

cross mark

Mobile Enterprise

check mark*

IoT Core

cross mark

EAS

Update/DeferQualityUpdatesPeriodInDayscross mark

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

cross mark

Mobile

check mark*

Mobile Enterprise

check mark*

IoT Core

cross mark

EAS

Update/DeferUpdatePeriodcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Update/DeferUpgradePeriodcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Update/ExcludeWUDriversInQualityUpdatecross mark

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

cross mark

Mobile

cross mark

Mobile Enterprise

check mark*

IoT Core

cross mark

EAS

Update/PauseDeferralscross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

check mark

Mobile Enterprise

check mark

IoT Core

cross mark

EAS

Update/PauseFeatureUpdatescross mark

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

cross mark

Mobile

cross mark

Mobile Enterprise

check mark*

IoT Core

cross mark

EAS

Update/PauseQualityUpdatescross mark

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

cross mark

Mobile

check mark*

Mobile Enterprise

check mark*

IoT Core

cross mark

EAS

Update/RequireDeferUpgradecross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

check mark

Mobile Enterprise

check mark

IoT Core

cross mark

EAS

Update/RequireUpdateApprovalcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

check mark

Mobile Enterprise

check mark

IoT Core

cross mark

EAS

Update/ScheduledInstallDaycross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

check mark

Mobile Enterprise

check mark

IoT Core

cross mark

EAS

Update/ScheduledInstallTimecross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

check mark

Mobile Enterprise

check mark

IoT Core

cross mark

EAS

Update/UpdateServiceUrlcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

check mark

Mobile Enterprise

check mark

IoT Core

cross mark

EAS

Update/UpdateServiceUrlAlternatecross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

WiFi/AllowAutoConnectToWiFiSenseHotspotscross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

check mark

IoT Core

cross mark

EAS

WiFi/AllowInternetSharingcross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

check mark

IoT Core

check mark

EAS

WiFi/AllowManualWiFiConfigurationcross mark

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark

Mobile

check mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

WiFi/AllowWiFicross mark

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

check mark

Mobile

check mark

Mobile Enterprise

check mark

IoT Core

check mark

EAS

WiFi/WLANScanModecross mark

Home

check mark

Pro

check mark

Enterprise

check mark

Education

check mark

Mobile

check mark

Mobile Enterprise

check mark

IoT Core

cross mark

EAS

WindowsInkWorkspace/AllowWindowsInkWorkspacecross mark

Home

check mark*check mark*

Enterprise

check mark*

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspacecross mark

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

WirelessDisplay/AllowProjectionToPCcross mark

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

WirelessDisplay/RequirePinForPairingcross mark

Home

check mark*

Pro

check mark*

Enterprise

check mark*

Education

cross mark

Mobile

cross mark

Mobile Enterprise

cross mark

IoT Core

cross mark

EAS

Footnote:

  • * - Added in Windows 10, version 1607.

Policies supported by Windows Holographic Enterprise

Policies supported by Microsoft Surface Hub

List of <AreaName>/<PolicyName>

AboveLock/AllowActionCenterNotifications

Note: This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Specifies whether to allow Action Center notifications above the device lock screen.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

AboveLock/AllowCortanaAboveLock

Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

AboveLock/AllowToasts

Specifies whether to allow toast notifications above the device lock screen.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Accounts/AllowAddingNonMicrosoftAccountsManually

Specifies whether the user is allowed to add non-MSA email accounts.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Note This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the EMAIL2 CSP.

Accounts/AllowMicrosoftAccountConnection

Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Accounts/DomainNamesForEmailSync

Specifies a list of the domains that are allowed to sync email on the device.

The data type is a string.

The default value is an empty string, which allows all email accounts on the device to sync email. Otherwise, the string should contain a pipe-separated list of domains that are allowed to sync email on the device. For example, "contoso.com|fabrikam.net|woodgrove.gov".

ApplicationManagement/AllowAllTrustedApps

Specifies whether non-Windows Store apps are allowed.

The following list shows the supported values:

  • 0 – Explicit deny.
  • 1 – Explicit allow unlock.
  • 65535 (default) – Not configured.

Most restricted value is 0.

ApplicationManagement/AllowAppStoreAutoUpdate

Specifies whether automatic update of apps from Windows Store is allowed.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

ApplicationManagement/AllowDeveloperUnlock

Specifies whether developer unlock is allowed.

The following list shows the supported values:

  • 0 – Explicit deny.
  • 1 – Explicit allow unlock.
  • 65535 (default) – Not configured.

Most restricted value is 0.

ApplicationManagement/AllowGameDVR

Note The policy is only enforced in Windows 10 for desktop.

Specifies whether DVR and broadcasting are allowed.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

ApplicationManagement/AllowSharedUserAppData

Specifies whether multiple users of the same app can share data.

The following list shows the supported values:

  • 0 (default) – Not allowed.
  • 1 – Allowed.

Most restricted value is 0.

ApplicationManagement/AllowStore

Specifies whether the app store is allowed on the device.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

ApplicationManagement/ApplicationRestrictions

Note This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the AppLocker CSP instead.

An XML blob that specifies the application restrictions the company wants to put on the device. It could be an app allow list, app disallow list, allowed publisher IDs, and so on. For a list of Windows apps and product IDs, see inbox apps. For more information about the XML, see the ApplicationRestrictions XSD.

Note
When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile with a list of allowed apps, some Windows inbox apps get blocked, causing unexpected behavior. To work around this issue, you must include the inbox apps that you need in your list of allowed apps.

Here's additional guidance for the upgrade process:

  • Use Windows 10 product IDs for the apps listed in inbox apps.
  • Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it.
  • In the SyncML, you must use lowercase product ID.
  • Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error.
  • You cannot disable or enable Contact Support and Windows Feedback apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the inbox apps.

An application that is running may not be immediately terminated.

Value type is chr.

Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies.

ApplicationManagement/DisableStoreOriginatedApps

Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Windows Store that came pre-installed or were downloaded.

The following list shows the supported values:

  • 0 (default) – Enable launch of apps.
  • 1 – Disable launch of apps.

ApplicationManagement/RequirePrivateStoreOnly

Allows disabling of the retail catalog and only enables the Private store.

Important
This node must be accessed using the following paths:

  • ./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly to set the policy.
  • ./User/Vendor/MSFT/Policy/Result/ApplicationManagement/RequirePrivateStoreOnly to get the result.

The following list shows the supported values:

  • 0 (default) – Allow both public and Private store.
  • 1 – Only Private store is enabled.

This is a per user policy.

Most restricted value is 1.

ApplicationManagement/RestrictAppDataToSystemVolume

Specifies whether application data is restricted to the system drive.

The following list shows the supported values:

  • 0 (default) – Not restricted.
  • 1 – Restricted.

Most restricted value is 0.

ApplicationManagement/RestrictAppToSystemVolume

Specifies whether the installation of applications is restricted to the system drive.

The following list shows the supported values:

  • 0 (default) – Not restricted.
  • 1 – Restricted.

Most restricted value is 0.

Authentication/AllowEAPCertSSO

Note This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources.

Important
This node must be accessed using the following paths:

  • ./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO to set the policy.
  • ./User/Vendor/MSFT/Policy/Result/Authentication/AllowEAPCertSSO to get the result.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Authentication/AllowFastReconnect

Allows EAP Fast Reconnect to be attempted for EAP Method TLS.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Authentication/AllowSecondaryAuthenticationDevice

Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 – Allowed.

The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD).

Bitlocker/EncryptionMethod

Specifies the BitLocker Drive Encryption method and cipher strength.

The following list shows the supported values:

  • 3 – AES 128-bit
  • 4 – AES 256
  • 6 – XTS 128
  • 7 – XTS 256

Bluetooth/AllowAdvertising

Specifies whether the device can send out Bluetooth advertisements.

The following list shows the supported values:

  • 0 – Not allowed. When set to 0, the device will not send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is not received by the peripheral.
  • 1 (default) – Allowed. When set to 1, the device will send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is received by the peripheral.

If this is not set or it is deleted, the default value of 1 (Allow) is used.

Most restricted value is 0.

Bluetooth/AllowDiscoverableMode

Specifies whether other Bluetooth-enabled devices can discover the device.

The following list shows the supported values:

  • 0 – Not allowed. When set to 0, other devices will not be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that you cannot see the name of the device.
  • 1 (default) – Allowed. When set to 1, other devices will be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel and verify that you can discover it.

If this is not set or it is deleted, the default value of 1 (Allow) is used.

Most restricted value is 0.

Bluetooth/AllowPrepairing

Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Bluetooth/LocalDeviceName

Sets the local Bluetooth device name.

If this is set, the value that it is set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that you see the value that was specified.

If this policy is not set or it is deleted, the default local radio name is used.

Bluetooth/ServicesAllowedList

Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}.

The default value is an empty string.

Browser/AllowAutofill

Specifies whether autofill on websites is allowed.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

To verify AllowAutofill is set to 0 (not allowed):

  1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
  2. In the upper-right corner of the browser, click .
  3. Click Settings in the drop down list, and select View Advanced Settings.
  4. Verify the setting Save form entries is greyed out.

Browser/AllowBrowser

Note This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the AppLocker CSP instead.

Specifies whether the browser is allowed on the device.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

When this policy is set to 0 (not allowed), the Microsoft Edge for Windows 10 Mobile tile will appear greyed out, and clicking on the tile will display a message indicating that Internet browsing has been disabled by your administrator.

Browser/AllowCookies

Specifies whether cookies are allowed.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

To verify AllowCookies is set to 0 (not allowed):

  1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
  2. In the upper-right corner of the browser, click .
  3. Click Settings in the drop down list, and select View Advanced Settings.
  4. Verify the setting Cookies is greyed out.

Browser/AllowDeveloperTools

Note This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Specifies whether employees can use F12 Developer Tools on Microsoft Edge. Turning this setting on, or not configuring it, lets employees use F12 Developer Tools. Turning this setting off stops employees from using F12 Developer Tools.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Browser/AllowDoNotTrack

Specifies whether Do Not Track headers are allowed.

The following list shows the supported values:

  • 0 (default) – Not allowed.
  • 1 – Allowed.

Most restricted value is 1.

To verify AllowDoNotTrack is set to 0 (not allowed):

  1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
  2. In the upper-right corner of the browser, click .
  3. Click Settings in the drop down list, and select View Advanced Settings.
  4. Verify the setting Send Do Not Track requests is greyed out.

Browser/AllowExtensions

Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Browser/AllowInPrivate

Specifies whether InPrivate browsing is allowed on corporate networks.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Browser/AllowPasswordManager

Specifies whether saving and managing passwords locally on the device is allowed.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

To verify AllowPasswordManager is set to 0 (not allowed):

  1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
  2. In the upper-right corner of the browser, click .
  3. Click Settings in the drop down list, and select View Advanced Settings.
  4. Verify the settings Offer to save password and Manage my saved passwords are greyed out.

Browser/AllowPopups

Specifies whether pop-up blocker is allowed or enabled.

The following list shows the supported values:

  • 0 (default) – Pop-up blocker is not allowed. It means that pop-up browser windows are allowed.
  • 1 – Pop-up blocker is allowed or enabled. It means that pop-up browser windows are blocked.

Most restricted value is 1.

To verify AllowPopups is set to 0 (not allowed):

  1. Open Microsoft Edge.
  2. In the upper-right corner of the browser, click .
  3. Click Settings in the drop down list, and select View Advanced Settings.
  4. Verify the setting Block pop-ups is greyed out.

Browser/AllowSearchSuggestionsinAddressBar

Specifies whether search suggestions are allowed in the address bar.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Browser/AllowSmartScreen

Specifies whether SmartScreen is allowed.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 1.

To verify AllowSmartScreen is set to 0 (not allowed):

  1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
  2. In the upper-right corner of the browser, click .
  3. Click Settings in the drop down list, and select View Advanced Settings.
  4. Verify the setting Help protect me from malicious sites and download with SmartScreen Filter is greyed out.

Browser/EnterpriseModeSiteList

Note This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Allows the user to specify a URL of an enterprise site list.

The following list shows the supported values:

  • Not configured. The device checks for updates from Microsoft Update.
  • Set to a URL location of the enterprise site list.

Browser/FirstRunURL

Note This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Specifies the URL that Microsoft Edge for Windows 10 Mobile will use when it is opened the first time.

The data type is a string.

The default value is an empty string. Otherwise, the string should contain the URL of the web page users will see the first time Microsoft Edge is run. For example, “contoso.com”.

Browser/HomePages

Note This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile.

Specifies your Start pages for MDM-enrolled devices. Users can change this setting. Turning this setting on lets you configure one or more corporate Start pages. If this setting is turned on, you must also include URLs to the pages, separating multiple pages by using the XML-escaped characters &lt; and &gt;. For example, "&lt;support.contoso.com&gt;&lt;support.microsoft.com&gt;"

Starting in Windows 10, version 1607, this policy will be enforced so that the Start pages specified by this policy cannot be changed by the users.

Note Turning this setting off, or not configuring it, sets your default Start pages to the web pages specified in App settings.
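The Browser/HomePages value wraps each page in angle brackets, so it has to be XML-escaped when it is carried in a SyncML payload. The following added example (not part of the original documentation) builds and parses that value and lets the XML serializer do the escaping; the function names are hypothetical, and the Replace wrapper follows the usual OMA DM layout, which is an assumption because this section does not show one.

```python
import re
import xml.etree.ElementTree as ET

CONFIG_ROOT = "./Vendor/MSFT/Policy/Config/"


def home_pages_value(urls):
    """Wrap each Start page in < > as Browser/HomePages expects."""
    for url in urls:
        # A delimiter or whitespace inside an entry would corrupt the list.
        if not url or re.search(r"[<>\s]", url):
            raise ValueError(f"not usable as a Start page entry: {url!r}")
    return "".join(f"<{url}>" for url in urls)


def parse_home_pages(value):
    """Inverse of home_pages_value; rejects text outside the < > pairs."""
    pages = re.findall(r"<([^<>]+)>", value)
    if "".join(f"<{page}>" for page in pages) != value:
        raise ValueError("malformed HomePages value")
    return pages


def replace_item(policy, value, fmt="chr", cmd_id=1):
    """Serialize one SyncML <Replace> command for Policy/Config/<policy>.

    Assumption: standard OMA DM command layout. The serializer escapes
    < and > in <Data>, which hand-built XML strings usually forget.
    """
    replace = ET.Element("Replace")
    ET.SubElement(replace, "CmdID").text = str(cmd_id)
    item = ET.SubElement(replace, "Item")
    target = ET.SubElement(item, "Target")
    ET.SubElement(target, "LocURI").text = CONFIG_ROOT + policy
    meta = ET.SubElement(item, "Meta")
    ET.SubElement(meta, "Format", {"xmlns": "syncml:metinf"}).text = fmt
    ET.SubElement(item, "Data").text = str(value)
    return ET.tostring(replace, encoding="unicode")


if __name__ == "__main__":
    pages = ["support.contoso.com", "support.microsoft.com"]
    print(replace_item("Browser/HomePages", home_pages_value(pages)))
```

Parsing the serialized command back with an XML parser returns the original angle-bracket string, which is what the device-side policy value contains.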

Browser/PreventAccessToAboutFlagsInMicrosoftEdge

Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features.

The following list shows the supported values:

  • 0 (default) – Users can access the about:flags page in Microsoft Edge.
  • 1 – Users can't access the about:flags page in Microsoft Edge.

Browser/PreventSmartScreenPromptOverride

Specifies whether users can override the SmartScreen Filter warnings about potentially malicious websites.

The following list shows the supported values:

  • 0 (default) – Off.
  • 1 – On.

Turning this setting on stops users from ignoring the SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the SmartScreen Filter warnings about potentially malicious websites and to continue to the site.

Browser/PreventSmartScreenPromptOverrideForFiles

Specifies whether users can override the SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the SmartScreen Filter warnings about unverified files and lets them continue the download process.

The following list shows the supported values:

  • 0 (default) – Off.
  • 1 – On.

Browser/PreventUsingLocalHostIPAddressForWebRTC

Note This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Specifies whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. Turning this setting on hides a user’s localhost IP address while making phone calls using WebRTC. Turning this setting off, or not configuring it, shows a user’s localhost IP address while making phone calls using WebRTC.

The following list shows the supported values:

  • 0 (default) – The localhost IP address is shown.
  • 1 – The localhost IP address is hidden.

Browser/SendIntranetTraffictoInternetExplorer

Note This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Specifies whether to send intranet traffic over to Internet Explorer.

The following list shows the supported values:

  • 0 (default) – Intranet traffic is sent to Internet Explorer.
  • 1 – Intranet traffic is sent to Microsoft Edge.

Most restricted value is 0.

Browser/ShowMessageWhenOpeningSitesInInternetExplorer

Note This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Added in Windows 10, version 1607. Specifies whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List.

The following list shows the supported values:

  • 0 (default) – Interstitial pages are not shown.
  • 1 – Interstitial pages are shown.

Most restricted value is 0.

Camera/AllowCamera

Disables or enables the camera.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Connectivity/AllowBluetooth

Allows the user to enable Bluetooth or restrict access.

The following list shows the supported values:

  • 0 – Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be greyed out and the user will not be able to turn Bluetooth on.
  • 1 – Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.

    Note This value is not supported in Windows Phone 8.1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile.

  • 2 (default) – Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.

If this is not set or it is deleted, the default value of 2 (Allow) is used.

Most restricted value is 0.

Connectivity/AllowCellularData

Allows the cellular data channel on the device. Device reboot is not required to enforce the policy.

The following list shows the supported values:

  • 0 – Do not allow the cellular data channel. The user can turn it on. This value is not supported in Windows 10, version 1511.
  • 1 (default) – Allow the cellular data channel. The user can turn it off.
  • 2 – Allow the cellular data channel. The user cannot turn it off.

Connectivity/AllowCellularDataRoaming

Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy.

The following list shows the supported values:

  • 0 – Do not allow cellular data roaming. The user can turn it on. This value is not supported in Windows 10, version 1511.
  • 1 (default) – Allow cellular data roaming.
  • 2 – Allow cellular data roaming on. The user cannot turn it off.

Most restricted value is 0.

To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy.

To validate on mobile devices, do the following:

  1. Go to Cellular & SIM.
  2. Click on the SIM (next to the signal strength icon) and select Properties.
  3. On the Properties page, select Data roaming options.

Connectivity/AllowNFC

Note This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Allows or disallows near field communication (NFC) on the device.

The following list shows the supported values:

  • 0 – Do not allow NFC capabilities.
  • 1 (default) – Allow NFC capabilities.

Most restricted value is 0.

Connectivity/AllowUSBConnection

Note This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging.

Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Connectivity/AllowVPNOverCellular

Specifies what type of underlying connections VPN is allowed to use.

The following list shows the supported values:

  • 0 – VPN is not allowed over cellular.
  • 1 (default) – VPN can use any connection, including cellular.

Most restricted value is 0.

Connectivity/AllowVPNRoamingOverCellular

Prevents the device from connecting to VPN when the device roams over cellular networks.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Cryptography/AllowFipsAlgorithmPolicy

Allows or disallows the Federal Information Processing Standard (FIPS) policy.

The following list shows the supported values:

  • 0 (default) – Not allowed.
  • 1 – Allowed.

Cryptography/TLSCipherSuites

Lists the cryptographic cipher algorithms allowed for SSL connections. Format is a semicolon-delimited list. Last write wins.

DataProtection/AllowDirectMemoryAccess

Allows Direct Memory Access.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

DataProtection/LegacySelectiveWipeID

Important This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time.

Setting used by Windows 8.1 Selective Wipe.

Note This policy is not recommended for use in Windows 10.

Defender/AllowArchiveScanning

Note This policy is only enforced in Windows 10 for desktop.

Allows or disallows scanning of archives.

The following list shows the supported values:

  • 0 – Allowed.
  • 1 (default) – Not allowed.

Defender/AllowBehaviorMonitoring

Note This policy is only enforced in Windows 10 for desktop.

Allows or disallows Windows Defender Behavior Monitoring functionality.

The following list shows the supported values:

  • 0 – Allowed.
  • 1 (default) – Not allowed.

Defender/AllowCloudProtection

Note This policy is only enforced in Windows 10 for desktop.

To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Defender/AllowEmailScanning

Note This policy is only enforced in Windows 10 for desktop.

Allows or disallows scanning of email.

The following list shows the supported values:

  • 0 (default) – Not allowed.
  • 1 – Allowed.

Defender/AllowFullScanOnMappedNetworkDrives

Note This policy is only enforced in Windows 10 for desktop.

Allows or disallows a full scan of mapped network drives.

The following list shows the supported values:

  • 0 (default) – Not allowed.
  • 1 – Allowed.

Defender/AllowFullScanRemovableDriveScanning

Note This policy is only enforced in Windows 10 for desktop.

Allows or disallows a full scan of removable drives.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Defender/AllowIntrusionPreventionSystem

Note This policy is only enforced in Windows 10 for desktop.

Allows or disallows Windows Defender Intrusion Prevention functionality.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Defender/AllowIOAVProtection

Note This policy is only enforced in Windows 10 for desktop.

Allows or disallows Windows Defender IOAVP Protection functionality.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Defender/AllowOnAccessProtection

Note This policy is only enforced in Windows 10 for desktop.

Allows or disallows Windows Defender On Access Protection functionality.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Defender/AllowRealtimeMonitoring

Note This policy is only enforced in Windows 10 for desktop.

Allows or disallows Windows Defender Realtime Monitoring functionality.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Defender/AllowScanningNetworkFiles

Note This policy is only enforced in Windows 10 for desktop.

Allows or disallows the scanning of network files.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Defender/AllowScriptScanning

Note This policy is only enforced in Windows 10 for desktop.

Allows or disallows Windows Defender Script Scanning functionality.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Defender/AllowUserUIAccess

Note This policy is only enforced in Windows 10 for desktop.

Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Defender/AVGCPULoadFactor

Note This policy is only enforced in Windows 10 for desktop.

Represents the average CPU load factor for the Windows Defender scan (in percent).

Valid values: 0–100

The default value is 50.

Defender/DaysToRetainCleanedMalware

Note This policy is only enforced in Windows 10 for desktop.

Time period (in days) that quarantine items will be stored on the system.

Valid values: 0–90

The default value is 0, which keeps items in quarantine, and does not automatically remove them.

Defender/ExcludedExtensions

Note This policy is only enforced in Windows 10 for desktop.

Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a |. For example, "lib|obj".

Defender/ExcludedPaths

Note This policy is only enforced in Windows 10 for desktop.

Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a |. For example, "C:\Example|C:\Example1".

Defender/ExcludedProcesses

Note This policy is only enforced in Windows 10 for desktop.

Allows an administrator to specify a list of files opened by processes to ignore during a scan.

Important The process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path.

Each file type must be separated by a |. For example, "C:\Example.exe|C:\Example1.exe".

Defender/PUAProtection

Note This policy is only enforced in Windows 10 for desktop.

Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer.

The following list shows the supported values:

  • 0 (default) – PUA Protection off. Windows Defender will not protect against potentially unwanted applications.
  • 1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats.
  • 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer.

Defender/RealTimeScanDirection

Note This policy is only enforced in Windows 10 for desktop.

Controls which sets of files should be monitored.

Note If AllowOnAccessProtection is not allowed, then this configuration can be used to monitor specific files.

The following list shows the supported values:

  • 0 (default) – Monitor all files (bi-directional).
  • 1 – Monitor incoming files.
  • 2 – Monitor outgoing files.

Defender/ScanParameter

Note This policy is only enforced in Windows 10 for desktop.

Selects whether to perform a quick scan or full scan.

The following list shows the supported values:

  • 1 (default) – Quick scan
  • 2 – Full scan

Defender/ScheduleQuickScanTime

Note This policy is only enforced in Windows 10 for desktop.

Selects the time of day that the Windows Defender quick scan should run.

Note The scan type depends on what scan type is selected in the Defender/ScanParameter setting.

Valid values: 0–1380

For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM.

The default value is 120.

Defender/ScheduleScanDay

Note This policy is only enforced in Windows 10 for desktop.

Selects the day that the Windows Defender scan should run.

Note The scan type depends on what scan type is selected in the Defender/ScanParameter setting.

The following list shows the supported values:

  • 0 (default) – Every day
  • 1 – Monday
  • 2 – Tuesday
  • 3 – Wednesday
  • 4 – Thursday
  • 5 – Friday
  • 6 – Saturday
  • 7 – Sunday
  • 8 – No scheduled scan

Defender/ScheduleScanTime

Note This policy is only enforced in Windows 10 for desktop.

Selects the time of day that the Windows Defender scan should run.

Note The scan type depends on what scan type is selected in the Defender/ScanParameter setting.

Valid values: 0–1380.

For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00AM, and so on, up to a value of 1380=11:00PM.

The default value is 120.

Defender/SignatureUpdateInterval

Note This policy is only enforced in Windows 10 for desktop.

Specifies the interval (in hours) at which to check for new signatures. When set, the check for new signatures follows this interval instead of ScheduleDay and ScheduleTime.

Valid values: 0–24.

A value of 0 means no check for new signatures, a value of 1 means to check every hour, a value of 2 means to check every two hours, and so on, up to a value of 24, which means to check every day.

The default value is 8.

Defender/SubmitSamplesConsent

Note This policy is only enforced in Windows 10 for desktop.

Checks the user consent level in Windows Defender for sending data. If the required consent has already been granted, Windows Defender submits the data. If not (and if the user has specified never to ask), the UI is launched to ask for user consent (when Defender/AllowCloudProtection is allowed) before sending data.

The following list shows the supported values:

  • 0 – Always prompt.
  • 1 (default) – Send safe samples automatically.
  • 2 – Never send.
  • 3 – Send all samples automatically.

Defender/ThreatSeverityDefaultAction

Note This policy is only enforced in Windows 10 for desktop.

Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take.

This value is a list of threat severity level IDs and corresponding actions, separated by a | using the format "threat level=action|threat level=action". For example, "1=6|2=2|4=10|5=3".

The following list shows the supported values for threat severity levels:

  • 1 – Low severity threats
  • 2 – Moderate severity threats
  • 4 – High severity threats
  • 5 – Severe threats

The following list shows the supported values for possible actions:

  • 1 – Clean
  • 2 – Quarantine
  • 3 – Remove
  • 6 – Allow
  • 8 – User defined
  • 10 – Block
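A pre-deployment check for this value format, as an added example (not Microsoft code): it parses the "threat level=action|..." string against the two ID lists above and flags mappings a reviewer would want to look at. The function names and the review rule are assumptions of this example.

```python
import re

# IDs copied from the two supported-value lists above.
SEVERITY_LEVELS = {1: "Low", 2: "Moderate", 4: "High", 5: "Severe"}
ACTIONS = {1: "Clean", 2: "Quarantine", 3: "Remove",
           6: "Allow", 8: "User defined", 10: "Block"}
_PAIR = re.compile(r"([0-9]+)=([0-9]+)")


def parse_threat_actions(value):
    """Return {severity_id: action_id}; raise ValueError on any malformed pair."""
    mapping = {}
    for pair in value.split("|"):
        match = _PAIR.fullmatch(pair)
        if match is None:
            raise ValueError(f"malformed pair {pair!r}, expected 'level=action'")
        level, action = int(match.group(1)), int(match.group(2))
        if level not in SEVERITY_LEVELS:
            raise ValueError(f"unknown threat severity level {level}")
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action} for level {level}")
        if level in mapping:
            raise ValueError(f"level {level} is listed more than once")
        mapping[level] = action
    return mapping


def review_threat_actions(value):
    """Return findings for a reviewer; an empty list means nothing to flag.

    Review rule (an assumption of this example, not a platform rule): flag
    High or Severe threats mapped to Allow, and levels left without an action.
    """
    mapping = parse_threat_actions(value)
    findings = []
    for level, label in sorted(SEVERITY_LEVELS.items()):
        if level not in mapping:
            findings.append(f"{label}: no explicit action")
        elif level >= 4 and mapping[level] == 6:
            findings.append(f"{label}: action is Allow")
    return findings


if __name__ == "__main__":
    sample = "1=6|2=2|4=10|5=3"  # the example value given above
    print(parse_threat_actions(sample))
    print(review_threat_actions("1=6|2=2|4=6"))  # constructed value
```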

DeliveryOptimization/DOAbsoluteMaxCacheSize

Note This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.

Added in Windows 10, version 1607. Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space.

The default value is 10.

DeliveryOptimization/DODownloadMode

Note This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.

Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates.

The following list shows the supported values:

  • 0 – HTTP only, no peering.
  • 1 (default) – HTTP blended with peering behind the same NAT.
  • 2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.
  • 3 – HTTP blended with Internet peering.
  • 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607.
  • 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607.

DeliveryOptimization/DOGroupID

Note This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.

This policy specifies an arbitrary group ID that the device belongs to. Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. Note that this is a best effort optimization and should not be relied on for authentication of identity.

Note You must use a GUID as the group ID.

DeliveryOptimization/DOMaxCacheAge

Note This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.

Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not been exceeded. The value 0 is new in Windows 10, version 1607.

The default value is 259200 seconds (3 days).

DeliveryOptimization/DOMaxCacheSize

Note This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.

Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100).

The default value is 20.

DeliveryOptimization/DOMaxDownloadBandwidth

Note This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.

Added in Windows 10, version 1607. Specifies the maximum download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.

The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.

DeliveryOptimization/DOMaxUploadBandwidth

Note This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.

Specifies the maximum upload bandwidth in KiloBytes/second that a device will use across all concurrent upload activity using Delivery Optimization.

The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth).

DeliveryOptimization/DOMinBackgroundQos

Note This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.

Added in Windows 10, version 1607. Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set.

The default value is 500.

DeliveryOptimization/DOModifyCacheDrive

Note This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.

Added in Windows 10, version 1607. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.

By default, %SystemDrive% is used to store the cache.

DeliveryOptimization/DOMonthlyUploadDataCap

Note This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.

Added in Windows 10, version 1607. Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.

The value 0 (zero) means "unlimited"; no monthly upload limit is applied if 0 is set.

The default value is 20.

DeliveryOptimization/DOPercentageMaxDownloadBandwidth

Note This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.

Added in Windows 10, version 1607. Specifies the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.

The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.

DeviceLock/AllowIdleReturnWithoutPassword

Note This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Specifies whether the user must input a PIN or password when the device resumes from an idle state.

Note This policy must be wrapped in an Atomic command.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

DeviceLock/AllowScreenTimeoutWhileLockedUserConfig

Note This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.

Note This policy must be wrapped in an Atomic command.

The following list shows the supported values:

  • 0 (default) – Not allowed.
  • 1 – Allowed.

Important If this policy is set to 1 (Allowed), the value set by DeviceLock/ScreenTimeOutWhileLocked is ignored. To ensure enterprise control over the screen timeout, set this policy to 0 (Not allowed) and use DeviceLock/ScreenTimeOutWhileLocked to set the screen timeout period.

DeviceLock/AllowSimpleDevicePassword

Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords.

Note This policy must be wrapped in an Atomic command.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

For additional information about this policy, see Exchange ActiveSync Policy Engine Overview.

DeviceLock/AlphanumericDevicePasswordRequired

Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0 (required).

Note
This policy must be wrapped in an Atomic command.

Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education).

The following list shows the supported values:

  • 0 – Alphanumeric PIN or password required.
  • 1 – Numeric PIN or password required.
  • 2 (default) – Users can choose: Numeric PIN or password, or Alphanumeric PIN or password.

Note
If AlphanumericDevicePasswordRequired is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1.

If AlphanumericDevicePasswordRequired is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2.

DeviceLock/DevicePasswordEnabled

Specifies whether device lock is enabled.

Note
This policy must be wrapped in an Atomic command.

Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.

The following list shows the supported values:

  • 0 (default) – Enabled
  • 1 – Disabled

Important
The DevicePasswordEnabled setting must be set to 0 (device password is enabled) for the following policy settings to take effect:

  • AllowSimpleDevicePassword
  • MinDevicePasswordLength
  • AlphanumericDevicePasswordRequired
  • MaxDevicePasswordFailedAttempts
  • MaxInactivityTimeDeviceLock
  • MinDevicePasswordComplexCharacters  

Important
If DevicePasswordEnabled is set to 0 (device password is enabled), then the following policies are set:

  • MinDevicePasswordLength is set to 4
  • MinDevicePasswordComplexCharacters is set to 1

If DevicePasswordEnabled is set to 1 (device password is disabled), then the following DeviceLock policies are set to 0:

  • MinDevicePasswordLength
  • MinDevicePasswordComplexCharacters

DeviceLock/DevicePasswordExpiration

Specifies when the password expires (in days).

Note This policy must be wrapped in an Atomic command.

The following list shows the supported values:

  • An integer X where 0 <= X <= 730.
  • 0 (default) - Passwords do not expire.

If all policy values = 0 then 0; otherwise, Min policy value is the most secure value.

For additional information about this policy, see Exchange ActiveSync Policy Engine Overview.

DeviceLock/DevicePasswordHistory

Specifies how many passwords are stored in the history and cannot be reused.

Note This policy must be wrapped in an Atomic command.

The following list shows the supported values:

  • An integer X where 0 <= X <= 50.
  • 0 (default)

The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords.

Max policy value is the most restricted.

For additional information about this policy, see Exchange ActiveSync Policy Engine Overview.

DeviceLock/EnforceLockScreenAndLogonImage

Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image.

Note This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Home.

Value type is a string, which is the full image filepath and filename.

DeviceLock/EnforceLockScreenProvider

Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able to change this provider.

Note This policy is only enforced in Windows 10 for mobile devices.

Value type is a string, which is the AppID.

DeviceLock/MaxDevicePasswordFailedAttempts

The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.

Note This policy must be wrapped in an Atomic command.

This policy has different behaviors on the mobile device and desktop.

  • On a mobile device, when the user reaches the value set by this policy, then the device is wiped.
  • On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced.

    Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key.

The following list shows the supported values:

  • An integer X where 4 <= X <= 16 for desktop and 0 <= X <= 999 for mobile devices.
  • 0 (default) - The device is never wiped after an incorrect PIN or password is entered.

Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value.

For additional information about this policy, see Exchange ActiveSync Policy Engine Overview.

DeviceLock/MaxInactivityTimeDeviceLock

Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy.

Note This policy must be wrapped in an Atomic command.

The following list shows the supported values:

  • An integer X where 0 <= X <= 999.
  • 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted as "No timeout is defined."

For additional information about this policy, see Exchange ActiveSync Policy Engine Overview.

DeviceLock/MinDevicePasswordComplexCharacters

The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.

Note
This policy must be wrapped in an Atomic command.

Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.

PIN enforces the following behavior for desktop and mobile devices:

  • 1 - Digits only
  • 2 - Digits and lowercase letters are required
  • 3 - Digits, lowercase letters, and uppercase letters are required
  • 4 - Digits, lowercase letters, uppercase letters, and special characters are required

The default value is 1. The following list shows the supported values and actual enforced values:

Account Type               | Supported Values | Actual Enforced Values
Mobile                     | 1,2,3,4          | Same as the value set
Desktop Local Accounts     | 1,2,3            | 3
Desktop Microsoft Accounts | 1,2              |
Desktop Domain Accounts    | Not supported    | Not supported

Enforced values for Local and Microsoft Accounts:

  • Local accounts support values of 1, 2, and 3, however they always enforce a value of 3.
  • Passwords for local accounts must meet the following minimum requirements:

    • Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
    • Be at least six characters in length
    • Contain characters from three of the following four categories:

      • English uppercase characters (A through Z)
      • English lowercase characters (a through z)
      • Base 10 digits (0 through 9)
      • Special characters (!, $, #, %, etc.)

The enforcement of policies for Microsoft accounts happens on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant.

For additional information about this policy, see Exchange ActiveSync Policy Engine Overview and KB article.

DeviceLock/MinDevicePasswordLength

Specifies the minimum number of characters required in the PIN or password.

Note
This policy must be wrapped in an Atomic command.

Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.

The following list shows the supported values:

  • An integer X where 4 <= X <= 16 for mobile devices and desktop. However, local accounts will always enforce a minimum password length of 6.
  • Not enforced.
  • The default value is 4 for mobile devices and desktop devices.

Max policy value is the most restricted.

For additional information about this policy, see Exchange ActiveSync Policy Engine Overview and KB article.

DeviceLock/ScreenTimeoutWhileLocked

Note This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Allows an enterprise to set the duration in seconds for the screen timeout while on the lock screen of Windows 10 Mobile devices.

Minimum supported value is 10.

Maximum supported value is 1800.

The default value is 10.
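The DeviceLock notes above (wrap in an Atomic command, use Replace rather than Add, and the dependency on DevicePasswordEnabled) can be enforced when the SyncML is generated. The following is an added example, not Microsoft code: the helper names are hypothetical, the element names are the standard OMA DM SyncML ones, and treating 0 as valid for MaxDevicePasswordFailedAttempts on desktop is an assumption.

```python
import xml.etree.ElementTree as ET

BASE_URI = "./Vendor/MSFT/Policy/Config/DeviceLock/"

# Inclusive (min, max) ranges as listed in the DeviceLock entries above.
RANGES = {
    "DevicePasswordEnabled": (0, 1),
    "AllowSimpleDevicePassword": (0, 1),
    "AlphanumericDevicePasswordRequired": (0, 2),
    "DevicePasswordExpiration": (0, 730),
    "DevicePasswordHistory": (0, 50),
    "MaxInactivityTimeDeviceLock": (0, 999),
    "MinDevicePasswordComplexCharacters": (1, 4),
    "MinDevicePasswordLength": (4, 16),
}
# Policies that take effect only while DevicePasswordEnabled is 0 (enabled).
NEEDS_PASSWORD_ENABLED = {
    "AllowSimpleDevicePassword", "MinDevicePasswordLength",
    "AlphanumericDevicePasswordRequired", "MaxDevicePasswordFailedAttempts",
    "MaxInactivityTimeDeviceLock", "MinDevicePasswordComplexCharacters",
}


def check_devicelock(settings, platform):
    """Return a list of problems; platform is 'desktop' or 'mobile'."""
    problems = []
    for name, value in settings.items():
        if isinstance(value, bool) or not isinstance(value, int):
            problems.append(f"{name}: value must be an integer")
            continue
        if name == "MaxDevicePasswordFailedAttempts":
            # Assumption: 0 (never wipe) stays valid on desktop beside 4..16.
            if platform == "mobile":
                ok = 0 <= value <= 999
            else:
                ok = value == 0 or 4 <= value <= 16
        elif name in RANGES:
            low, high = RANGES[name]
            if name == "MinDevicePasswordComplexCharacters" and platform == "desktop":
                high = 3  # desktop local accounts support 1, 2 and 3 only
            ok = low <= value <= high
        else:
            problems.append(f"{name}: not a DeviceLock policy handled here")
            continue
        if not ok:
            problems.append(f"{name}: {value} is out of range for {platform}")
    if settings.get("DevicePasswordEnabled", 0) == 1:
        for name in sorted(settings.keys() & NEEDS_PASSWORD_ENABLED):
            problems.append(f"{name}: no effect while DevicePasswordEnabled is 1")
    return problems


def build_devicelock_atomic(settings, platform, first_cmd_id=1):
    """Return one <Atomic> block (as text) holding a Replace per policy."""
    problems = check_devicelock(settings, platform)
    if problems:
        raise ValueError("; ".join(problems))
    atomic = ET.Element("Atomic")
    ET.SubElement(atomic, "CmdID").text = str(first_cmd_id)
    for offset, (name, value) in enumerate(settings.items(), start=1):
        replace = ET.SubElement(atomic, "Replace")  # Replace, never Add
        ET.SubElement(replace, "CmdID").text = str(first_cmd_id + offset)
        item = ET.SubElement(replace, "Item")
        target = ET.SubElement(item, "Target")
        ET.SubElement(target, "LocURI").text = BASE_URI + name
        meta = ET.SubElement(item, "Meta")
        # Plain attribute so the output carries xmlns="syncml:metinf" in place.
        ET.SubElement(meta, "Format", {"xmlns": "syncml:metinf"}).text = "int"
        ET.SubElement(item, "Data").text = str(value)
    return ET.tostring(atomic, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample policy set for a desktop device.
    wanted = {"DevicePasswordEnabled": 0, "MinDevicePasswordLength": 8,
              "MaxDevicePasswordFailedAttempts": 10}
    print(build_devicelock_atomic(wanted, "desktop"))
```

The returned `<Atomic>` block is meant to be placed inside the `<SyncBody>` of the message the management server sends; `first_cmd_id` lets the caller keep command IDs unique within that message.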

Experience/AllowCopyPaste

Note This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Specifies whether copy and paste is allowed.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Experience/AllowCortana

Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Experience/AllowDeviceDiscovery

Allows users to turn on/off device discovery UX.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

When set to 0, the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on.

Most restricted value is 0.

Experience/AllowManualMDMUnenrollment

Specifies whether to allow the user to delete the workplace account using the workplace control panel.

Note The MDM server can always remotely delete the account.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Experience/AllowScreenCapture

Note This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Specifies whether screen capture is allowed.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Experience/AllowSIMErrorDialogPromptWhenNoSIM

Note This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Specifies whether to display dialog prompt when no SIM card is detected.

The following list shows the supported values:

  • 0 – SIM card dialog prompt is not displayed.
  • 1 (default) – SIM card dialog prompt is displayed.

Experience/AllowSyncMySettings

Allows or disallows all Windows sync settings on the device. For information about what settings are synced, see About sync setting on Windows 10 devices.

The following list shows the supported values:

  • 0 – Sync settings is not allowed.
  • 1 (default) – Sync settings allowed.

Experience/AllowTaskSwitcher

Note This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Allows or disallows task switching on the device.

The following list shows the supported values:

  • 0 – Task switching not allowed.
  • 1 (default) – Task switching allowed.

Experience/AllowThirdPartySuggestionsInWindowsSpotlight

Note This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.

Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services.

The following list shows the supported values:

  • 0 – Third-party suggestions not allowed.
  • 1 (default) – Third-party suggestions allowed.

Experience/AllowVoiceRecording

Note This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Specifies whether voice recording is allowed for apps.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Experience/AllowWindowsConsumerFeatures

Note This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles.

Important
This node must be accessed using the following paths:

  • ./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsConsumerFeatures to set the policy.
  • ./User/Vendor/MSFT/Policy/Result/Experience/AllowWindowsConsumerFeatures to get the result.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 – Allowed.

Most restricted value is 0.

Experience/AllowWindowsSpotlight

Note This policy is only available for Windows 10 Enterprise and Windows 10 Education.

Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Experience/AllowWindowsTips

Enables or disables Windows Tips / soft landing.

The following list shows the supported values:

  • 0 – Disabled.
  • 1 (default) – Enabled.

Experience/ConfigureWindowsSpotlightOnLockScreen

Note This policy is only available for Windows 10 Enterprise and Windows 10 Education.

Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1.

The following list shows the supported values:

  • 0 – None.
  • 1 (default) – Windows spotlight enabled.
  • 2 – placeholder only for future extension. Using this value has no effect.

Experience/DoNotShowFeedbackNotifications

Prevents devices from showing feedback questions from Microsoft.

If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or do not configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback.

If you disable or do not configure this policy setting, users can control how often they receive feedback questions.

The following list shows the supported values:

  • 0 (default) – Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally.
  • 1 – Feedback notifications are disabled.

Licensing/AllowWindowsEntitlementReactivation

Added in Windows 10, version 1607. Enables or disables Windows license reactivation on managed devices.

The following list shows the supported values:

  • 0 – Disable Windows license reactivation on managed devices.
  • 1 (default) – Enable Windows license reactivation on managed devices.

Licensing/DisallowKMSClientOnlineAVSValidation

Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state.

The following list shows the supported values:

  • 0 (default) – Disabled.
  • 1 – Enabled.

LockDown/AllowEdgeSwipe

Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch.

The following list shows the supported values:

  • 0 - disallow edge swipe.
  • 1 (default, not configured) - allow edge swipe.

The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied, and then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled.

Maps/EnableOfflineMapsAutoUpdate

Added in Windows 10, version 1607. Disables the automatic download and update of map data.

The following list shows the supported values:

  • 65535 (default) – Not configured. User's choice.
  • 0 – Disabled. Force off auto-update.
  • 1 – Enabled. Force on auto-update.

After the policy is applied, you can verify the settings in the user interface in System > Offline Maps.

Maps/AllowOfflineMapsDownloadOverMeteredConnection

Added in Windows 10, version 1607. Allows the download and update of map data over metered connections.

The following list shows the supported values:

  • 65535 (default) – Not configured. User's choice.
  • 0 – Disabled. Force disable auto-update over metered connection.
  • 1 – Enabled. Force enable auto-update over metered connection.

After the policy is applied, you can verify the settings in the user interface in System > Offline Maps.

Messaging/AllowMessageSync

Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control.

The following list shows the supported values:

  • 0 - message sync is not allowed and cannot be changed by the user.
  • 1 - message sync is allowed. The user can change this setting.

NetworkIsolation/EnterpriseCloudResources

Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the EnterpriseInternalProxyServers policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, <cloudresource>|<cloudresource>|<cloudresource>,<proxy>|<cloudresource>|<cloudresource>,<proxy>|.

NetworkIsolation/EnterpriseInternalProxyServers

This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the EnterpriseCloudResources policy to force traffic to the matched cloud resources through these proxies.
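Because a proxy paired with a cloud resource must also appear in EnterpriseInternalProxyServers, the two values can be cross-checked before they are deployed. This is an added example, not Microsoft code; the function names are hypothetical and the host names in the demo are constructed.

```python
def parse_cloud_resources(value):
    """Return [(resource, proxy_or_None), ...] from the pipe-separated value."""
    chunks = value.split("|")
    if chunks and not chunks[-1].strip():
        chunks.pop()  # the format shown above ends with a trailing "|"
    entries = []
    for chunk in chunks:
        chunk = chunk.strip()
        if not chunk:
            raise ValueError("empty entry between two '|' separators")
        resource, comma, proxy = chunk.partition(",")
        resource, proxy = resource.strip(), proxy.strip()
        if not resource:
            raise ValueError(f"entry {chunk!r} has a proxy but no cloud resource")
        if comma and not proxy:
            raise ValueError(f"entry {chunk!r} has a comma but no proxy")
        if "," in proxy:
            raise ValueError(f"entry {chunk!r} pairs more than one proxy")
        entries.append((resource, proxy or None))
    return entries


def unlisted_proxies(cloud_resources, internal_proxy_servers):
    """Return proxies paired in EnterpriseCloudResources that are missing from
    the comma-separated EnterpriseInternalProxyServers value (first-seen order)."""
    internal = {p.strip().lower()
                for p in internal_proxy_servers.split(",") if p.strip()}
    missing = []
    for _resource, proxy in parse_cloud_resources(cloud_resources):
        if proxy and proxy.lower() not in internal and proxy not in missing:
            missing.append(proxy)
    return missing


if __name__ == "__main__":
    # Constructed sample values.
    cloud = "files.contoso.example|mail.contoso.example,px1.contoso.example|" \
            "crm.contoso.example,px2.contoso.example|"
    internal = "px1.contoso.example, 10.202.14.167"
    print(parse_cloud_resources(cloud))
    print("missing from EnterpriseInternalProxyServers:",
          unlisted_proxies(cloud, internal))
```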

NetworkIsolation/EnterpriseIPRange

Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. For example:

10.0.0.0-10.255.255.255,157.54.0.0-157.54.255.255,
192.168.0.0-192.168.255.255,2001:4898::-2001:4898:7fff:ffff:ffff:ffff:ffff:ffff,
2001:4898:dc05::-2001:4898:dc05:ffff:ffff:ffff:ffff:ffff,
2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
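Since every address inside these ranges is treated as a safe destination for enterprise data, it is worth checking the value mechanically before deployment. This is an added example, not Microsoft code; the function names are hypothetical. It parses the start-end list, rejects reversed or mixed-family ranges, reports overlaps, and answers whether a given address falls inside the boundary.

```python
import ipaddress

# The example value shown above, including its line breaks.
PAGE_SAMPLE = """10.0.0.0-10.255.255.255,157.54.0.0-157.54.255.255,
192.168.0.0-192.168.255.255,2001:4898::-2001:4898:7fff:ffff:ffff:ffff:ffff:ffff,
2001:4898:dc05::-2001:4898:dc05:ffff:ffff:ffff:ffff:ffff,
2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"""


def parse_ip_ranges(value):
    """Return [(first, last), ...] as ipaddress objects; ValueError if invalid."""
    ranges = []
    for chunk in "".join(value.split()).split(","):
        if not chunk:
            raise ValueError("empty range entry")
        first_text, dash, last_text = chunk.partition("-")
        if not dash:
            raise ValueError(f"{chunk!r} is not in start-end form")
        first = ipaddress.ip_address(first_text)
        last = ipaddress.ip_address(last_text)
        if first.version != last.version:
            raise ValueError(f"{chunk!r} mixes IPv4 and IPv6")
        if first > last:
            raise ValueError(f"{chunk!r} starts after it ends")
        ranges.append((first, last))
    return ranges


def overlapping_ranges(ranges):
    """Return (earlier, later) pairs that overlap, which usually means a typo."""
    ordered = sorted(ranges, key=lambda r: (r[0].version, int(r[0])))
    pairs = []
    widest = None  # range with the highest end seen so far in this IP version
    for rng in ordered:
        same_family = widest is not None and widest[0].version == rng[0].version
        if same_family and rng[0] <= widest[1]:
            pairs.append((widest, rng))
        if not same_family or rng[1] > widest[1]:
            widest = rng
    return pairs


def in_enterprise_range(address, ranges):
    """True if the address lies inside any configured range."""
    ip = ipaddress.ip_address(address)
    return any(first.version == ip.version and first <= ip <= last
               for first, last in ranges)


if __name__ == "__main__":
    parsed = parse_ip_ranges(PAGE_SAMPLE)
    print(len(parsed), "ranges, overlaps:", overlapping_ranges(parsed))
    for probe in ("10.20.30.40", "8.8.8.8", "fd12::1"):  # constructed probes
        print(probe, in_enterprise_range(probe, parsed))
```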

NetworkIsolation/EnterpriseIPRangesAreAuthoritative

Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets.

NetworkIsolation/EnterpriseNetworkDomainNames

This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com".

Note The client requires domain name to be canonical, otherwise the setting will be rejected by the client.

Here are the steps to create canonical domain names:

  1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com.
  2. Call IdnToAscii with IDN_USE_STD3_ASCII_RULES as the flags.
  3. Call IdnToUnicode with no flags set (dwFlags = 0).
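A server-side pre-check that mirrors the three steps, as an added example (not Microsoft code). It does not call IdnToAscii or IdnToUnicode: it substitutes Python's built-in IDNA 2003 codec and a hand-written STD3 label check, so results can differ from the Windows APIs for some code points. The function names are hypothetical.

```python
import re

# STD3 ASCII rules: letters, digits and hyphen only, no leading/trailing hyphen.
_STD3_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")
_ASCII_UPPER_TO_LOWER = {code: code + 32
                         for code in range(ord("A"), ord("Z") + 1)}


def canonical_domain(name):
    """Approximate the three steps above; raise ValueError for invalid names."""
    # Step 1: lower-case ASCII A-Z only; other characters are left to IDNA.
    lowered = name.translate(_ASCII_UPPER_TO_LOWER)
    # Step 2: convert to the ASCII (Punycode) form. Python's codec does not
    # apply the STD3 rules itself, so each label is checked explicitly.
    try:
        ascii_form = lowered.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError(f"{name!r} cannot be converted to ASCII form") from exc
    for label in ascii_form.split("."):
        if not _STD3_LABEL.fullmatch(label):
            raise ValueError(
                f"label {label!r} in {name!r} breaks the STD3 ASCII rules")
    # Step 3: convert the ASCII form back to Unicode.
    try:
        return ascii_form.encode("ascii").decode("idna")
    except UnicodeError as exc:
        raise ValueError(f"{name!r} does not round-trip through IDNA") from exc


def noncanonical_domains(policy_value):
    """Return [(entry, canonical_form), ...] for entries of the comma-separated
    EnterpriseNetworkDomainNames value that are not already canonical."""
    fixes = []
    for entry in policy_value.split(","):
        entry = entry.strip()
        canonical = canonical_domain(entry)
        if canonical != entry:
            fixes.append((entry, canonical))
    return fixes


if __name__ == "__main__":
    print(canonical_domain("Microsoft.COM"))  # the step 1 example above
    # The sample list given for this policy above.
    print(noncanonical_domains("contoso.sharepoint.com, Fabrikam.com"))
```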

NetworkIsolation/EnterpriseProxyServers

This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59".

NetworkIsolation/EnterpriseProxyServersAreAuthoritative

Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies.

NetworkIsolation/NeutralResources

List of domain names that can be used for work or personal resources.

Notifications/DisallowNotificationMirroring

Added in Windows 10, version 1607. Boolean value that turns off notification mirroring.

For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page.

No reboot or service restart is required for this policy to take effect.

The following list shows the supported values:

  • 0 (default) – disable notification mirroring.
  • 1 – enable notification mirroring.

Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts

Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.

The following list shows the supported values:

  • 0 (default) – Not allowed.
  • 1 – Allowed.

Most restricted value is 0.

Privacy/AllowInputPersonalization

Updated in the next major update of Windows 10. Allows the usage of cloud-based speech services for Cortana, dictation, or Store applications. Setting this policy to 1 lets Microsoft use the user's voice data to improve cloud speech services for all users.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Privacy/DisableAdvertisingId

Added in Windows 10, version 1607. Enables or disables the Advertising ID.

The following list shows the supported values:

  • 0 – Disabled.
  • 1 – Enabled.
  • 65535 (default) – Not configured.

Most restricted value is 0.

Privacy/LetAppsAccessAccountInfo

Added in Windows 10, version 1607. Specifies whether Windows apps can access account information.

The following list shows the supported values:

  • 0 – User in control.
  • 1 – Force allow.
  • 2 – Force deny.

Most restricted value is 2.

Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.

Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.

Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.

Privacy/LetAppsAccessCalendar

Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar.

The following list shows the supported values:

  • 0 – User in control.
  • 1 – Force allow.
  • 2 – Force deny.

Most restricted value is 2.

Privacy/LetAppsAccessCalendar_ForceAllowTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.

Privacy/LetAppsAccessCalendar_ForceDenyTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.

Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.

Privacy/LetAppsAccessCallHistory

Added in Windows 10, version 1607. Specifies whether Windows apps can access call history.

The following list shows the supported values:

  • 0 – User in control.
  • 1 – Force allow.
  • 2 – Force deny.

Most restricted value is 2.

Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.

Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.

Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.

Privacy/LetAppsAccessCamera

Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera.

The following list shows the supported values:

  • 0 – User in control.
  • 1 – Force allow.
  • 2 – Force deny.

Most restricted value is 2.

Privacy/LetAppsAccessCamera_ForceAllowTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.

Privacy/LetAppsAccessCamera_ForceDenyTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.

Privacy/LetAppsAccessCamera_UserInControlOfTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.

Privacy/LetAppsAccessContacts

Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts.

The following list shows the supported values:

  • 0 – User in control.
  • 1 – Force allow.
  • 2 – Force deny.

Most restricted value is 2.

Privacy/LetAppsAccessContacts_ForceAllowTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.

Privacy/LetAppsAccessContacts_ForceDenyTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.

Privacy/LetAppsAccessContacts_UserInControlOfTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.

Privacy/LetAppsAccessEmail

Added in Windows 10, version 1607. Specifies whether Windows apps can access email.

The following list shows the supported values:

  • 0 – User in control.
  • 1 – Force allow.
  • 2 – Force deny.

Most restricted value is 2.

Privacy/LetAppsAccessEmail_ForceAllowTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.

Privacy/LetAppsAccessEmail_ForceDenyTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.

Privacy/LetAppsAccessEmail_UserInControlOfTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.

Privacy/LetAppsAccessLocation

Added in Windows 10, version 1607. Specifies whether Windows apps can access location.

The following list shows the supported values:

  • 0 – User in control.
  • 1 – Force allow.
  • 2 – Force deny.

Most restricted value is 2.

Privacy/LetAppsAccessLocation_ForceAllowTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.

Privacy/LetAppsAccessLocation_ForceDenyTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.

Privacy/LetAppsAccessLocation_UserInControlOfTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.

Privacy/LetAppsAccessMessaging

Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS).

The following list shows the supported values:

  • 0 – User in control.
  • 1 – Force allow.
  • 2 – Force deny.

Most restricted value is 2.

Privacy/LetAppsAccessMessaging_ForceAllowTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.

Privacy/LetAppsAccessMessaging_ForceDenyTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.

Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.

Privacy/LetAppsAccessMicrophone

Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone.

The following list shows the supported values:

  • 0 – User in control.
  • 1 – Force allow.
  • 2 – Force deny.

Most restricted value is 2.

Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.

Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.

Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.

Privacy/LetAppsAccessMotion

Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data.

The following list shows the supported values:

  • 0 – User in control.
  • 1 – Force allow.
  • 2 – Force deny.

Most restricted value is 2.

Privacy/LetAppsAccessMotion_ForceAllowTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.

Privacy/LetAppsAccessMotion_ForceDenyTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.

Privacy/LetAppsAccessMotion_UserInControlOfTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.

Privacy/LetAppsAccessNotifications

Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications.

The following list shows the supported values:

  • 0 – User in control.
  • 1 – Force allow.
  • 2 – Force deny.

Most restricted value is 2.

Privacy/LetAppsAccessNotifications_ForceAllowTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.

Privacy/LetAppsAccessNotifications_ForceDenyTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.

Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.

Privacy/LetAppsAccessPhone

Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls.

The following list shows the supported values:

  • 0 – User in control.
  • 1 – Force allow.
  • 2 – Force deny.

Most restricted value is 2.

Privacy/LetAppsAccessPhone_ForceAllowTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.

Privacy/LetAppsAccessPhone_ForceDenyTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.

Privacy/LetAppsAccessPhone_UserInControlOfTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.

Privacy/LetAppsAccessRadios

Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios.

The following list shows the supported values:

  • 0 – User in control.
  • 1 – Force allow.
  • 2 – Force deny.

Most restricted value is 2.

Privacy/LetAppsAccessRadios_ForceAllowTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.

Privacy/LetAppsAccessRadios_ForceDenyTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.

Privacy/LetAppsAccessRadios_UserInControlOfTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.

Privacy/LetAppsAccessTrustedDevices

Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices.

The following list shows the supported values:

  • 0 – User in control.
  • 1 – Force allow.
  • 2 – Force deny.

Most restricted value is 2.

Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.

Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.

Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.

Privacy/LetAppsSyncWithDevices

Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices.

The following list shows the supported values:

  • 0 – User in control.
  • 1 – Force allow.
  • 2 – Force deny.

Most restricted value is 2.

Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.

Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.

Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
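
Each Privacy/LetAppsAccess* and Privacy/LetAppsSyncWithDevices policy above combines one default value with three per-app override lists. The following PowerShell is an added example, not part of the original documentation. It parses the three semicolon-delimited lists, reports the setting each listed app ends up with, and flags any Package Family Name that appears in more than one list, because this page does not say which list wins in that case. The function name and the Package Family Names are hypothetical, and treating names as case-insensitive is an assumption.

```powershell
# Added example: lint one LetAppsAccess* policy family before deployment.
# Function name and package family names are constructed for illustration.

function Resolve-AppPrivacySetting {
    param(
        # 0 = User in control, 1 = Force allow, 2 = Force deny (values from this page).
        [Parameter(Mandatory)][ValidateRange(0, 2)][int] $Default,
        [string] $ForceAllowTheseApps = '',
        [string] $ForceDenyTheseApps = '',
        [string] $UserInControlOfTheseApps = ''
    )

    $label = @{ 0 = 'User in control'; 1 = 'Force allow'; 2 = 'Force deny' }
    $lists = [ordered]@{
        'Force allow'     = $ForceAllowTheseApps
        'Force deny'      = $ForceDenyTheseApps
        'User in control' = $UserInControlOfTheseApps
    }

    # Map each package family name to the list(s) that name it.
    # PowerShell hashtable keys are case-insensitive (assumption about the client).
    $seen = @{}
    foreach ($setting in $lists.Keys) {
        foreach ($pfn in $lists[$setting].Split(';')) {
            $pfn = $pfn.Trim()
            if (-not $pfn) { continue }                      # skip empty segments
            if (-not $seen.ContainsKey($pfn)) { $seen[$pfn] = @() }
            if ($seen[$pfn] -notcontains $setting) { $seen[$pfn] += $setting }
        }
    }

    foreach ($pfn in ($seen.Keys | Sort-Object)) {
        $hits = $seen[$pfn]
        [pscustomobject]@{
            PackageFamilyName = $pfn
            Effective         = if ($hits.Count -eq 1) { $hits[0] } else { 'AMBIGUOUS' }
            ListedIn          = $hits -join ', '
            Conflict          = ($hits.Count -gt 1)
        }
    }

    # Apps named in no list fall back to the default policy value.
    [pscustomobject]@{
        PackageFamilyName = '(any other app)'
        Effective         = $label[$Default]
        ListedIn          = 'default'
        Conflict          = $false
    }
}

# Constructed sample: default is Force deny, one app is listed twice by mistake.
$policy = @{
    Default                  = 2
    ForceAllowTheseApps      = 'Contoso.Dialer_0000000000000;Contoso.Scanner_0000000000000'
    ForceDenyTheseApps       = 'Contoso.Scanner_0000000000000'
    UserInControlOfTheseApps = 'Contoso.Notes_0000000000000'
}
Resolve-AppPrivacySetting @policy | Format-Table -AutoSize
```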

Search/AllowIndexingEncryptedStoresOrItems

Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files.

When the policy is enabled, WIP protected items are indexed and the metadata about them is stored in an unencrypted location. The metadata includes things like file path and date modified.

When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana or File Explorer. There may also be a performance impact on the Photos and Groove apps if there are a lot of WIP protected media files on the device.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Search/AllowSearchToUseLocation

Specifies whether search can leverage location information.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Search/AllowUsingDiacritics

Allows the use of diacritics.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Search/AlwaysUseAutoLangDetection

Specifies whether to always use automatic language detection when indexing content and properties.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Search/DisableBackoff

If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled.

The following list shows the supported values:

  • 0 (default) – Disable.
  • 1 – Enable.

Search/DisableRemovableDriveIndexing

This policy setting configures whether or not locations on removable drives can be added to libraries.

If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed.

If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed.

The following list shows the supported values:

  • 0 (default) – Disable.
  • 1 – Enable.

Search/PreventIndexingLowDiskSpaceMB

Enabling this policy stops indexing once less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 2147483647 MB.

Enable this policy if computers in your environment have extremely limited hard drive space.

When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size.

The following list shows the supported values:

  • 0 – Disable.
  • 1 (default) – Enable.

Search/PreventRemoteQueries

If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index.

The following list shows the supported values:

  • 0 – Disable.
  • 1 (default) – Enable.

Search/SafeSearchPermissions

Note This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Specifies what level of safe search (filtering adult content) is required.

The following list shows the supported values:

  • 0 – Strict, highest filtering against adult content.
  • 1 (default) – Moderate filtering against adult content (valid search results will not be filtered).

Most restricted value is 0.

Security/AllowAddProvisioningPackage

Specifies whether to allow the runtime configuration agent to install provisioning packages.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices

Note This policy has been deprecated in Windows 10, version 1607.

Note This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Security/AllowManualRootCertificateInstallation

Note This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Specifies whether the user is allowed to manually install root and intermediate CA certificates.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Security/AllowRemoveProvisioningPackage

Specifies whether to allow the runtime configuration agent to remove provisioning packages.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Security/AntiTheftMode

Note This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Allows or disallows Anti Theft Mode on the device.

The following list shows the supported values:

  • 0 – Don't allow Anti Theft Mode.
  • 1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent).

Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices

Note This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Added in Windows 10, version 1607 to replace the deprecated policy Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices.

Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.

The following list shows the supported values:

  • 0 (default) – Encryption enabled.
  • 1 – Encryption disabled.

Security/RequireDeviceEncryption

Note This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the DeviceStatus CSP node DeviceStatus/Compliance/EncryptionCompliance.

Allows the enterprise to turn on internal storage encryption.

Important BitLocker must be enabled on the device before using this policy.

The following list shows the supported values:

  • 0 (default) – Encryption is not required.
  • 1 – Encryption is required.

Most restricted value is 1.

Important If encryption has been enabled, it cannot be turned off using this policy.

Security/RequireProvisioningPackageSignature

Specifies whether provisioning packages must have a certificate signed by a device trusted authority.

The following list shows the supported values:

  • 0 (default) – Not required.
  • 1 – Required.

Security/RequireRetrieveHealthCertificateOnBoot

Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots.

The following list shows the supported values:

  • 0 (default) – Not required.
  • 1 – Required.

Setting this policy to 1 (Required):

  • Determines whether a device is capable of Remote Device Health Attestation, by verifying if the device has TPM 2.0.
  • Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification.

Note We recommend that this policy is set to Required after MDM enrollment.

Most restricted value is 1.

Settings/AllowAutoPlay

Note This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Allows the user to change Auto Play settings.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Note Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected.

Settings/AllowDataSense

Allows the user to change Data Sense settings.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Settings/AllowDateTime

Allows the user to change date and time settings.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Settings/AllowEditDeviceName

Allows editing of the device name.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Settings/AllowLanguage

Note This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Allows the user to change the language settings.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Settings/AllowPowerSleep

Note This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Allows the user to change power and sleep settings.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Settings/AllowRegion

Note This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Allows the user to change the region settings.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Settings/AllowSignInOptions

Note This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Allows the user to change sign-in options.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Settings/AllowVPN

Allows the user to change VPN settings.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Settings/AllowWorkplace

Note This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Allows the user to change workplace settings.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Settings/AllowYourAccount

Allows the user to change account settings.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Speech/AllowSpeechModelUpdate

Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS).

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Start/ForceStartSize

Note This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Forces the start screen size.

The following list shows the supported values:

  • 0 (default) – Do not force size of Start.
  • 1 – Force non-fullscreen size of Start.
  • 2 – Force a fullscreen size of Start.

If there is a policy configuration conflict, the latest configuration request is applied to the device.

Start/StartLayout

Important This node is set on a per-user basis and must be accessed using the following paths:

  • ./User/Vendor/MSFT/Policy/Config/Start/StartLayout to configure the policy.
  • ./User/Vendor/MSFT/Policy/Result/Start/StartLayout to query the current value of the policy.

Allows you to override the default Start layout and prevents the user from changing it.

This policy is described in Start/StartLayout Examples later in this topic.

System/AllowBuildPreview

Note This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise.

This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software.

If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable.

The following list shows the supported values:

  • 0 – Not allowed. The item "Get Insider builds" is unavailable; users are unable to make their devices available for preview software.
  • 1 – Allowed. Users can make their devices available for downloading and installing preview software.
  • 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software.

System/AllowEmbeddedMode

Specifies whether a general-purpose device can be set to embedded mode.

The following list shows the supported values:

  • 0 (default) – Not allowed.
  • 1 – Allowed.

Most restricted value is 0.

System/AllowExperimentation

Note This policy is not supported in Windows 10, version 1607.

This policy setting determines the level at which Microsoft can experiment with the product to study user preferences or device behavior.

The following list shows the supported values:

  • 0 – Disabled.
  • 1 (default) – Permits Microsoft to configure device settings only.
  • 2 – Allows Microsoft to conduct full experimentation.

Most restricted value is 0.

System/AllowLocation

Specifies whether to allow app access to the Location service.

The following list shows the supported values:

  • 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search.
  • 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off.
  • 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed.

Most restricted value is 0.

While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy.

When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting.

For example, an app's original Location setting is Off. The administrator then sets the AllowLocation policy to 2 (Force Location On). The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the AllowLocation policy back to 1 (User Control), the app will revert to using its original setting of Off.

System/AllowStorageCard

Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card.

The following list shows the supported values:

  • 0 – SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card.
  • 1 (default) – Allow a storage card.

Most restricted value is 0.

System/AllowTelemetry

Allow the device to send diagnostic and usage telemetry data, such as Watson.

The following tables describe the supported values:

Windows 8.1 Values

0 – Not allowed.

1 – Allowed, except for Secondary Data Requests.

2 (default) – Allowed.

Windows 10 Values

0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.

Note This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.

1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level.

2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels.

3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.

Important If you are using a Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1.

Most restricted value is 0.

System/AllowUserToResetPhone

Note This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Specifies whether to allow the user to factory reset the phone by using the control panel and a hardware key combination.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed to reset to factory default settings.

Most restricted value is 0.

System/TelemetryProxy

Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is <server>:<port>. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device.

If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration.

TextInput/AllowIMELogging

Note The policy is only enforced in Windows 10 for desktop.

Allows the user to turn on and off logging for incorrect conversion, saving the auto-tuning result to a file, and history-based predictive input.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

TextInput/AllowIMENetworkAccess

Note The policy is only enforced in Windows 10 for desktop.

Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

TextInput/AllowInputPanel

Note The policy is only enforced in Windows 10 for desktop.

Allows the IT admin to disable the touch/handwriting keyboard on Windows.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

TextInput/AllowJapaneseIMESurrogatePairCharacters

Note The policy is only enforced in Windows 10 for desktop.

Allows the Japanese IME surrogate pair characters.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

TextInput/AllowJapaneseIVSCharacters

Note The policy is only enforced in Windows 10 for desktop.

Allows Japanese Ideographic Variation Sequence (IVS) characters.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

TextInput/AllowJapaneseNonPublishingStandardGlyph

Note The policy is only enforced in Windows 10 for desktop.

Allows the Japanese non-publishing standard glyph.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

TextInput/AllowJapaneseUserDictionary

Note The policy is only enforced in Windows 10 for desktop.

Allows the Japanese user dictionary.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

TextInput/AllowKoreanExtendedHanja

This policy has been deprecated.

TextInput/AllowLanguageFeaturesUninstall

Note The policy is only enforced in Windows 10 for desktop.

Allows the uninstall of language features, such as spell checkers, on a device.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

TextInput/AllowLinguisticDataCollection

Allows anonymized samples of user text input data to be collected and sent to Microsoft for future language model improvements.

Important Text input entered using specific input scope fields such as email address, login name, passwords, and phone numbers is excluded from any sampling.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

TextInput/ExcludeJapaneseIMEExceptJIS0208

Note The policy is only enforced in Windows 10 for desktop.

Allows users to restrict the character code range of conversion by setting the character filter.

The following list shows the supported values:

  • 0 (default) – No characters are filtered.
  • 1 – All characters except JIS0208 are filtered.

TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC

Note The policy is only enforced in Windows 10 for desktop.

Allows users to restrict the character code range of conversion by setting the character filter.

The following list shows the supported values:

  • 0 (default) – No characters are filtered.
  • 1 – All characters except JIS0208 and EUDC are filtered.

TextInput/ExcludeJapaneseIMEExceptShiftJIS

Note The policy is only enforced in Windows 10 for desktop.

Allows users to restrict the character code range of conversion by setting the character filter.

The following list shows the supported values:

  • 0 (default) – No characters are filtered.
  • 1 – All characters except ShiftJIS are filtered.

Update/ActiveHoursEnd

Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise.

Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12-hour maximum from start time.

Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.

The default is 17 (5 PM).

Update/ActiveHoursStart

Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise.

Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12-hour maximum from start time.

Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.

The default value is 8 (8 AM).

Update/AllowAutoUpdate

Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise.

Enables the IT admin to manage automatic update behavior to scan, download, and install updates.

Supported operations are Get and Replace.

The following list shows the supported values:

  • 0 – Notify the user before downloading the update. This policy is used by enterprises that want to enable end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
  • 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shut down properly on restart.
  • 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shut down properly on restart.
  • 3 – Auto install and restart at a specified time. The IT admin specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
  • 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only.
  • 5 – Turn off automatic updates.

    Important This option should be used only for systems under regulatory compliance, because the device will not receive security updates either.

If the policy is not configured, end-users get the default behavior (Auto install and restart).

Update/AllowMUUpdateService

Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.

Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.

The following list shows the supported values:

  • 0 – Not allowed or not configured.
  • 1 – Allowed. Accepts updates received through Microsoft Update.

Update/AllowNonMicrosoftSignedUpdate

Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise.

Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution.

Supported operations are Get and Replace.

The following list shows the supported values:

  • 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
  • 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.

This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.

Update/AllowUpdateService

Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise.

Specifies whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store.

Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store.

Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working.

The following list shows the supported values:

  • 0 – Update service is not allowed.
  • 1 (default) – Update service is allowed.

Note This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.

Update/BranchReadinessLevel

Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise.

Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives its updates from.

The following list shows the supported values:

  • 16 (default) – User gets all applicable upgrades from Current Branch (CB).
  • 32 – User gets upgrades from Current Branch for Business (CBB).

Update/DeferFeatureUpdatesPeriodInDays

Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.

Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.

Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.

Supported values are 0-180.

Update/DeferQualityUpdatesPeriodInDays

Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise.

Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.

Supported values are 0-30.

Update/DeferUpdatePeriod

Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise.

Don't use this policy on Windows 10, version 1607 devices. Instead, use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.

Allows IT Admins to specify update delays for up to 4 weeks.

Supported values are 0-4, which refers to the number of weeks to defer updates.

In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following:

  • Update/RequireDeferUpgrade must be set to 1
  • System/AllowTelemetry must be set to 1 or higher

If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.

If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.

Update category: OS upgrade

  • Maximum deferral: 8 months
  • Deferral increment: 1 month
  • Update type/notes: Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5

Update category: Update

  • Maximum deferral: 1 month
  • Deferral increment: 1 week
  • Update type/notes:

    Note If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic.

      • Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
      • Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4
      • Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F
      • Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828
      • Tools - B4832BD8-E735-4761-8DAF-37F882276DAB
      • Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F
      • Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
      • Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0

Update category: Other/cannot defer

  • Maximum deferral: No deferral
  • Deferral increment: No deferral
  • Update type/notes: Any update category not specifically enumerated above falls into this category. Definition Update - E0789628-CE08-4437-BE74-2495B842F43B

Update/DeferUpgradePeriod

Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.

Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.

Don't use this policy on Windows 10, version 1607 devices. Instead, use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.

Allows IT Admins to specify additional upgrade delays for up to 8 months.

Supported values are 0-8, which refers to the number of months to defer upgrades.

If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.

If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.

Update/ExcludeWUDriversInQualityUpdate

Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.

Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.

The following list shows the supported values:

  • 0 (default) – Allow Windows Update drivers.
  • 1 – Exclude Windows Update drivers.

Update/PauseDeferrals

Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise.

Don't use this policy on Windows 10, version 1607 devices. Instead, use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use PauseDeferrals for Windows 10, version 1511 devices.

Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks.

The following list shows the supported values:

  • 0 (default) – Deferrals are not paused.
  • 1 – Deferrals are paused.

If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.

If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.

Update/PauseFeatureUpdates

Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.

Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.

Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.

The following list shows the supported values:

  • 0 (default) – Feature Updates are not paused.
  • 1 – Feature Updates are paused for 60 days or until the value is set back to 0, whichever is sooner.

Update/PauseQualityUpdates

Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise.

Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.

The following list shows the supported values:

  • 0 (default) – Quality Updates are not paused.
  • 1 – Quality Updates are paused for 35 days or until the value is set back to 0, whichever is sooner.

Update/RequireDeferUpgrade

Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise.

Don't use this policy on Windows 10, version 1607 devices. Instead, use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.

Allows the IT admin to set a device to the CBB train.

The following list shows the supported values:

  • 0 (default) – User gets upgrades from Current Branch.
  • 1 – User gets upgrades from Current Branch for Business.

Update/RequireUpdateApproval

Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise.


Note If you previously used the Update/PhoneUpdateRestrictions policy in previous versions of Windows, it has been deprecated. Please use this policy instead.

Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.

Supported operations are Get and Replace.

The following list shows the supported values:

  • 0 – Not configured. The device installs all applicable updates.
  • 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.

Update/ScheduledInstallDay

Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise.

Enables the IT admin to schedule the day of the update installation.

The data type is a string.

Supported operations are Add, Delete, Get, and Replace.

The following list shows the supported values:

  • 0 (default) – Every day
  • 1 – Sunday
  • 2 – Monday
  • 3 – Tuesday
  • 4 – Wednesday
  • 5 – Thursday
  • 6 – Friday
  • 7 – Saturday

Update/ScheduledInstallTime

Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise.

Enables the IT admin to schedule the time of the update installation.

The data type is a string.

Supported operations are Add, Delete, Get, and Replace.

Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.

The default value is 3.

Update/UpdateServiceUrl

Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise.

Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.

Supported operations are Get and Replace.

The following list shows the supported values:

  • Not configured. The device checks for updates from Microsoft Update.
  • Set to a URL, such as http://abcd-srv:8530. The device checks for updates from the WSUS server at the specified URL.

Example

        <Replace>
            <CmdID>$CmdID$</CmdID>
            <Item>
                <Meta>
                    <Format>chr</Format>
                    <Type>text/plain</Type>
                </Meta>
                <Target>
                    <LocURI>./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl</LocURI>
                </Target>
                <Data>http://abcd-srv:8530</Data>
            </Item>
        </Replace>

Update/UpdateServiceUrlAlternate

Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.

This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.

To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure the Windows Update agent to download updates from an alternate download server instead of the WSUS server.

Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.

Note

  • If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
  • If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates.
  • This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.

WiFi/AllowAutoConnectToWiFiSenseHotspots

Allow or disallow the device to automatically connect to Wi-Fi hotspots.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

WiFi/AllowInternetSharing

Allow or disallow internet sharing.

The following list shows the supported values:

  • 0 – Do not allow the use of Internet Sharing.
  • 1 (default) – Allow the use of Internet Sharing.

Most restricted value is 0.

WiFi/AllowManualWiFiConfiguration

Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks.

The following list shows the supported values:

  • 0 – No Wi-Fi connection outside of MDM provisioned network is allowed.
  • 1 (default) – Adding new network SSIDs beyond the already MDM provisioned ones is allowed.

Most restricted value is 0.

Note Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted.

WiFi/AllowWiFi

Allow or disallow Wi-Fi connection.

The following list shows the supported values:

  • 0 – Wi-Fi connection is not allowed.
  • 1 (default) – Wi-Fi connection is allowed.

Most restricted value is 0.

WiFi/AllowWiFiHotSpotReporting

This policy has been deprecated.

WiFi/WLANScanMode

Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected.

Supported values are 0-500, where 100 = normal scan frequency and 500 = low scan frequency.

The default value is 0.

Supported operations are Add, Delete, Get, and Replace.

WindowsInkWorkspace/AllowWindowsInkWorkspace

Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace.

Value type is int. The following list shows the supported values:

  • 0 - access to ink workspace is disabled. The feature is turned off.
  • 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.
  • 2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen.

WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace

Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace.

Value type is bool. The following list shows the supported values:

  • 0 - app suggestions are not allowed.
  • 1 (default) - allow app suggestions.

WirelessDisplay/AllowProjectionToPC

Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC.

If you set it to 0 (zero), your PC is not discoverable and you cannot project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in Settings > System > Projecting to this PC.

Value type is integer. Valid values:

  • 0 - projection to PC is not allowed. Always off and the user cannot enable it.
  • 1 (default) - projection to PC is allowed. Enabled only above the lock screen.

WirelessDisplay/RequirePinForPairing

Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing.

If you turn this on, the pairing ceremony for new devices will always require a PIN. If you turn this off or do not configure it, a PIN is not required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in Settings > System > Projecting to this PC.

Value type is integer. Valid values:

  • 0 (default) - PIN is not required.
  • 1 - PIN is required.

Examples

Set the minimum password length to 4 characters.

<SyncML xmlns="SYNCML:SYNCML1.2">
    <SyncBody>
        <Replace>
            <CmdID>$CmdID$</CmdID>
            <Item>
                <Target>
                    <LocURI>./Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">int</Format>
                </Meta>
                <Data>4</Data>
            </Item>
        </Replace>
        <Final/>
    </SyncBody>
</SyncML>

Do not allow NFC.

<SyncML xmlns="SYNCML:SYNCML1.2">
    <SyncBody>
        <Replace>
            <CmdID>$CmdID$</CmdID>
            <Item>
                <Target>
                    <LocURI>./Vendor/MSFT/Policy/Config/Connectivity/AllowNFC</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">int</Format>
                </Meta>
                <Data>0</Data>
            </Item>
        </Replace>
        <Final/>
    </SyncBody>
</SyncML>
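
A pre-deployment check for payloads like the two above, written for this page as an added example (not Microsoft code): it parses a SyncML body and compares each Replace value with the supported values listed for three lock-screen-related policies in this reference. The function name, the sample payload and the "review" sets (supported values that are the less restrictive choice) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"s": "SYNCML:SYNCML1.2"}
PREFIX = "./Vendor/MSFT/Policy/Config/"
# policy: (supported values listed on this page, values to review).
# The "review" sets are this example's assumption, not Microsoft guidance.
POLICIES = {
    "WindowsInkWorkspace/AllowWindowsInkWorkspace": ({0, 1, 2}, {2}),
    "WirelessDisplay/AllowProjectionToPC": ({0, 1}, {1}),
    "WirelessDisplay/RequirePinForPairing": ({0, 1}, {0}),
}

# Constructed sample payload: one weak value, one invalid value, one clean value.
SAMPLE_SYNCML = """<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody>
  <Replace><CmdID>1</CmdID><Item>
    <Target><LocURI>./Vendor/MSFT/Policy/Config/WirelessDisplay/RequirePinForPairing</LocURI></Target>
    <Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>0</Data>
  </Item></Replace>
  <Replace><CmdID>2</CmdID><Item>
    <Target><LocURI>./Vendor/MSFT/Policy/Config/WirelessDisplay/AllowProjectionToPC</LocURI></Target>
    <Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>3</Data>
  </Item></Replace>
  <Replace><CmdID>3</CmdID><Item>
    <Target><LocURI>./Vendor/MSFT/Policy/Config/WindowsInkWorkspace/AllowWindowsInkWorkspace</LocURI></Target>
    <Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>1</Data>
  </Item></Replace>
  <Final/></SyncBody></SyncML>"""

def lint_syncml(xml_text):
    """Return (policy, severity, message) findings for each Replace item."""
    findings = []
    for item in ET.fromstring(xml_text).iterfind(".//s:Replace/s:Item", NS):
        uri = (item.findtext("s:Target/s:LocURI", "", NS) or "").strip()
        policy = uri[len(PREFIX):] if uri.startswith(PREFIX) else None
        if policy not in POLICIES:
            continue  # outside the policies this example covers
        supported, review = POLICIES[policy]
        data = (item.findtext("s:Data", "", NS) or "").strip()
        try:
            value = int(data)
        except ValueError:
            findings.append((policy, "error", f"Data {data!r} is not an integer"))
            continue
        if value not in supported:
            findings.append((policy, "error", f"{value} not in {sorted(supported)}"))
        elif value in review:
            findings.append((policy, "review", f"{value} is the less restrictive setting"))
    return findings
```
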

Start/StartLayout Examples

Generating a layout

The easiest way to generate a layout is to set the Start layout on a PC, and then run the PowerShell cmdlet Export-StartLayout.

> Export-StartLayout -path c:\users\<you>\desktop\startlayout.xml

Sample layout generated using the cmdlet

<LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
        <start:Group Name="quick links" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
          <start:Tile Size="2x2" Column="4" Row="4" TileID="903d2b5e-807b-4c7a-8362-0fcc184f97f7" AppUserModelID="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"/>
          <start:Tile Size="4x4" Column="0" Row="0" TileID="ad99e7e3-3929-4e54-850c-0956e6dc6296" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App"/>
          <start:Tile Size="4x4" Column="0" Row="0" TileID="e86b4425-e28e-4e59-abeb-39316c1cd0eb" AppUserModelID="Microsoft.BingNews_8wekyb3d8bbwe!AppexNews"/>
          <start:Tile Size="2x2" Column="4" Row="4" TileID="37fe8c50-8b37-41e2-9d8b-f8915ef2b89b" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"/>
        </start:Group>
        <start:Group Name="LOB apps" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
          <start:Tile Size="2x2" Column="4" Row="4" TileID="10c72642-ef27-4890-8d3b-f5a4b10b2611" AppUserModelID="CmModernAppv.01_g4ype1skzj3jy!App"/>
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="wpsh..tion_0000000000000000_ea68d408322b5ed8"/>
          <start:Tile Size="2x2" Column="2" Row="2" TileID="68a2c085-a2a5-4849-a3e5-c5f8bd736b8f" AppUserModelID="Microsoft.CorporateAppCenter_8wekyb3d8bbwe!App"/>
        </start:Group>
        <start:Group Name="comms" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
          <start:Tile Size="4x2" Column="0" Row="0" TileID="a39d270e-d013-40a9-879d-eb563c019a4f" AppUserModelID="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail"/>
          <start:Tile Size="4x4" Column="0" Row="0" TileID="293e8dd8-c33d-4797-997e-f646902d1e56" AppUserModelID="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar"/>
          <start:Tile Size="2x2" Column="4" Row="4" TileID="2f5a81f5-7f85-42c9-88f7-dd41aa9609f7" AppUserModelID="Microsoft.People_8wekyb3d8bbwe!x4c7a3b7dy2188y46d4ya362y19ac5a5805e5x"/>
        </start:Group>
        <start:Group Name="Office" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationID="Microsoft.Office.lync.exe.15"/>
          <start:Tile Size="2x2" Column="4" Row="4" TileID="337be122-44b3-4215-8d6f-75f29af5a722" AppUserModelID="Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim"/>
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="Microsoft.Office.OUTLOOK.EXE.15"/>
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="Microsoft.Office.EXCEL.EXE.15"/>
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationID="Microsoft.Office.ONENOTE.EXE.15"/>
          <start:DesktopApplicationTile Size="2x2" Column="4" Row="4" DesktopApplicationID="Microsoft.Office.POWERPNT.EXE.15"/>
        </start:Group>
        <start:Group Name="Edge pinned shortcuts" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
          <start:SecondaryTile AppUserModelID="Microsoft.Windows.Edge_cw5n1h2txyewy!Microsoft.Edge.Edge" TileID="-9513911450" DisplayName="Bing" Size="2x2" Column="0" Row="0" Arguments="-contentTile -formatVersion 0x00000003 -pinnedTimeLow 0x36a8c2e4 -pinnedTimeHigh 0x01d0919b -securityFlags 0x00000000 -tileType 0x00000000 -url 0x00000014 http://www.bing.com/" Square150x150LogoUri="ms-appdata:///local/PinnedTiles/-9513911450/lowres.png" Wide310x150LogoUri="ms-appx:///" ShowNameOnSquare150x150Logo="true" ShowNameOnWide310x150Logo="true" BackgroundColor="#7fffffff"/>
          <start:SecondaryTile AppUserModelID="Microsoft.Windows.Edge_cw5n1h2txyewy!Microsoft.Edge.Edge" TileID="-2360074010" DisplayName="msn" Size="2x2" Column="2" Row="2" Arguments="-contentTile -formatVersion 0x00000003 -pinnedTimeLow 0xec458ccc -pinnedTimeHigh 0x01d091a0 -securityFlags 0x00000000 -tileType 0x00000000 -url 0x00000013 http://www.msn.com/" Square150x150LogoUri="ms-appdata:///local/PinnedTiles/-2360074010/hires.png" Wide310x150LogoUri="ms-appx:///" ShowNameOnSquare150x150Logo="true" ShowNameOnWide310x150Logo="true" BackgroundColor="#7fffffff"/>
          <start:SecondaryTile AppUserModelID="Microsoft.Windows.Edge_cw5n1h2txyewy!Microsoft.Edge.Edge" TileID="-21368412090" DisplayName="The Verge" Size="2x2" Column="4" Row="4" Arguments="-pinnedSite -contentTile -formatVersion 0x00000003 -pinnedTimeLow 0x00bad87b -pinnedTimeHigh 0x01d091a1 -securityFlags 0x00000000 -tileType 0x00000000 -url 0x00000018 http://www.theverge.com/" Square150x150LogoUri="ms-appdata:///local/PinnedTiles/-21368412090/squaretile.png" Wide310x150LogoUri="ms-appdata:///local/PinnedTiles/-21368412090/widetile.png" ShowNameOnSquare150x150Logo="true" ShowNameOnWide310x150Logo="true" BackgroundColor="#7fffffff"/>
        </start:Group>
        <start:Group Name="dev tools" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe"/>
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationID="{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\WindowsPowerShell\v1.0\powershell.exe"/>
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>

Understanding the schema

In the previous example, the DefaultLayoutOverride element is used to specify a layout that overrides the default Start layout. It contains a StartLayoutCollection. StartLayoutCollection contains a StartLayout, which is made up of a collection of Groups which are, in turn, made up of either Tiles or DesktopApplicationTiles.

Manually creating a layout

For Tile elements, the AppUserModelID can be retrieved with the PowerShell cmdlet Get-StartApps. The app needs to be installed to retrieve this information.

For DesktopApplicationTile elements, the DesktopApplicationID can be retrieved with the PowerShell cmdlet Get-StartApps. The app needs to be installed to retrieve this information.

Secondary tiles

Secondary tiles need special attention when you create a layout. In general, the simplest way to correctly specify a SecondaryTile is to generate it using the Export-StartLayout PowerShell cmdlet as specified above.

Note: Apps that don't encode enough information in their secondary tiles may not work effectively in the StartLayout policy.

Generic webpage shortcuts

The simplest mechanism to create a link to a webpage is to use a URL file. This can be manually added to the layout file by specifying the URL in the DesktopApplicationID attribute.

<start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="www.bing.com" />

Microsoft Edge secondary tiles

These can be generated by using the Export-StartLayout PowerShell cmdlet as specified above. The following example shows a generated secondary tile:

<start:SecondaryTile 
    AppUserModelID="Microsoft.Windows.Edge_cw5n1h2txyewy!Microsoft.Edge.Edge" 
    TileID="-9513911450" 
    DisplayName="Bing" 
    Size="2x2" 
    Column="0" 
    Row="0" 
    Arguments="-contentTile -formatVersion 0x00000003 -pinnedTimeLow 0x36a8c2e4 -pinnedTimeHigh 0x01d0919b -securityFlags 0x00000000 -tileType 0x00000000 -url 0x00000014 http://www.bing.com/"
    Square150x150LogoUri="ms-appdata:///local/PinnedTiles/-9513911450/lowres.png"
    Wide310x150LogoUri="ms-appx:///" 
    ShowNameOnSquare150x150Logo="true" 
    ShowNameOnWide310x150Logo="true" 
    BackgroundColor="#7fffffff" 
  />
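
An inventory pass over a layout file before it is pushed through Start/StartLayout, added here as an example (not Microsoft code): it walks the Group and tile structure described under "Understanding the schema" and pulls the URL out of each SecondaryTile's Arguments. The function name, the cut-down sample layout, the `-url <hex> <url>` pattern (taken from the sample tiles on this page) and the two review rules are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

START = "{http://schemas.microsoft.com/Start/2014/StartLayout}"
SHELLS = ("cmd.exe", "powershell.exe")  # review rule assumed by this example

# Constructed sample: a cut-down layout reusing tiles shown on this page.
SAMPLE_LAYOUT = r"""<LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
        <start:Group Name="web" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
          <start:SecondaryTile AppUserModelID="Microsoft.Windows.Edge_cw5n1h2txyewy!Microsoft.Edge.Edge" TileID="-9513911450" DisplayName="Bing" Size="2x2" Column="0" Row="0" Arguments="-contentTile -url 0x00000014 http://www.bing.com/"/>
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="www.bing.com"/>
        </start:Group>
        <start:Group Name="dev tools" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe"/>
          <start:Tile Size="2x2" Column="2" Row="0" TileID="37fe8c50-8b37-41e2-9d8b-f8915ef2b89b" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"/>
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>"""

def audit_layout(xml_text):
    """Return (inventory, findings) covering every tile in every Group."""
    inventory, findings = [], []
    for group in ET.fromstring(xml_text).iter(START + "Group"):
        name = group.get("Name", "")
        for tile in group:
            kind = tile.tag.replace(START, "")
            target = tile.get("AppUserModelID") or tile.get("DesktopApplicationID", "")
            if kind == "SecondaryTile":
                # Report the pinned URL rather than the hosting browser's ID.
                m = re.search(r"-url\s+\S+\s+(\S+)", tile.get("Arguments", ""))
                if m:
                    target = m.group(1)
                    if target.lower().startswith("http://"):
                        findings.append((name, target, "secondary tile opens a plain-HTTP URL"))
            elif kind == "DesktopApplicationTile" and target.lower().endswith(SHELLS):
                findings.append((name, target, "layout pins a command shell"))
            inventory.append((name, kind, target))
    return inventory, findings
```
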
