New Settings in Windows 11

This page lists the administrative template files (.admx) that carry Group Policy settings new to Windows 11, grouped by scope (Machine, written under HKLM, or User, written under HKCU) and by policy path. For each setting it gives the policy name as shown in the Group Policy editor, the registry key and value it writes (in Key!ValueName form), the Windows versions it is supported on, and the explanatory text from the template. It is a reference for administrators deciding which of these settings to enforce; several of them (print driver installation, DNS over HTTPS, Device Control printing, Windows Sandbox isolation, Remote Desktop redirection, Defender network protection, tenant restrictions) directly change the attack surface of a managed fleet.


Settings

Each entry gives the policy name, then the ADMX file and scope, the policy path in the Group Policy editor, the registry value written (Key!ValueName), and the "Supported on" text from the template. Where the source capture cut a registry string short, the fragment is kept as captured and marked "(truncated in source)".

 1. Prevent lock screen background motion
    ADMX: ControlPanelDisplay.admx (Machine)   Path: Control Panel\Personalization
    Registry: HKLM\Software\Policies\Microsoft\Windows\Personalization!AnimateLockScreenBackground
    Supported on: At least Windows 10

 2. Restrict Language Pack and Language Feature Installation
    ADMX: Globalization.admx (Machine)   Path: Control Panel\Regional and Language Options
    Registry: HKLM\Software\Policies\Microsoft\Control Panel\International!RestrictLanguagePacksAndFeaturesInstall
    Supported on: At least Windows Server 2016, Windows 10

 3. Limits print driver installation to Administrators
    ADMX: SecGuide.admx (Machine)   Path: MS Security Guide
    Registry: HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint!RestrictDriverInstallationToAdministrators
    Supported on: At least Windows Server 2008 R2 or Windows 7

 4. Configure DNS over HTTPS (DoH) name resolution
    ADMX: DnsClient.admx (Machine)   Path: Network\DNS Client
    Registry: HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!DoHPolicy
    Supported on: At least Windows Vista

 5. Enable Device Control Printing Restrictions
    ADMX: Printing.admx (Machine)   Path: Printers
    Registry: HKLM\Software\Policies\Microsoft\Windows NT\Printers!EnableDeviceControl
    Supported on: At least Windows Server 2016, Windows 10

 6. List of Approved USB-connected print devices
    ADMX: Printing.admx (Machine)   Path: Printers
    Registry: HKLM\Software\Policies\Microsoft\Windows NT\Printers!ApprovedUsbPrintDevices
    Supported on: At least Windows Server 2016, Windows 10

 7. Show or hide "Most used" list from Start menu
    ADMX: StartMenu.admx (Machine)   Path: Start Menu and Taskbar
    Registry: HKLM\Software\Policies\Microsoft\Windows\Explorer!ShowOrHideMostUsedApps
    Supported on: At least Windows Server 2016, Windows 10 Version 2106

 8. Enables group policy for the WNS FQDN
    ADMX: WPN.admx (Machine)   Path: Start Menu and Taskbar\Notifications
    Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications!WnsEndpoint
    Supported on: At least Windows Server 2016, Windows 10

 9. Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria
    ADMX: DeviceInstallation.admx (Machine)   Path: System\Device Installation\Device Installation Restrictions
    Registry: HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!AllowDenyLayered
    Supported on: At least Windows Server 2016, Windows 10 Version 2106

10. Enable NTFS non-paged pool usage
    ADMX: FileSys.admx (Machine)   Path: System\Filesystem\NTFS
    Registry: HKLM\System\CurrentControlSet\Policies!NtfsForceNonPagedPoolAllocation
    Supported on: At least Windows Server 2016, Windows 10

11. NTFS default tier
    ADMX: FileSys.admx (Machine)   Path: System\Filesystem\NTFS
    Registry: HKLM\System\CurrentControlSet\Policies!NtfsDefaultTier
    Supported on: At least Windows Server 2016, Windows 10

12. NTFS parallel flush threshold
    ADMX: FileSys.admx (Machine)   Path: System\Filesystem\NTFS
    Registry: HKLM\System\CurrentControlSet\Policies!NtfsParallelFlushThreshold
    Supported on: At least Windows Server 2016, Windows 10

13. NTFS parallel flush worker threads
    ADMX: FileSys.admx (Machine)   Path: System\Filesystem\NTFS
    Registry: HKLM\System\CurrentControlSet\Policies!NtfsParallelFlushWorkers
    Supported on: At least Windows Server 2016, Windows 10

14. Allow retrieving the cloud kerberos ticket during the logon
    ADMX: Kerberos.admx (Machine)   Path: System\Kerberos
    Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!CloudKerberosTicketRetrievalEna (truncated in source)
    Supported on: At least Windows Server 2016, Windows 10

15. Use lowercase DNS host names when registering domain controller SRV records
    ADMX: Netlogon.admx (Machine)   Path: System\Net Logon\DC Locator DNS Records
    Registry: HKLM\Software\Policies\Microsoft\Netlogon\Parameters!DnsSrvRecordUseLowerCaseHostNames
    Supported on: Unknown

16. Configure validation of ROCA-vulnerable WHfB keys during authentication
    ADMX: sam.admx (Machine)   Path: System\Security Account Manager
    Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SAM!SamNGCKeyROCAValidation
    Supported on: At least Windows Vista

17. Archive infrequently used apps
    ADMX: AppxPackageManager.admx (Machine)   Path: Windows Components\App Package Deployment
    Registry: HKLM\Software\Policies\Microsoft\Windows\Appx!AllowAutomaticAppArchiving
    Supported on: At least Windows Server 2016, Windows 10

18. Not allow sideloaded apps to auto-update in the background
    ADMX: AppxPackageManager.admx (Machine)   Path: Windows Components\App Package Deployment
    Registry: HKLM\Software\Policies\Microsoft\Windows\Appx!DisableBackgroundAutoUpdates
    Supported on: At least Windows Server 2016, Windows 10 Version 2106

19. Not allow sideloaded apps to auto-update in the background on a metered network
    ADMX: AppxPackageManager.admx (Machine)   Path: Windows Components\App Package Deployment
    Registry: HKLM\Software\Policies\Microsoft\Windows\Appx!DisableMeteredNetworkBackgroundAutoUpdates
    Supported on: At least Windows Server 2016, Windows 10 Version 2106

20. Let Windows apps take screenshots of various windows or displays
    ADMX: AppPrivacy.admx (Machine)   Path: Windows Components\App Privacy
    Registry: HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessGraphicsCaptureProgrammatic; HKLM\Software\Polic (second value truncated in source)
    Supported on: At least Windows Server 2016, Windows 10

21. Let Windows apps turn off the screenshot border
    ADMX: AppPrivacy.admx (Machine)   Path: Windows Components\App Privacy
    Registry: HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessGraphicsCaptureWithoutBorder; HKLM\Software\Poli (second value truncated in source)
    Supported on: At least Windows Server 2016, Windows 10

22. Configures the Chat icon on the taskbar
    ADMX: Taskbar.admx (Machine)   Path: Windows Components\Chat
    Registry: HKLM\Software\Policies\Microsoft\Windows\Windows Chat!ChatIcon
    Supported on: At least Windows Server 2016, Windows 10

23. Turn off cloud consumer account state content
    ADMX: CloudContent.admx (Machine)   Path: Windows Components\Cloud Content
    Registry: HKLM\Software\Policies\Microsoft\Windows\CloudContent!DisableConsumerAccountStateContent
    Supported on: At least Windows Server 2016, Windows 10 Version 1909

24. Disable OneSettings Downloads
    ADMX: DataCollection.admx (Machine)   Path: Windows Components\Data Collection and Preview Builds
    Registry: HKLM\Software\Policies\Microsoft\Windows\DataCollection!DisableOneSettingsDownloads
    Supported on: At least Windows Server 2016, Windows 10 Version 1909

25. Enable OneSettings Auditing
    ADMX: DataCollection.admx (Machine)   Path: Windows Components\Data Collection and Preview Builds
    Registry: HKLM\Software\Policies\Microsoft\Windows\DataCollection!EnableOneSettingsAuditing
    Supported on: At least Windows Server 2016, Windows 10 Version 1909

26. Limit Diagnostic Log Collection
    ADMX: DataCollection.admx (Machine)   Path: Windows Components\Data Collection and Preview Builds
    Registry: HKLM\Software\Policies\Microsoft\Windows\DataCollection!LimitDiagnosticLogCollection
    Supported on: At least Windows Server 2016, Windows 10 Version 1909

27. Limit Dump Collection
    ADMX: DataCollection.admx (Machine)   Path: Windows Components\Data Collection and Preview Builds
    Registry: HKLM\Software\Policies\Microsoft\Windows\DataCollection!LimitDumpCollection
    Supported on: At least Windows Server 2016, Windows 10 Version 1909

28. Force Instant Lock
    ADMX: Sensors.admx (Machine)   Path: Windows Components\Human Presence
    Registry: HKLM\Software\Policies\Microsoft\HumanPresence!ForceInstantLock; HKLM\Software\Policies\Microsoft\HumanPresence!Fo (second value truncated in source)
    Supported on: At least Windows 10

29. Force Instant Wake
    ADMX: Sensors.admx (Machine)   Path: Windows Components\Human Presence
    Registry: HKLM\Software\Policies\Microsoft\HumanPresence!ForceInstantWake; HKLM\Software\Policies\Microsoft\HumanPresence! (second value truncated in source)
    Supported on: At least Windows 10

30. Lock Timeout
    ADMX: Sensors.admx (Machine)   Path: Windows Components\Human Presence
    Registry: HKLM\Software\Policies\Microsoft\HumanPresence!ForceLockTimeout
    Supported on: At least Windows 10

31. Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC.
    ADMX: inetres.admx (Machine)   Path: Windows Components\Internet Explorer
    Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Main!JScriptReplacement
    Supported on: At least Internet Explorer 11.0

32. Configure scheduled task times randomization window
    ADMX: WindowsDefender.admx (Machine)   Path: Windows Components\Microsoft Defender Antivirus
    Registry: HKLM\Software\Policies\Microsoft\Windows Defender!SchedulerRandomizationTime; HKLM\Software\Policies\Microsoft\Wi (second value truncated in source)
    Supported on: At least Windows Server 2012, Windows 8 or Windows RT

33. Define the directory path to copy support log files
    ADMX: WindowsDefender.admx (Machine)   Path: Windows Components\Microsoft Defender Antivirus
    Registry: HKLM\Software\Policies\Microsoft\Windows Defender!SupportLogLocation
    Supported on: At least Windows Server 2016, Windows 10 Version 1607

34. Define device control policy groups
    ADMX: WindowsDefender.admx (Machine)   Path: Windows Components\Microsoft Defender Antivirus\Device Control
    Registry: HKLM\Software\Policies\Microsoft\Windows Defender\Device Control\Policy Groups!PolicyGroups
    Supported on: Unknown

35. Define device control policy rules
    ADMX: WindowsDefender.admx (Machine)   Path: Windows Components\Microsoft Defender Antivirus\Device Control
    Registry: HKLM\Software\Policies\Microsoft\Windows Defender\Device Control\Policy Rules!PolicyRules
    Supported on: Unknown

36. Ip Address Exclusions
    ADMX: WindowsDefender.admx (Machine)   Path: Windows Components\Microsoft Defender Antivirus\Exclusions
    Registry: HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions!Exclusions_IpAddresses; HKLM\Software\Policies\Microsoft (second value truncated in source)
    Supported on: At least Windows Server 2016, Windows 10 Version 1709

37. This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server.
    ADMX: WindowsDefender.admx (Machine)   Path: Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection
    Registry: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection!AllowNetworkP (truncated in source)
    Supported on: At least Windows Server 2016, Windows 10 Version 1709

38. This setting controls datagram processing for network protection.
    ADMX: WindowsDefender.admx (Machine)   Path: Windows Components\Microsoft Defender Antivirus\Network Inspection System
    Registry: HKLM\Software\Policies\Microsoft\Windows Defender\NIS!DisableDatagramProcessing
    Supported on: At least Windows Server 2016, Windows 10 Version 1709

39. Turn on script scanning
    ADMX: WindowsDefender.admx (Machine)   Path: Windows Components\Microsoft Defender Antivirus\Real-time Protection
    Registry: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableScriptScanning
    Supported on: At least Windows Server 2012, Windows 8 or Windows RT

40. Allows Microsoft Defender Antivirus to update and communicate over a metered connection.
    ADMX: WindowsDefender.admx (Machine)   Path: Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates
    Registry: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!MeteredConnectionUpdates
    Supported on: At least Windows Server 2012, Windows 8 or Windows RT

41. Allow UI Automation redirection
    ADMX: TerminalServer.admx (Machine)   Path: Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection
    Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!EnableUiaRedirection
    Supported on: Unknown

42. Do not allow location redirection
    ADMX: TerminalServer.admx (Machine)   Path: Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection
    Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableLocationRedir
    Supported on: Unknown

43. Cloud Policy Details
    ADMX: TenantRestrictions.admx (Machine)   Path: Windows Components\Tenant Restrictions
    Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload!cloudid; HKLM\SOFTWARE\Policies\Microsoft\Wi (second value truncated in source)
    Supported on: At least Windows 10 Version 1909

44. Allow widgets
    ADMX: NewsAndInterests.admx (Machine)   Path: Windows Components\Widgets
    Registry: HKLM\SOFTWARE\Policies\Microsoft\Dsh!AllowNewsAndInterests
    Supported on: At least Windows 10

45. Use cloud trust for on-premises authentication
    ADMX: Passport.admx (Machine)   Path: Windows Components\Windows Hello for Business
    Registry: HKLM\SOFTWARE\Policies\Microsoft\PassportForWork!UseCloudTrustForOnPremAuth
    Supported on: At least Windows 10

46. Allow audio input in Windows Sandbox
    ADMX: WindowsSandbox.admx (Machine)   Path: Windows Components\Windows Sandbox
    Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowAudioInput
    Supported on: Unknown

47. Allow clipboard sharing with Windows Sandbox
    ADMX: WindowsSandbox.admx (Machine)   Path: Windows Components\Windows Sandbox
    Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowClipboardRedirection
    Supported on: Unknown

48. Allow networking in Windows Sandbox
    ADMX: WindowsSandbox.admx (Machine)   Path: Windows Components\Windows Sandbox
    Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowNetworking
    Supported on: Unknown

49. Allow printer sharing with Windows Sandbox
    ADMX: WindowsSandbox.admx (Machine)   Path: Windows Components\Windows Sandbox
    Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowPrinterRedirection
    Supported on: Unknown

50. Allow vGPU sharing for Windows Sandbox
    ADMX: WindowsSandbox.admx (Machine)   Path: Windows Components\Windows Sandbox
    Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowVGPU
    Supported on: Unknown

51. Allow video input in Windows Sandbox
    ADMX: WindowsSandbox.admx (Machine)   Path: Windows Components\Windows Sandbox
    Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowVideoInput
    Supported on: Unknown

52. Specify source service for specific classes of Windows Updates
    ADMX: WindowsUpdate.admx (Machine)   Path: Windows Components\Windows Update\Manage updates offered from Windows Server Update Service
    Registry: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!UseUpdateClassPolicySource; HKLM\Software\Policies\Mic (second value truncated in source)
    Supported on: At least Windows Server 2016, Windows 10 Version 2106

53. Enable auto-subscription
    ADMX: TerminalServer.admx (User)   Path: AutoSubscription
    Registry: HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AutoSubscription
    Supported on: At least Windows Server 2016, Windows 10

54. Enable Device Control Printing Restrictions
    ADMX: Printing.admx (User)   Path: Control Panel\Printers
    Registry: HKCU\Software\Policies\Microsoft\Windows NT\Printers!EnableDeviceControl
    Supported on: At least Windows Server 2016, Windows 10

55. List of Approved USB-connected print devices
    ADMX: Printing.admx (User)   Path: Control Panel\Printers
    Registry: HKCU\Software\Policies\Microsoft\Windows NT\Printers!ApprovedUsbPrintDevices
    Supported on: At least Windows Server 2016, Windows 10

56. Restrict Language Pack and Language Feature Installation
    ADMX: Globalization.admx (User)   Path: Control Panel\Regional and Language Options
    Registry: HKCU\Software\Policies\Microsoft\Control Panel\International!RestrictLanguagePacksAndFeaturesInstall
    Supported on: At least Windows Server 2016, Windows 10

57. Show or hide "Most used" list from Start menu
    ADMX: StartMenu.admx (User)   Path: Start Menu and Taskbar
    Registry: HKCU\Software\Policies\Microsoft\Windows\Explorer!ShowOrHideMostUsedApps
    Supported on: At least Windows Server 2016, Windows 10 Version 2106

58. Turn off Spotlight collection on Desktop
    ADMX: CloudContent.admx (User)   Path: Windows Components\Cloud Content
    Registry: HKCU\Software\Policies\Microsoft\Windows\CloudContent!DisableSpotlightCollectionOnDesktop
    Supported on: At least Windows 10

59. Configure Korean IME version
    ADMX: EAIME.admx (User)   Path: Windows Components\IME
    Registry: HKCU\Software\Policies\Microsoft\InputMethod\Settings\KOR!ConfigureImeVersion
    Supported on: Unknown

60. Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC.
    ADMX: inetres.admx (User)   Path: Windows Components\Internet Explorer
    Registry: HKCU\Software\Policies\Microsoft\Internet Explorer\Main!JScriptReplacement
    Supported on: At least Internet Explorer 11.0
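Because every setting above is backed by a registry value, a fleet baseline for the security-relevant ones can be checked without the Group Policy editor. The script below is an added example written for this page, not part of the original spreadsheet or of any Microsoft tooling. The key and value names are taken from the entries above; the "expected" values are this example's own hardening assumptions (for instance that DoHPolicy 3 means Require DoH, and that DisableScriptScanning 0 keeps script scanning on), so confirm them against the template text before using the output as evidence. Entries whose value name is truncated in the source (cloud Kerberos, network protection on Windows Server) are deliberately left out rather than guessed.

```powershell
# Added example: audit registry-backed Windows 11 policy settings against a baseline.
# Run in an elevated PowerShell 5.1 or 7 session on the machine being checked.
# Key/value names come from the settings list above; Expected values are assumptions.

$checks = @(
    @{ Name = 'Print driver installation limited to Administrators'
       Key = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
       Value = 'RestrictDriverInstallationToAdministrators'; Expected = 1 },
    @{ Name = 'DNS over HTTPS policy (assumed: 3 = Require DoH)'
       Key = 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient'
       Value = 'DoHPolicy'; Expected = 3 },
    @{ Name = 'Device Control Printing Restrictions enforced'
       Key = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers'
       Value = 'EnableDeviceControl'; Expected = 1 },
    @{ Name = 'Defender script scanning on (assumed: 0 = not disabled)'
       Key = 'HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection'
       Value = 'DisableScriptScanning'; Expected = 0 },
    @{ Name = 'Windows Sandbox networking off'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Sandbox'
       Value = 'AllowNetworking'; Expected = 0 },
    @{ Name = 'Windows Sandbox clipboard sharing off'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Sandbox'
       Value = 'AllowClipboardRedirection'; Expected = 0 },
    @{ Name = 'Windows Sandbox vGPU off'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Sandbox'
       Value = 'AllowVGPU'; Expected = 0 },
    @{ Name = 'RDS location redirection disabled'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Value = 'fDisableLocationRedir'; Expected = 1 }
)

function Get-PolicyValue {
    param([string]$Key, [string]$Value)
    # Policy keys do not exist until a GPO or MDM profile writes them, so a missing
    # key or value is reported as $null ("Not configured"), not as an error.
    $item = Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Value
}

function Test-PolicyBaseline {
    param([array]$Checks)
    foreach ($c in $Checks) {
        $actual = Get-PolicyValue -Key $c.Key -Value $c.Value
        $state = if ($null -eq $actual) { 'NotConfigured' }
                 elseif ($actual -eq $c.Expected) { 'Compliant' }
                 else { 'Drift' }
        [pscustomobject]@{
            Setting  = $c.Name
            Registry = "$($c.Key)!$($c.Value)"
            Expected = $c.Expected
            Actual   = $actual
            State    = $state
        }
    }
}

# Usage: list everything, then only the rows that need attention.
$result = Test-PolicyBaseline -Checks $checks
$result | Format-Table -AutoSize -Wrap
$result | Where-Object State -ne 'Compliant' | Format-Table Setting, State -AutoSize
```

"NotConfigured" is reported separately from "Drift" on purpose: for most of these settings the template's default applies when the value is absent, and whether that default is acceptable (Sandbox networking and clipboard sharing default to enabled, for example) is a decision the baseline owner has to make explicitly rather than have the script make for them.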
Descriptions

Explanatory text from the templates, as captured. The capture cut most descriptions into overlapping fragments; they are rejoined here and "[…]" marks text that is missing from the source. Settings that share text in the source are listed together.

 1. Prevent lock screen background motion: This policy setting controls whether the lock screen image is static or has a subtle panning effect driven by the device's accelerometer. […] has an accelerometer) the user will see the lock screen background pan around a still image as they physically move their device.

 2. Restrict Language Pack and Language Feature Installation (Machine): This policy setting restricts all users from installing language packs and language features on demand packages. This policy […]ers." If you enable this policy setting the installation of language packs and language features is prevented for all users. If you disable or do not configure this policy setting there is no language packs or feature installation restriction for any user.

 3. Limits print driver installation to Administrators: Determines whether users that aren't Administrator can install print drivers on this computer. By default users that aren't Adm[…]ter. If you disable this setting the system will not limit installation of print drivers to this computer. Additional Information: https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7 for additional information.

 4. Configure DNS over HTTPS (DoH) name resolution: Specifies if the DNS client will perform name resolution over DNS over HTTPS (DoH). By default the DNS client will do classic DN[…] one of the following options from the drop-down list: Prohibit DoH: No DoH name resolution will be performed. Allow DoH: Perform DoH queries if the configured DNS servers support it. If they don't support it try classic name resolution. Require DoH: Allow only DoH name resolution. If there are no DoH capable DNS servers configured name resolution w[…]

 5. Enable Device Control Printing Restrictions (Machine and User): Determines whether Device Control Printing Restrictions are enforced for printing on this computer. By default ther[…]porate network or approved USB-connected printers. If you disable this setting or do not configure it there are no restrictions to printing based on connection type or printer Make/Model.

 6. List of Approved USB-connected print devices (Machine and User): This setting is a component of the Device Control Printing Restrictions. To use this setting enable Device Control Printing […]e if the current USB connected printer is approved for local printing. Type all the approved vid/pid combinations (separated by commas) that correspond to approved USB printer models. When a user tries to print to a USB printer queue the device vid/pid will be compared to the approved list.

 7. Show or hide "Most used" list from Start menu (Machine and User): If you enable this policy setting you can configure Start menu to show or hide the list of user's most used apps regardless of us[…]e hidden and user cannot change to show it using the Settings app. Selecting "Not Configured" or if you disable or do not configure this policy setting all will allow users to turn on or off the display of "Most used" list using the Settings app. This is default behavior. Note: configuring this policy to "Show" or "Hide" on supported versions of Windows 10 will s[…]

 8. Enables group policy for the WNS FQDN: This policy sets a special WNS FQDN for specific environments.

 9. Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria: This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one […] more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows: Device instance IDs > Device IDs > Device setup class > Removable devices. Device instance IDs: 1. Prevent installation of devices using drivers that match these device instance IDs 2. Allow in[…]

10. Enable NTFS non-paged pool usage: By default NTFS allocates memory from both pageable and non-pageable memory as needed. Enabling this setting tells NTFS […]tack usage at the cost of additional memory consumption. A reboot is required for this setting to take effect.

11. NTFS default tier: For NTFS tiered volumes this controls the tier that new allocations go to by default. Client systems default to the Performance […]

12./13. NTFS parallel flush threshold / NTFS parallel flush worker threads (the source captures one continuation for the pair): When flushing modified file data from memory NTFS chooses to use one or more threads based on how many files are current[…]pact on other concurrent IO operations. Values with special meaning: 0: Use the system calculated default 1: Disable parallel flush. The default value and limit for this setting varies based on the number of available processors on a given system: - Default value calculation is: (([NumProcessors]/2) + 1) - Default max value calculation is: ([NumProcesso[…]

14. Allow retrieving the cloud kerberos ticket during the logon: This policy setting allows retrieving the cloud kerberos ticket during the logon. If you disable or do not configure this policy setti[…]

15. Use lowercase DNS host names when registering domain controller SRV records: This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host nam[…]de to delete any previously registered SRV records that contain mixed-case DNS host names. For more information and potential manual cleanup procedures see the link below. If disabled domain controllers will use their configured DNS host name as-is when registering domain controller SRV records. If not configured domain controllers will default to u[…]

16. Configure validation of ROCA-vulnerable WHfB keys during authentication: This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vu[…] CVE-2017-15361 https://en.wikipedia.org/wiki/ROCA_vulnerability If you enable this policy setting the following options are supported: Ignore: during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability. Audit: during authentication the domain controller will emit audit events for WHfB keys that are subject to the[…]

17. Archive infrequently used apps: This policy setting controls whether the system can archive infrequently used apps. If you enable this policy setting then the sy[…]ng (default) then the system will follow default behavior which is to periodically check for and archive infrequently used apps and the user will be able to configure this setting themselves.

18. Not allow sideloaded apps to auto-update in the background: Manages a sideloaded apps' ability to auto-update in the background. If you enable this policy sideloaded apps will not au[…]

19. Not allow sideloaded apps to auto-update in the background on a metered network: Manages a sideloaded apps' ability to auto-update in the background on a metered network. If you enable this policy side[…]
    (One further fragment is captured for the sideloading pair: Default is 'disabled' (key not present).)

20. Let Windows apps take screenshots of various windows or displays: This policy setting specifies whether Windows apps can take screenshots of various windows or displays. You can specify eithe[…]werShell cmdlet. A per-app setting overrides the default setting. If you choose the "User is in control" option employees in your organization can decide whether Windows apps can take screenshots of various windows or displays by using Settings > Privacy on the device. If you choose the "Force Allow" option Windows apps are allowed to take screensho[…]

21. Let Windows apps turn off the screenshot border: This policy setting specifies whether Windows apps can turn off the screenshot border. You can specify either a default setting […] A per-app setting overrides the default setting. If you choose the "User is in control" option employees in your organization can decide whether Windows apps can turn off the screenshot border by using Settings > Privacy on the device. If you choose the "Force Allow" option Windows apps are allowed to turn off the screenshot border and employees in y[…]

22. Configures the Chat icon on the taskbar: This policy setting allows you to configure the Chat icon on the taskbar. If you enable this policy setting and set it to Show the C[…]sers can show or hide it in Settings. If you enable this policy setting and set it to Disabled the Chat icon will not be displayed and users cannot show or hide it in Settings. If you disable or do not configure this policy setting the Chat icon will be configured according to the defaults for your Windows edition.

23. Turn off cloud consumer account state content: This policy setting lets you turn off cloud consumer account state content in all Windows experiences. If you enable this […]nfigure this policy Windows experiences will be able to use cloud consumer account state content.

24. Disable OneSettings Downloads: This policy setting controls whether Windows attempts to connect with the OneSettings service. If you enable this policy Windo[…]ervice to download configuration settings.

25. Enable OneSettings Auditing: This policy setting controls whether Windows records attempts to connect with the OneSettings service to the EventLog. If you […]r don't configure this policy setting Windows will not record attempts to connect with the OneSettings service to the EventLog.

26. Limit Diagnostic Log Collection: This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot […]e collected. If you disable or do not configure this policy setting we may occasionally collect diagnostic logs if the device has been configured to send optional diagnostic data.

27. Limit Dump Collection: This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem […]ps and user mode triage dumps. If you disable or do not configure this policy setting we may occasionally collect full or heap dumps if the user has opted to send optional diagnostic data.

28. Force Instant Lock: Determines whether Lock on Leave is forced on/off by the MDM policy. The user will not be able to change this setting and the […]

29. Force Instant Wake: Determines whether Wake On Arrival is forced on/off by the MDM policy. The user will not be able to change this setting and […]

30. Lock Timeout: Determines the timeout for Lock on Leave forced by the MDM policy. The user will be unable to change this setting and the to[…]

31. Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC (Machine and User): This policy setting specifies whether JScript or JScript9Legacy is loaded for MSHTML/WebOC based invocations. If you enab[…]

32. Configure scheduled task times randomization window: This policy setting allows you to configure scheduled scan start time and the scheduled security intelligence update start time […]le this setting you must pick a randomization window in hours. The possible randomization window interval is between 1 and 23 hours.

33. Define the directory path to copy support log files: This policy setting allows you to configure the directory path where the support log files would be copied to. The value of this […]his setting the support logs files will not be copied to any location.

34. Define device control policy groups: Please follow the device control policy groups xml schema to fill out the policy groups data.

35. Define device control policy rules: Please follow the device control policy rules xml schema to fill out the policy rules data.

36. Ip Address Exclusions: Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses.

37. This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server: Disabled (Default): If Not Configured or Disabled network protection is not allowed to be configured into block or audit m[…] Note that this configuration is dependent on the EnableNetworkProtection configuration. If this configuration is false EnableNetworkProtection will be ignored otherwise network protection will start on Windows Server depending on the value of EnableNetworkProtection.

38. This setting controls datagram processing for network protection: the source carries the same description text as entry 37 for this setting.

39. Turn on script scanning: This policy setting allows you to configure script scanning. If you enable or do not configure this setting script scanning will b[…]

40. Allows Microsoft Defender Antivirus to update and communicate over a metered connection: Disabled (Default): Updates and communications are not allowed over metered connections. Enabled: Allow managed […]

41. Allow UI Automation redirection: This policy setting determines whether User Interface (UI) Automation client applications running on the local computer can a[…] interact with the UI in order to work properly. UI information also allows automated test scripts to interact with the UI. Remote Desktop sessions don't currently support UI Automation redirection. If you enable or don't configure this policy setting any UI Automation clients on your local computer can interact with remote apps. For example you can use […]

42. Do not allow location redirection: This policy setting lets you control the redirection of location data to the remote computer in a Remote Desktop Services sessi[…]sable or do not configure this policy setting users can redirect their location data to the remote computer.

43. Cloud Policy Details: This setting enables and configures the device-based tenant restrictions feature for Azure Active Directory. When you enable t[…]nt is required and additional security measures for managed devices are recommended for best protection. Refer to Azure AD Tenant Restrictions for more details. https://go.microsoft.com/fwlink/?linkid=2148762 Before enabling firewall protection ensure that a Windows Defender Application Control (WDAC) policy that correctly tags applications has b[…]

44. Allow widgets: This policy specifies whether the widgets feature is allowed on the device. Widgets will be turned on by default unless you cha[…]

45. Use cloud trust for on-premises authentication: Use this policy setting to configure Windows Hello for Business to use Azure AD Kerberos for on-premises authentication. If you […]gure this policy setting Windows Hello for Business will use a key or certificate (depending on other policy settings) for on-premises authentication. NOTE: An environment that enables both this policy setting and the "Use Windows Hello for Busin[…]

46. Allow audio input in Windows Sandbox: This policy setting enables or disables audio input to the Sandbox. If you enable this policy setting Windows Sandbox will be ab[…]o input from the user. Applications using a microphone may not function properly with this setting. If you do not configure this policy setting audio input will be enabled. Note that there may be security implications of exposing host audio input to t[…]

47. Allow clipboard sharing with Windows Sandbox: This policy setting enables or disables clipboard sharing with the sandbox. If you enable this policy setting copy and paste betw[…] clipboard sharing will be enabled.

48. Allow networking in Windows Sandbox: This policy setting enables or disables networking in the sandbox. You can disable network access to decrease the attack surfa[…]u disable this policy setting networking is disabled in Windows Sandbox. If you do not configure this policy setting networking will be enabled. Note that enabling networking can expose untrusted applications to the internal network.

49. Allow printer sharing with Windows Sandbox: This policy setting enables or disables printer sharing from the host into the Sandbox. If you enable this policy setting host prin[…]g printer redirection will be disabled.

50. Allow vGPU sharing for Windows Sandbox: This policy setting is to enable or disable the virtualized GPU. If you enable this policy setting vGPU will be supported in the Wi[…]GPU will be enabled. Note that enabling virtualized GPU can potentially increase the attack surface of the sandbox.

51. Allow video input in Windows Sandbox: This policy setting enables or disables video input to the Sandbox. If you enable this policy setting video input is enabled in Win[…]o not configure this policy setting video input will be disabled. Applications that use video input may not function properly in Windows Sandbox. Note that there may be security implications of exposing host video input to the container.

52. Specify source service for specific classes of Windows Updates: When this policy is enabled devices will receive Windows updates for the classes listed from the specified update source: eithe[…] Microsoft update service location via the "Specify intranet Microsoft update service location" policy. If this policy is not configured or is disabled the device will continue to detect updates per your other policy configurations. Note: If you a[…]

53. Enable auto-subscription: Controls the list of URLs that the user should be auto-subscribed to.

54./55. Enable Device Control Printing Restrictions / List of Approved USB-connected print devices (User): same text as entries 5 and 6.

56. Restrict Language Pack and Language Feature Installation (User): This policy setting restricts the user from installing language packs and language features on demand. This policy does not […]er." If you enable this policy setting the installation of language packs and language features is prevented for the user. If you disable or do not configure this policy setting there is no language packs or language features installation restric[…]

57. Show or hide "Most used" list from Start menu (User): same text as entry 7.

58. Turn off Spotlight collection on Desktop: This policy setting removes the Spotlight collection setting in Personalization rendering the user unable to select and subseque[…]o not configure this policy "Spotlight collection" will appear as an option in Personalization settings allowing the user to select "Spotlight collection" as the Desktop provider and display daily images from Microsoft on the desktop.

59. Configure Korean IME version: This policy setting controls the version of Microsoft IME. If you don't configure this policy setting user can control IME version t[…]sable this user is not allowed to control IME version to use. The new Microsoft IME is always selected. This Policy setting applies only to Microsoft Korean IME. Note: Changes to this setting will not take effect until the user logs off.

60. Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC (User): same text as entry 31.
"Use Windows Hello for Business" policy setting requires one or more Windows Server 2016 domain controllers. Otherwise Windows Hel
exposing host audio input to the container.

nternal network.

ut to the container.
figurations. Note: If you are using “Do not allow deferral policies to cause scans against Windows Update” currently to ensure devices

int to a USB printer queue the device vid/pid will be compared to the approved list.
age features installation restriction for the user.
sing the Settings app. This is default behavior.Note: configuring this policy to "Show" or "Hide" on supported versions of Windows 10 will s
the desktop.
user logs off.
ormation.
configured name resolution will fail.If you disable this policy setting or if you do not configure this policy setting computers will use locally

versions of Windows 10 will supercede any policy setting of "Remove frequent programs list from the Start Menu" (which manages same

e device instance IDs2. Allow installation of devices using drivers that match these device instance IDsDevice IDs3. Prevent installation of d

e calculation is: ([NumProcessors]*2)

in controllers will default to using their local configuration.The default local configuration is enabled.A reboot is not required for changes
fB keys that are subject to the ROCA vulnerability (authentications will still succeed).Block: during authentication the domain controller w

are allowed to take screenshots of various windows or displays and employees in your organization cannot change it.If you choose the "Fo
hot border and employees in your organization cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to t

pps. For example you can use your local computer's Narrator and Magnifier clients to interact with UI on a web page you opened in a rem

orrectly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding WDAC policy will pre
llers. Otherwise Windows Hello for Business authentication will fail.

te” currently to ensure devices only scan against your specified server we recommend configuring this policy instead or in addition to such

versions of Windows 10 will supercede any policy setting of "Remove frequent programs list from the Start Menu" (which manages same
tting computers will use locally configured settings.

Menu" (which manages same part of Start menu but with fewer options).

IDs3. Prevent installation of devices using drivers that match these device IDs4. Allow installation of devices using drivers that match thes

ot is not required for changes to this setting to take effect.More information is available at https://aka.ms/lowercasehostnamesrvrecord
ation the domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail).This settin

change it.If you choose the "Force Deny" option Windows apps are not allowed to take screenshots of various windows or displays and em
dows apps are not allowed to turn off the screenshot border and employees in your organization cannot change it.If you disable or do not

web page you opened in a remote session.If you disable this policy setting UI Automation clients running on your local computer can't inte

sponding WDAC policy will prevent all applications from reaching Microsoft endpoints. This firewall setting is not supported on all versions
instead or in addition to such.

Menu" (which manages same part of Start menu but with fewer options).
s using drivers that match these device IDsDevice setup class5. Prevent installation of devices using drivers that match these device setup

wercasehostnamesrvrecord
entications will fail).This setting only takes effect on domain controllers.If not configured domain controllers will default to using their loca

us windows or displays and employees in your organization cannot change it.If you disable or do not configure this policy setting employee
nge it.If you disable or do not configure this policy setting employees in your organization can decide whether Windows apps can turn off

your local computer can't interact with remote apps.

s not supported on all versions of Windows - see the following link for more information. For details about setting up WDAC with tenant re
hat match these device setup classes6. Allow installation of devices using drivers that match these device setup classesRemovable devices

will default to using their local configuration. The default local configuration is Audit.A reboot is not required for changes to this setting to

re this policy setting employees in your organization can decide whether Windows apps can take screenshots of various windows or displa
er Windows apps can turn off the screenshot border by using Settings > Privacy on the device.If an app is open when this Group Policy obje

etting up WDAC with tenant restrictions see https://go.microsoft.com/fwlink/?linkid=2155230


tup classesRemovable devices7. Prevent installation of removable devicesNOTE: This policy setting provides more granular control than th

d for changes to this setting to take effect.Note: to avoid unexpected disruptions this setting should not be set to Block until appropriate m

s of various windows or displays by using Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a d
en when this Group Policy object is applied on a device employees must restart the app or device for the policy changes to be applied to th
more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting po

et to Block until appropriate mitigations have been performed for example patching of vulnerable TPMs.More information is available at h

Policy object is applied on a device employees must restart the app or device for the policy changes to be applied to the app.
icy changes to be applied to the app.
y setting. If these conflicting policy settings are enabled at the same time the "Apply layered order of evaluation for Allow and Prevent dev

re information is available at https://go.microsoft.com/fwlink/?linkid=2116430.

pplied to the app.


tion for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy se
nabled and the other policy setting will be ignored.If you disable or do not configure this policy setting the default evaluation is used. By de
efault evaluation is used. By default all "Prevent installation..." policy settings have precedence over any other policy setting that allows W
er policy setting that allows Windows to install a device.
