Matrix42 Self-Service Help Center

Tags Guide Part IV: Windows 10, Windows 10 Mobile

Profile

Profiles for each device type are managed independently, allowing separate configuration and management for each device type. When a device is provisioned, it receives the profile configuration in effect at the time it was enrolled. When a profile is changed, the new configuration is applied to newly enrolled devices as well as to devices that are currently managed and/or blocked. Whenever a profile is changed, verify that the settings are correct, as they are applied immediately to all applicable devices. Click the Save or Save & Close button at the bottom right of the screen to commit your changes before selecting another page.

Exchange Active Sync

Columns: Setting / Windows 10 / Windows 10 Mobile / Description

Exchange ActiveSync Settings
  Windows 10 / Windows 10 Mobile: Enabled or Disabled
  Description: Enables the profile.

Label
  Windows 10: e.g. Imagoverum Exchange or e.g. {firstname}
  Windows 10 Mobile: e.g. Imagoverum Exchange
  Description: The label for the email account as it appears on the device.

Server Name
  Windows 10 / Windows 10 Mobile: e.g. outlook.office365.com
  Description: External Exchange ActiveSync address.

Domain
  Windows 10 / Windows 10 Mobile: e.g. Imagoverum
  Description: Internal domain suffix for the Exchange server.

Sync Interval
  Windows 10 / Windows 10 Mobile: Sync on received, Manual, 15 minutes, 30 minutes, 60 Minutes
  Description: E-mail synchronization interval.

Past Days of Mail to Sync
  Options: Unlimited, Three days, One Week, Two Weeks, One Month
  Description: Period of mail to synchronize to the device.

Use SSL
  Windows 10 / Windows 10 Mobile: Enabled or Disabled
  Description: If the URL of the external mail server is protected by an SSL certificate, enable SSL.

Use Custom Username Variable
  Windows 10 / Windows 10 Mobile: e.g. {CustLdapVar0} or support@imagoverum.com
  Description: Defines a custom variable attribute for the username of the EAS profile.

Use Custom Email Variable
  Windows 10 / Windows 10 Mobile: e.g. {CustLdapVar0} or tim.tober@imagoverum.com
  Description: Defines a custom variable attribute for the email address of the EAS profile.

Use Custom Password Variable
  Windows 10 / Windows 10 Mobile: e.g. {UserPassword} or Pa$$w0rd
  Description: Defines a custom variable attribute for the email password of the EAS profile.

Email

Columns: Setting / Windows 10 / Windows 10 Mobile / Description

None of the settings in this table are available on Windows 10; the values below apply to Windows 10 Mobile.

Email Settings
  Windows 10 Mobile: Enabled or Disabled
  Description: Enables the email settings.

Email Address
  Windows 10 Mobile: e.g. {UserEmail} or support@imagoverum.com
  Description: Defines the email address of the account.

User Display Name
  Windows 10 Mobile: e.g. {UserName} or Tim Tober
  Description: Defines the display name of the user for this email account.

Account Description
  Windows 10 Mobile: e.g. Imagoverum Mail
  Description: Defines the friendly name of this email account.

Account Type
  Windows 10 Mobile: IMAP or POP
  Description: Toggles between the IMAP and POP account types.

Domain
  Windows 10 Mobile: e.g. Imagoverum
  Description: The internal domain suffix for the mail server.

Auth Name
  Windows 10 Mobile: e.g. Username
  Description: Username used when authenticating.

Auth Password
  Windows 10 Mobile: Enable Embed User Password, or e.g. Pa$$w0rd
  Description: Password used when authenticating.

Mail Sync Days
  Windows 10 Mobile: Unlimited, One Week, Two Weeks, One Month
  Description: How far back mail is synchronized.

Sync Interval
  Windows 10 Mobile: Manual, 15 Minutes, 30 Minutes, 1 hour, 2 hours
  Description: How often the device checks for new mail items.

Incoming Mail

Incoming Mail Server
  Windows 10 Mobile: e.g. imap-mail.outlook.com or pop-mail.outlook.com
  Description: Server settings for the incoming mail server.

Use SSL
  Windows 10 Mobile: Enabled or Disabled
  Description: Enables the use of SSL.

Outgoing Mail

Outgoing Mail Server
  Windows 10 Mobile: e.g. imap-mail.outlook.com or pop-mail.outlook.com
  Description: Server settings for the outgoing mail server.

Requires Authentication
  Windows 10 Mobile: Enabled or Disabled
  Description: Enable when the outgoing server requires authentication.

Use SSL
  Windows 10 Mobile: Enabled or Disabled
  Description: Enables the use of SSL.

Alternative SMTP Settings

Enable Alternative SMTP
  Windows 10 Mobile: Enabled or Disabled
  Description: Enables the alternative SMTP settings.

Domain
  Windows 10 Mobile: e.g. Imagoverum
  Description: The internal domain suffix for the mail server.

Auth Name
  Windows 10 Mobile: e.g. Username
  Description: Username used when authenticating.

Password
  Windows 10 Mobile: Enable Embed User Password, or e.g. Pa$$w0rd
  Description: Password used when authenticating.
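The Exchange ActiveSync and Email settings above accept either a literal value (support@imagoverum.com) or a variable in braces ({UserEmail}, {CustLdapVar0}, {UserPassword}) that is filled in per user. The following Python script is an added example, not Matrix42 code: it resolves such a profile against one user record, reports variables that cannot be resolved, checks the Sync Interval against the values the EAS table offers, flags a literal password in the per-user password field (the profile is pushed to every applicable device, so a literal there is the same password on every device), and warns when Use SSL is not enabled. The profile dictionary, the user record fields, the allowed-interval set and the function names are assumptions made for this example.

```python
"""Profile-variable resolver for the Exchange ActiveSync and Email settings.
Added example, not Matrix42 code: the profile dict, the user record fields
(UserName, UserEmail, CustLdapVar0, UserPassword), EAS_SYNC_INTERVALS and the
function names are assumptions based on the placeholders the tables show."""
import re
from typing import Dict, List, Tuple

VARIABLE = re.compile(r"\{([A-Za-z0-9_]+)\}")

# Sync Interval values offered by the Exchange ActiveSync table.
EAS_SYNC_INTERVALS = {"Sync on received", "Manual", "15 minutes", "30 minutes", "60 Minutes"}

# Fields that hold a per-user secret; the table offers {UserPassword} for them.
SECRET_FIELDS = ("Use Custom Password Variable",)


def resolve(template: str, user: Dict[str, str]) -> Tuple[str, List[str]]:
    """Replace every {Name} in template with user[Name]; unknown names are
    left in place and reported so nothing reaches a device half-resolved."""
    missing: List[str] = []

    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name in user:
            return user[name]
        missing.append(name)
        return match.group(0)

    return VARIABLE.sub(substitute, template), missing


def render_profile(profile: Dict[str, str],
                   user: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Render the profile for one user and collect the problems an administrator
    should fix before the profile is saved and pushed to every device."""
    rendered: Dict[str, str] = {}
    problems: List[str] = []
    for field, template in profile.items():
        value, missing = resolve(template, user)
        problems.extend(f"{field}: unresolved variable {{{name}}}" for name in missing)
        rendered[field] = value
    interval = profile.get("Sync Interval")
    if interval is not None and interval not in EAS_SYNC_INTERVALS:
        problems.append(f"Sync Interval: {interval!r} is not one of the offered values")
    for field in SECRET_FIELDS:
        # A literal here means one shared password on every enrolled device.
        if field in profile and not VARIABLE.search(profile[field]):
            problems.append(f"{field}: literal value instead of a per-user variable")
    if profile.get("Use SSL") != "Enabled":
        problems.append("Use SSL: not enabled; the connection to the mail server is not protected by SSL/TLS")
    return rendered, problems


# Constructed sample user record and profile (not real data).
SAMPLE_USER = {
    "UserName": "Tim Tober",
    "UserEmail": "tim.tober@imagoverum.com",
    "CustLdapVar0": "IMAGOVERUM\\ttober",
    "UserPassword": "example-only-secret",
}
SAMPLE_PROFILE = {
    "Label": "Imagoverum Exchange",
    "Server Name": "outlook.office365.com",
    "Domain": "Imagoverum",
    "Sync Interval": "15 minutes",
    "Use SSL": "Enabled",
    "Use Custom Username Variable": "{CustLdapVar0}",
    "Use Custom Email Variable": "{UserEmail}",
    "Use Custom Password Variable": "{UserPassword}",
}

if __name__ == "__main__":
    rendered, problems = render_profile(SAMPLE_PROFILE, SAMPLE_USER)
    for field, value in rendered.items():
        print(f"{field}: {value}")
    print("problems:", problems or "none")
```

Unresolved placeholders are deliberately left in the rendered value rather than replaced with an empty string, so a misspelled variable name such as {CustLdapVar9} is visible in the output instead of silently producing an account with no email address.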

Passcode

Columns: Setting / Windows 10 Mobile / Windows 10 / Description

Passcode Settings
  Windows 10 Mobile / Windows 10: Enabled or Disabled
  Description: Enables the passcode settings.

Allow Simple
  Windows 10 Mobile: Enabled or Disabled
  Windows 10: Not available
  Description: Permits the use of repeating, ascending or descending characters.

Allow Convenience Login
  Windows 10 Mobile: Not available
  Windows 10: Enabled or Disabled
  Description: Allows a picture password as login method.

Complexity
  Windows 10 Mobile: Any Complexity, Numeric, Alpha Numeric
  Windows 10: Not available
  Description: Character groups that are required in the user's passcode.

Minimum Length
  Windows 10 Mobile: 4-18
  Windows 10: 6-23
  Description: The smallest number of passcode characters allowed.

Minimum Complex Characters
  Windows 10 Mobile: 1-4
  Windows 10: 3
  Description: The smallest number of non-alphanumeric characters allowed. If 'Allow Simple' is checked, this setting is disabled.

Maximum Passcode Age (1-730 days, or none)
  Windows 10 Mobile: 1-730 or empty
  Windows 10: Not available
  Description: How often the passcode must be changed.

Auto-lock (minutes)
  Windows 10 Mobile: e.g. 15
  Windows 10: 1-1200
  Description: The device locks automatically after this period of inactivity.

Passcode History (1-50 passcodes, or none)
  Windows 10 Mobile: 1-50 or empty
  Windows 10: Not available
  Description: Number of unique passcodes required before a passcode can be reused.

Maximum Failed Attempts
  Windows 10 Mobile: e.g. 10
  Windows 10: 4-16
  Description: Number of passcode entry attempts allowed before the device is reset to factory settings.
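To make the interplay of the passcode rules concrete, the following Python script is an added example, not Matrix42 code: it models the Passcode settings above (Allow Simple, Complexity, Minimum Length, Minimum Complex Characters, Passcode History) as a small rule set and reports which rules a candidate passcode violates, including the table's note that the complex-character minimum is disabled when Allow Simple is checked. The PasscodePolicy field names, the violation labels, and the reading of "simple" as a passcode that consists entirely of one repeating, ascending or descending run are assumptions made here; the device enforces the real rules.

```python
"""Passcode policy checker for the Passcode table.  Added example, not
Matrix42 code: PasscodePolicy's field names, the violation labels and the
reading of 'simple' as one repeating/ascending/descending run are assumptions."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class PasscodePolicy:
    allow_simple: bool = False             # Allow Simple
    complexity: str = "Any Complexity"     # Complexity: Any Complexity | Numeric | Alpha Numeric
    minimum_length: int = 6                # Minimum Length
    minimum_complex_chars: int = 1         # Minimum Complex Characters (non-alphanumeric)
    history_size: int = 0                  # Passcode History; 0 = none
    previous: List[str] = field(default_factory=list)  # earlier passcodes, oldest first


def is_simple(passcode: str) -> bool:
    """True when every step between neighbouring characters is the same 0, +1
    or -1 (e.g. 1111, 1234, dcba); this reading of the table is an assumption."""
    if len(passcode) < 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(passcode, passcode[1:])}
    return steps in ({0}, {1}, {-1})


def policy_conflicts(policy: PasscodePolicy) -> List[str]:
    """Settings that can never be satisfied together."""
    conflicts: List[str] = []
    if (policy.complexity == "Numeric" and not policy.allow_simple
            and policy.minimum_complex_chars > 0):
        conflicts.append("Numeric complexity leaves no room for non-alphanumeric characters")
    return conflicts


def check_passcode(policy: PasscodePolicy, candidate: str) -> List[str]:
    """Names of the rules the candidate violates; an empty list means accepted."""
    violations: List[str] = []
    if len(candidate) < policy.minimum_length:
        violations.append("minimum_length")
    if not policy.allow_simple and is_simple(candidate):
        violations.append("simple")
    has_digit = any(c.isdigit() for c in candidate)
    has_alpha = any(c.isalpha() for c in candidate)
    if policy.complexity == "Numeric" and not candidate.isdigit():
        violations.append("complexity")
    elif policy.complexity == "Alpha Numeric" and not (has_digit and has_alpha):
        violations.append("complexity")
    # The table notes this rule is disabled when Allow Simple is checked.
    if not policy.allow_simple:
        complex_chars = sum(1 for c in candidate if not c.isalnum())
        if complex_chars < policy.minimum_complex_chars:
            violations.append("minimum_complex_chars")
    if policy.history_size and candidate in policy.previous[-policy.history_size:]:
        violations.append("history")
    return violations


if __name__ == "__main__":
    # Constructed sample policy within the Windows 10 Mobile ranges of the table.
    policy = PasscodePolicy(complexity="Alpha Numeric", minimum_length=6,
                            minimum_complex_chars=1, history_size=3,
                            previous=["Old#Pass1", "Old#Pass2"])
    for candidate in ("123456", "Gr33n!Tea", "Old#Pass2"):
        print(candidate, "->", check_passcode(policy, candidate) or "accepted")
```

Running the script prints three violations for 123456 (an ascending run with no letter and no special character), accepts Gr33n!Tea, and rejects Old#Pass2 only because it sits within the last three passcodes kept in the history.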

Restrictions

Windows 10 Restrictions

The restrictions correspond to settings of Microsoft's Policy configuration service provider (Policy CSP).

Columns: Setting / Availability (Windows 10 editions) / Options / Requirement (Windows 10 version) / Description

Above Lock Screen
Allow Cortana Above Lock Screen
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not allowed
  • Allowed
  • 1607
Specifies whether or not the user can interact with Cortana using speech while the system is locked. If enabled, the user can interact with Cortana using speech while the system is locked. If disabled, the system will need to be unlocked for the user to interact with Cortana using speech.
Allow Toasts
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not allowed
  • Allowed
  Specifies whether to allow toast notifications above the device lock screen
Accounts    
Allow User to Add Non-Microsoft Accounts Manually
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not allowed
  • Allowed
  Specifies if the user is allowed to add non-MSA email accounts
Allow Microsoft Account for Non Email Related Services
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not allowed
  • Allowed


Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services.
Allow Microsoft Account Sign In Assistant
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not allowed
  • Allowed
  • 1703

Disables the Microsoft Account Sign-In Assistant (wlidsvc) NT service.

If disabled, Windows Update no longer offers feature updates to devices running Windows 10 1709 or higher.

Application Management    
Allow App Store Auto Update
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  Configures if automatic app updates from Microsoft Store are allowed or not.
Allow Windows Game Recording and Broadcasting
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  Controls whether DVR and broadcasting is allowed.
Allow Shared User AppData
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  This setting configures whether application data can be shared among multiple users on the system and with other instances of that app. Disabling this setting does not delete existing shared data in the SharedLocal folder.
Disable All Apps From Microsoft Store
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1607
Enabling this setting prevents the launch of all pre-installed or downloaded apps from the Microsoft Store.
Allow User Control Over Installs
  • Windows 10 Pro
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1803
Permits users to change installation options that typically are available only to system administrators. 
Allow MSI Always Install With Elevated Privileges
  • Windows 10 Pro
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1803
Directs Windows Installer to use elevated permissions when it installs any program on the system
Only Display the Private Store Within the Microsoft Store
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  If disabled, both the public and the private store are available. If enabled, only the private (corporate) store is shown.
Prevent Users' App Data From Being Stored on Non-System Volumes
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  Controls if application data is restricted to the system drive or not.
Disable Installing Windows Apps on Non-System Volumes
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  Controls whether the installation of applications is restricted to the system drive or not.
Allow All Trusted Apps to Install
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Explicit deny
  • Explicit allow unlock
  Controls whether apps from outside the Microsoft Store may be installed.
Allow Developer Unlock
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Explicit deny
  • Explicit allow unlock
  Specifies whether developer unlock is allowed or not.
Audit    
Audit Account Lockout
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Success
  • Off/None
  • Failure
  • Success+Failure
  • 1903

Controls auditing of events generated by a failed attempt to log on to an account that is locked out.

Depending on the configuration an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts.

Audit Group Membership
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Configures auditing of the group membership information in the user's logon token. Events are generated on the computer on which the logon session is created and for each successful logon.

For an interactive logon, audit events are generated on the computer that the user logged on to.

For a network logon, such as accessing a shared folder on the network, audit events are generated on the hosting computer.

You must also enable the Audit Logon setting.

Audit IPsec Extended Mode
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Controls auditing of events generated by the Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
Audit IPsec Main Mode
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None 
  • Success
  • Failure
  • Success+Failure
  • 1903
Controls auditing of events generated by the Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
Audit IPsec Quick Mode
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Controls auditing of events generated by the Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
Audit Logoff
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Success
  • Off/None
  • Failure
  • Success+Failure
  • 1903
Controls auditing of events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff, the security audit event is generated on the computer that the user account logged on to.
Audit Logon
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Success
  • Off/None
  • Failure
  • Success+Failure
  • 1903 
Controls auditing of user account logon attempts on the device.
Audit Network Policy Server
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Success+Failure
  • Off/None
  • Success
  • Failure
  • 1903

Configures auditing of events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be grant, deny, discard, quarantine, lock and unlock.

  • Success: audits record successful user access requests.
  • Failure: audits record unsuccessful attempts.
  • Off/None: IAS and NAP user access requests are not audited.
Audit Other Logon Logoff Events
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Configures auditing of other logon or logoff related events. These include:

  • Terminal Services session disconnection.
  • New Terminal Services sessions.
  • Locking and unlocking a workstation.
  • Invoking a screen saver.
  • Dismissal of a screen saver.
  • Detection of a Kerberos replay attack, in which a Kerberos request was received twice with identical information. This condition could be caused by network misconfiguration.
  • Access to a wireless network granted to a user or computer account.
  • Access to a wired 802.1x network granted to a user or computer account.
Audit Special Logon
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Success
  • Off/None
  • Failure
  • Success+Failure
  • 1903

Configures auditing of events generated by special logons, such as:

  • Use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.
  • A logon by a member of a Special Group. A list of group security identifiers can be configured in the registry. Please refer to Audit Special Logon for more information.
Audit User Device Claims
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Configures auditing of user and device claims information in the user's logon token.

Events are generated on the computer on which a logon session is created and for each successful logon.

For an interactive logon, audit events are generated on the computer that the user logged on to.

For a network logon, such as accessing a shared folder on the network, audit events are generated on the hosting computer.

You must also enable the Audit Logon setting.

Audit Credential Validation
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Controls auditing of events generated by validation tests on user account logon credentials.
Audit Kerberos Authentication Service
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None 
  • Success
  • Failure
  • Success+Failure
  • 1903
Controls auditing of events generated by Kerberos authentication ticket-granting ticket (TGT) requests.
Audit Kerberos Service Ticket Operations
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Controls auditing of events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts.
Audit Other Account Logon Events
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Audits events generated by responses to credential requests submitted for a user account logon that are neither credential validation nor Kerberos ticket events.
Audit Application Group Management
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Controls auditing of events generated by changes to application groups, such as:

  • Creation, changing or deletion of application groups
  • Adding or removing members from an application group
Audit Computer Account Management
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Configures auditing of events generated by changes to computer accounts, e.g. when computer accounts are created, changed or deleted.
Audit Distribution Group Management
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Controls auditing of changes to distribution groups, such as:

  • Creation, changing or deletion of distribution groups
  • Adding or removing members from a distribution group
  • Type changes of distribution groups
Audit Other Account Management Events
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Specifies the audit events generated by other user account changes, such as:

  • Password hashes were accessed.
  • Policy-checking API calls were made.
  • Changes to the Default Domain Group Policy under the following paths:
    • Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
    • Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
Audit Security Group Management
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Success
  • Off/None
  • Failure
  • Success+Failure
  • 1903

Audits events generated by changes to security groups, such as:

  • Creation, changing or deletion of security groups
  • Adding or removing members from a security group
  • Type changes of security groups
Audit User Account Management
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Success
  • Off/None
  • Failure
  • Success+Failure
  • 1903

This setting audits changes to user accounts. These events include the following:

  • A user account is created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.
  • A user account’s password is set or changed.
  • A security identifier (SID) is added to the SID History of a user account.
  • The directory services restore mode password is configured.
  • Permissions on administrative user accounts are changed.
  • Credential Manager credentials are backed up or restored.
Audit Detailed Directory Service Replication
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Controls auditing of events generated by detailed AD DS replication between domain controllers.
Audit Directory Service Access
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Audits events generated when an AD DS object is accessed.

Only AD DS objects with a matching system access control list (SACL) are logged.

Audit Directory Service Changes
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Specifies the audit events generated by changes to objects in AD DS. Events are logged when an object is created, deleted, modified, moved or undeleted.

Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged.

Audit Directory Service Replication
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

This setting audits replication between two AD DS domain controllers.

Events in this subcategory are logged only on domain controllers.

Audit DPAPI Activity
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Controls auditing of events generated when encryption or decryption requests are made to the Data Protection API (DPAPI). For more information about DPAPI, see the article Windows Data Protection.

Audit PNP Activity
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Specifies the audit setting for events generated when plug and play detects an external device.
Audit Process Creation
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Controls auditing of events generated when a process is created or starts.

The name of the application and the user that created the process are also audited.

Audit Process Termination
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Controls auditing of events generated when a process ends.
Audit RPC Events
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Specifies the setting for audit events for inbound remote procedure call connections. 
Audit Token Right Adjusted
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Controls auditing of events generated when the privileges of a token are adjusted.
Audit Application Generated
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Controls auditing of applications that generate events using the Windows Auditing application programming interfaces (APIs).
Audit Central Access Policy Staging
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Audits access requests where permissions are granted or denied by a proposed policy that differs from the current central access policy on an object.
Audit Certification Services
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Controls auditing of events from Active Directory Certificate Services operations.
Audit Detailed File Share
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Controls auditing of attempts to access files and folders on a shared folder. This gives more granular logging of file shares than the Audit File Share setting: Detailed File Share logs an event every time a file or folder is accessed.

There are no system access control lists (SACLs) for shared folders. If this setting is enabled, access to all shared files and folders on the system is audited.

Audit File Share
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Controls auditing of attempts to access a shared folder. Audit File Share logs one event for any established connection between a client and a file share.

There are no system access control lists (SACLs) for shared folders. If this setting is enabled, access to all shared files and folders on the system is audited.

Audit File System
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Specifies audit settings for user attempts to access file system objects. Audit events are generated each time an account accesses a file system object with a matching SACL.
Audit Filtering Platform Connection
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Controls auditing of connections that are allowed or blocked by the Windows Filtering Platform (WFP). This includes the following events:

  • The Windows Firewall service blocks an application from accepting incoming connections on the network.
  • WFP allows or blocks a connection.
  • WFP permits or blocks a bind to a local port.
  • WFP permits or blocks an application or service listening on a port for incoming connections.
Audit Filtering Platform Packet Drop
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Specifies audit settings for packets that are dropped by the Windows Filtering Platform.
Audit Handle Manipulation
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Controls audit settings for events generated when a handle to an object is opened or closed. 

Only objects with a matching system access control list (SACL) generate security audit events.

Audit Kernel Object
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Controls auditing of attempts to access kernel objects, such as mutexes and semaphores.

Only kernel objects with a matching system access control list (SACL) generate security audit events.

Audit Other Object Access Events
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Controls auditing of events generated by the management of Task Scheduler jobs or COM+ objects.

The following Task Scheduler operations are audited:

  • Jobs are created, deleted, enabled, disabled or updated.

The following COM+ operations are audited:

  • Catalog objects are added, updated or deleted.
Audit Registry
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Controls audit settings for attempts to access registry objects. 

Audit events are generated only for objects that have the SACLs specified and only if the access type such as read, write or modify is requested and the account that makes the requests matches the settings in the SACL. 

Audit Removable Storage
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Defines audit settings for user attempts to access file system objects on a removable storage device. Security audit events are generated for all objects and for all types of requested access.
Audit SAM
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Controls audit settings for events generated by attempts to access Security Account Manager objects. 
Audit Authentication Policy Change
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Success
  • Off/None
  • Failure
  • Success+Failure
  • 1903

Specifies audit settings for events generated by changes to the authentication policy. Please review the authentication policy events here.


Audit Authorization Policy Change
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Controls audit settings for events generated by changes to the authorization policy. Please review the authorization policy events here.
Audit Filtering Platform Policy Change
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Defines audit settings for events generated by changes to the Windows Filtering Platform, such as:

  • IPsec services status
  • IPsec policy settings changes
  • Windows Firewall policy settings changes.
  • WFP providers and engine changes.


Audit MPSSVC Rule Level Policy Change
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Specifies audit settings for events generated by changes in the policy rules used by the Microsoft Protection Service (MPSSVC), which is used by Windows Firewall. MPSSVC includes the following events:

  • Active policies report when the Firewall service starts
  • Changes to Firewall rules, exception list and settings
  • Ignored or not applied rules
  • Windows Firewall Group Policy settings changes. 
Audit Other Policy Change Events
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Defines audit settings for events generated by security policy changes that are not covered by the other subcategories of the Policy Change category, such as:

  • Changes to the TPM configuration
  • Kernel-mode cryptographic self-tests
  • Cryptographic provider and/or context operations or modifications
  • Changes to the applied Central Access Policies
  • Modifications to the Boot Configuration Data
Audit Policy Change
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Success
  • Off/None
  • Failure
  • Success+Failure
  • 1903
Controls audit settings for events generated by changes in the security audit policy settings. Please review included events here
Audit Non Sensitive Privilege Use
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None 
  • Success
  • Failure
  • Success+Failure
  • 1903
Controls audit settings for events generated by the use of non sensitive user rights (privileges). Please review nonsensitive privileges here
Audit Other Privilege Use Events
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

This setting is deprecated

 

Audit Sensitive Privilege Use
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Defines audit settings for events generated when sensitive user rights (privileges) are used. Please review audit events here
Audit IPsec Driver
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None 
  • Success
  • Failure
  • Success+Failure
  • 1903

Specifies audit settings for events generated by the IPsec filter driver, such as:

  • IPsec services startup and shutdown
  • Network packets dropped because of:
    • Integrity check failure
    • Replay check failure
    • Arrival in plaintext where IPsec protection is required
  • Network packets received with an incorrect Security Parameter Index (SPI)
  • Inability to process IPsec filters
Audit Other System Events
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Success+Failure
  • Off/None
  • Success
  • Failure
  • 1903

This setting controls auditing of the following events:

  • Windows Firewall service and driver startup and shutdown
  • Security policy processing by the Windows Firewall service
  • Cryptographic key file and migration operations
Audit Security State Change
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Success
  • Off/None
  • Failure
  • Success+Failure
  • 1903

Defines audit settings for events generated by changes in the security state of the computer, such as:

  • Startup and shutdown
  • System time changes
  • Recovery from CrashOnAuditFail
Audit Security System Extension
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Controls audit settings for events related to security system extensions or services.
Audit System Integrity
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Success+Failure
  • Off/None
  • Success
  • Failure
  • 1903

Controls auditing of events generated by integrity violations of the security subsystem. Please review audit events here
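The audit settings above are pushed by the profile, but nothing on the device tells you whether they survived a conflicting Group Policy or a failed sync. The following PowerShell script is an added example (it is not part of the Matrix42 documentation) that reads the effective local audit policy with auditpol and compares it with the subcategory values a profile is expected to set. The $Baseline table is a hypothetical profile, and the script assumes an English Windows build so that auditpol's CSV headers and setting names match the strings used; run it in an elevated session.

```powershell
# Added example, not part of the Matrix42 documentation: verify that the audit
# subcategories configured in the profile are in effect on a managed device.
# Assumptions: $Baseline is a hypothetical profile; the device runs an English
# build so auditpol's CSV headers and setting names match these strings.

# Subcategory name as auditpol reports it -> value configured in the profile.
# The profile value "Success+Failure" is auditpol's "Success and Failure",
# "Off/None" is "No Auditing"; "Not configured" entries are simply left out.
$Baseline = @{
    'Audit Policy Change'              = 'Success and Failure'
    'Authentication Policy Change'     = 'Success'
    'Authorization Policy Change'      = 'Success'
    'MPSSVC Rule-Level Policy Change'  = 'Success and Failure'
    'Filtering Platform Policy Change' = 'Failure'
    'Other Policy Change Events'       = 'Failure'
    'Sensitive Privilege Use'          = 'Success and Failure'
    'Non Sensitive Privilege Use'      = 'No Auditing'
    'IPsec Driver'                     = 'Success and Failure'
    'Security State Change'            = 'Success'
    'Security System Extension'        = 'Success and Failure'
    'System Integrity'                 = 'Success and Failure'
}

function Get-EffectiveAuditPolicy {
    # auditpol /r prints CSV with the columns
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $rows = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    $effective = @{}
    foreach ($row in $rows) { $effective[$row.Subcategory] = $row.'Inclusion Setting' }
    return $effective
}

function Test-AuditBaseline {
    param([hashtable]$Expected, [hashtable]$Actual)
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $have = if ($Actual.ContainsKey($name)) { $Actual[$name] } else { '<not reported>' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Expected[$name]
            Actual      = $have
            Compliant   = ($have -eq $Expected[$name])
        }
    }
}

$report = Test-AuditBaseline -Expected $Baseline -Actual (Get-EffectiveAuditPolicy)
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'Audit policy drift detected: re-check the profile or look for a conflicting Group Policy.'
}

# The profile push itself is auditable: with Audit Policy Change set to Success,
# every applied subcategory change is logged as Security event 4719.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

The trailing event query is the quickest way to see when the profile last touched the audit policy: each subcategory change produces its own 4719 event, so a burst of them at sync time confirms the push, and a 4719 outside of sync times is worth investigating.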

 

Authentication    
Allow Azure AD Password Reset
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • Disabled
  • 1709
Defines whether password reset is enabled for Azure Active Directory accounts
Allow EAP Cert SSO
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • Disabled
Allows or disallows EAP certificate-based authentication for single sign-on (SSO) to internal resources.
Allow Fast Reconnect
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • Disabled
Allows or disallows EAP Fast Reconnect from being attempted for the EAP-TLS method.
Allow Companion Device for Secondary Authentication
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • Disabled
  • 1607
Allows or disallows secondary authentication devices to work with Windows
Allow Enable Fast First Sign In
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • None
  • Enabled
  • Disabled
  • 1809
Configures quick first sign-in experience for a user on Shared PCs. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.
Allow Enable Web Sign In
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • None
  • Enabled
  • Disabled
  • 1809
Web Sign-in is a way of signing into a Windows PC and enables Windows logon support for non-ADFS federated providers (e.g. SAML). Only supported for Azure AD Joined PCs
BITS    
Set Default Download Behavior for Background Jobs on Costed Networks
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Always transfer
  • Transfer unless roaming
  • Transfer unless surcharge applies
  • Transfer unless nearing limit
  • Transfer only if unconstrained 
  • 1809
Configures the default behavior that the Background Intelligent Transfer Service (BITS) uses for background transfers when the device is connected to a costed network (3G, LTE etc.).
Set Default Download Behavior for Foreground Jobs on Costed Networks
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Always transfer
  • Transfer unless roaming
  • Transfer unless surcharge applies
  • Transfer unless nearing limit
  • Transfer only if unconstrained 
  • 1809
Configures the default behavior that the Background Intelligent Transfer Service (BITS) uses for foreground transfers when the device is connected to a costed network (3G, LTE etc.).
Bluetooth    
Allow Advertising
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not Allowed
  • Allowed
  Configures if the device can send out Bluetooth advertisement
Allow Discoverable Mode
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not Allowed
  • Allowed
  Specifies whether other Bluetooth-enabled devices can discover the managed device
Allow Prepairing
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not Allowed
  • Allowed
  • 1607
Allows or disallows specific bundled Bluetooth peripherals to automatically pair with the host device.
Allow Prompted Proximal Connections
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not Allowed
  • Allowed
  • 1803
Allows or blocks users from using Swift Pair and other proximity-based pairing scenarios.
Browser    
Allow Address bar drop-down list suggestions
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703
Microsoft Edge shows the Address bar drop-down list and makes it available by default, which takes precedence over the Configure search suggestions in Address bar policy. Disable this setting to minimize network connections from Microsoft Edge to Microsoft services; this hides the Address bar drop-down list. If disabled, Microsoft Edge also disables the Show search and site suggestions as I type toggle in Settings.
Allow Browser  
  • Enabled or Disabled
   
Allow Configuration Updates for the Books Library
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1803
If enabled, Microsoft Edge updates configuration data for the Books Library automatically. If disabled  Microsoft Edge will be prevented from updating the configuration data.
Allow Developer Tools
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
If disabled, users are prevented from using the F12 developer tools.
Allow Extensions
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1607
If disabled, users are prevented from adding or personalizing extensions.
Allow Adobe Flash
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
 

If disabled, Microsoft Edge is prevented from running Adobe Flash content.

Adobe Flash is integrated with Microsoft Edge and Flash content runs by default, subject to the Click-to-Run setting below.

Configure the Adobe Flash Click-to-Run Setting
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703
By default, Microsoft Edge prevents Adobe Flash content from loading automatically and requires an action from the user, for example clicking the Click-to-Run button. Disabling this setting loads Adobe Flash content automatically.
Allow FullScreen Mode
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1809
Configures whether fullscreen mode is allowed or not.
Allow InPrivate Browsing
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
InPrivate Browsing deletes all browsing data from the device once all InPrivate tabs are closed. This setting configures whether InPrivate Browsing is allowed or not.
Allow Microsoft Compatibility List
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703
During browser navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays correctly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates. With this policy, you can configure Microsoft Edge to ignore the compatibility list. You can view the compatibility list at about:compat.
Allow Microsoft Edge to Pre-Launch at Windows Startup
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1809
If enabled, the browser pre-launches as a background process during Windows startup for faster performance and faster launch time. 
Allow Printing
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1809
Disabling this setting will prevent user from printing web content. 
Allow Saving History
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1809
Disabling this setting prevents Microsoft Edge from saving the browsing history. If any history existed before the setting was disabled, it remains in the History pane. Disabling this setting also does not stop roaming of existing browsing history or of browsing history from other devices.
Allow Search Engine Customization
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703
Configures whether users are allowed to customize the search engine.
Allow Sideloading of Extensions
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1809
Sideloading allows installing and running unverified extensions. If disabled, extensions can only be installed through the Microsoft Store or Microsoft Store for Business, or with PowerShell by using the Add-AppxPackage cmdlet.
Allow Microsoft Edge to Start and Load the Start and New Tab Pages
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1809
If enabled, Microsoft Edge pre-loads the Start and New Tab pages during Windows Login and each time the browser closes by default for a faster start and new tab loading. 
Allow Always Show the Books Library in Microsoft Edge
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1803
If disabled (default), the Books Library is only shown in supported countries or regions. If enabled, the Books Library is shown regardless of whether the country or region is supported.
Allow Clearing Browsing Data on Exit
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703

Clearing browsing data on exit is not enabled by default in the browser, but users can configure this option in Settings. Browsing data may include sensitive information the user entered, such as form data, passwords and visited websites. This setting clears the browsing data automatically each time Microsoft Edge closes.

  • Disabled - User can configure the option in settings
  • Enabled -  Browsing data will be cleared automatically after closing Microsoft Edge
Configure Additional Search Engines
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703

Users are allowed to set a default search engine but cannot add, change or remove search engines. This setting lets you set the default engine and add up to five additional search engines.

You must specify a link to the OpenSearch XML file. Please refer to Search provider discovery.

Configure Kiosk Mode
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1809
 
Disable Lockdown of Start Pages
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703
 
Allow Extended Telemetry for the Books Tab
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1803
If enabled, Microsoft Edge gathers all diagnostic data (e.g usage data) about the books in the Books Library and sends it to Microsoft. 
Configure the Enterprise Mode Site List
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
   
Prevent Changes to Favorites on Microsoft Edge
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1709
If disabled, users can import, add and change favorites. If enabled, the Save a favorite and Import settings options and the context menu items (e.g. Create new folder) are turned off.
Prevent Access to the about:flags Page in Microsoft Edge
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  If enabled, users will not have access to the about:flags page to change developer settings and enable experimental features. 
Prevent Certificate Error Overrides
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1809
By default, users are allowed to override the security warning shown for sites with certificate errors (expired, untrusted or name-mismatched certificates). Enabling this setting prevents users from overriding these warnings.
Prevent the First Run Webpage From opening on Microsoft Edge
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703
If enabled, the welcome page hosted on microsoft.com will not load at the first launch of Microsoft Edge. The welcome page introduces features and helpful tips of Microsoft Edge. 
Prevent Microsoft Edge From Gathering Live Tile Information
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703
If enabled, Microsoft Edge is prevented from collecting the Live Tile metadata it otherwise sends to Microsoft to improve the user experience.
Prevent Bypassing Windows Defender SmartScreen Prompts for Sites
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
If disabled, users can ignore warnings about potentially malicious sites and are allowed to continue to the site. If enabled, Microsoft Edge prevents users from bypassing the warnings and blocks continuing to the site.
Prevent Bypassing Windows Defender SmartScreen Prompts for Files
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
If disabled, users can ignore warnings about potentially malicious files and are allowed to continue downloading the unverified file(s). If enabled, Microsoft Edge prevents users from bypassing the warnings and blocks the downloads.
Prevent Using Localhost IP Address for WebRTC
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
By default, Microsoft Edge exposes the localhost IP address while making calls using the Web Real-Time Communication (WebRTC) protocol. Enabling this setting hides the localhost IP addresses.
Send All Intranet Sites to IE 11
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
By default, all websites, including intranet sites, open in Microsoft Edge. Enabling this setting loads intranet sites (only) in Internet Explorer 11 automatically.
Allow Keep Favorites in Sync Between IE and Microsoft Edge
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  Enabling this setting turns on the synchronization of favorites between Internet Explorer and Microsoft Edge. 
Allow Unlock Home Button
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1809
By default, the home button is locked down to prevent users from changing its settings. Enabling this setting lets users make changes.
Allow a Shared Books Folder
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1803
This setting configures whether Microsoft Edge stores books from the Books Library in the default shared folder in Windows.
Configure Additional Search Engines
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1703
By default, users cannot add, remove, or change any of the search engines in Microsoft Edge, but they can set a default search engine. You can set the default search engine using the Set Default Search Engine policy. With this policy, you can configure up to five additional search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines.
Specify the Location(s) (URL) of OpenSearch XML File
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
 
  • 1703
For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see Search provider discovery.
Configure Autofill
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Allowed (Default)
  • Not allowed
Configures whether users can choose to use the Autofill feature to populate form fields automatically. Not allowed prevents Microsoft Edge from using Autofill.
Configure Favorites Bar
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Hide bar
  • Show bar
  • 1809

By default, Microsoft Edge hides the favorites bar but shows it on the Start and New Tab pages. The Favorites Bar toggle in Settings is set to off, but users can change it.

Hide bar hides the favorites bar on all pages. Additionally, the Favorites Bar toggle in Settings is set to off and users are not able to change it.

Show bar displays the favorites bar on all pages. Additionally, the Favorites Bar toggle in Settings is set to on and users are not able to change it.

Configure Home Button
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Show home button and load the Start page (Default)
  • Show home button and load the New Tab page
  • Show home button and load the URL page
  • Hide home button
  • 1809
 
Configure Open Microsoft Edge With
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Load specific page (Default)
  • Load start page
  • Load new page
  • Load previous pages
  • 1809
 
Configure Collection of Browsing Data for Microsoft 365 Analytics
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • No data (Default)
  • Send intranet (history)
  • Send internet (history)
  • Send both
  • 1809
This setting configures whether Microsoft Edge sends browsing history data to Microsoft 365 Analytics and which history (intranet, internet or both) is transmitted.
Configure Do Not Track
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Never send (Default)
  • Send
With this setting, you can configure whether Microsoft Edge sends Do Not Track requests to websites that ask for tracking information.
Configure Password Manager
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Allowed (Default)
  • Not allowed
Configures whether the user can choose to save and manage passwords locally. Not allowed prevents Microsoft Edge from using the Password Manager.
Configure the Enterprise Mode Site List
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and switch to IE11 automatically. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode.
Specify the Location (URL) of Enterprise Mode Site List
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
Microsoft Edge checks the Enterprise Mode Site List if one is configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during those 65 seconds, but uses the existing file. To add the location of your site list, enter it in the box.

For details on how to configure the Enterprise Mode Site List, see Interoperability and enterprise guidance.
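Because every matching entry in the site list hands the page to the IE11 engine, where ActiveX, Browser Helper Objects and VBScript are available again, the list deserves the same review as an allow-list. The following PowerShell script is an added example (not part of the Matrix42 documentation or of Microsoft's tooling): it contains a small, constructed v2 Enterprise Mode site list with the elements Microsoft's schema uses (site-list, site, compat-mode, open-in) and reviews each entry for breadth. Host names are hypothetical.

```powershell
# Added example, not part of the Matrix42 documentation: a constructed v2
# Enterprise Mode site list and a review pass that flags broad entries.
# Host names below are hypothetical.
$siteListXml = @'
<site-list version="1">
  <created-by>
    <tool>constructed by hand</tool>
    <version>1</version>
    <date-created>20190601.120000</date-created>
  </created-by>
  <site url="legacy-erp.imagoverum.example">
    <compat-mode>IE8Enterprise</compat-mode>
    <open-in>IE11</open-in>
  </site>
  <site url="portal.imagoverum.example/timesheets">
    <compat-mode>Default</compat-mode>
    <open-in>IE11</open-in>
  </site>
  <site url="imagoverum.example">
    <compat-mode>IE7Enterprise</compat-mode>
    <open-in>IE11</open-in>
  </site>
  <site url="intranet">
    <compat-mode>Default</compat-mode>
    <open-in>IE11</open-in>
  </site>
</site-list>
'@

function Get-SiteListReview {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    foreach ($site in $doc.'site-list'.site) {
        $url      = $site.url
        $hostPart = ($url -split '/')[0]
        $flags    = @()
        # An entry with no path matches every page on the host (and its
        # subdomains for a domain entry), so it should name an application,
        # not an organisation.
        if ($url -notmatch '/') { $flags += 'domain-wide entry: every page on the host matches' }
        # A single-label name is either an intranet NetBIOS name or a mistake;
        # confirm it is the former before shipping the list.
        if ($hostPart -notmatch '\.') { $flags += 'single-label host: verify it is an intranet name' }
        if ($site.'open-in' -eq 'IE11' -and $site.'compat-mode' -ne 'Default') {
            $flags += "legacy document mode $($site.'compat-mode') in IE11"
        }
        [pscustomobject]@{
            Url        = $url
            CompatMode = $site.'compat-mode'
            OpenIn     = $site.'open-in'
            Flags      = ($flags -join '; ')
        }
    }
}

Get-SiteListReview -Xml $siteListXml | Format-Table -AutoSize
```

Run the review against the file you are about to publish at the URL configured above; anything flagged as domain-wide or single-label should be narrowed to the host and path the legacy application actually needs. Remember the 65 second cache window described above when testing a corrected list: the old file stays in effect until the refresh completes.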

Configure Search Suggestions in Address Bar
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Allowed (Default)
  • Not allowed
  If allowed, users can choose to see search suggestions in the address bar. If not allowed, the search suggestions are hidden
Set Default Search Engine
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Specified for the Market (Default)
  • Specified for OpenSearchXML file
  • 1703

By default, the search engine specified in App settings will be used and users are able to make changes.

Specified for the Market uses the search engine Microsoft Edge specifies for the market.

With Specified for OpenSearchXML file Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file.

Please review Search provider discovery for further information.

Specify the Location (URL) of OpenSearch XML File
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
 
  • 1703
Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see Search provider discovery. Use this format to specify the link you want to add.
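Both of the OpenSearch settings above (the additional search engines and the default search engine) point at a descriptor file that must carry at least a short name and an HTTPS URL template. The following PowerShell script is an added example (not part of the Matrix42 documentation) showing a minimal OpenSearch 1.1 description document and a check that it meets that minimum before the URL is entered into the profile; the {searchTerms} placeholder is what OpenSearch substitutes the query into. The search host name is hypothetical.

```powershell
# Added example, not part of the Matrix42 documentation: a minimal OpenSearch
# description document and a pre-flight check for the requirements stated in
# the settings above (ShortName present, HTTPS URL template). The host name
# is hypothetical.
$openSearchXml = @'
<?xml version="1.0" encoding="UTF-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>Imagoverum Intranet</ShortName>
  <Description>Search the Imagoverum intranet</Description>
  <InputEncoding>UTF-8</InputEncoding>
  <Url type="text/html" method="get"
       template="https://search.imagoverum.example/results?q={searchTerms}"/>
</OpenSearchDescription>
'@

function Test-OpenSearchDescriptor {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('os', 'http://a9.com/-/spec/opensearch/1.1/')
    $problems = @()

    $shortName = $doc.SelectSingleNode('/os:OpenSearchDescription/os:ShortName', $ns)
    if ($null -eq $shortName -or [string]::IsNullOrWhiteSpace($shortName.InnerText)) {
        $problems += 'ShortName is missing or empty'
    }

    # Edge needs the text/html template; other Url types (e.g. suggestions) are optional.
    $htmlUrl = $doc.SelectSingleNode("/os:OpenSearchDescription/os:Url[@type='text/html']", $ns)
    if ($null -eq $htmlUrl) {
        $problems += 'No <Url type="text/html"> element'
    } else {
        $template = $htmlUrl.GetAttribute('template')
        # A plain-http template would send every query, and the user's search
        # terms, in clear text; the settings above require HTTPS.
        if ($template -notmatch '^https://') { $problems += "Template is not HTTPS: $template" }
        if ($template -notlike '*{searchTerms}*') { $problems += 'Template has no {searchTerms} placeholder' }
    }

    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

# The constructed descriptor passes ...
Test-OpenSearchDescriptor -Xml $openSearchXml
# ... and the same file with a plain-http template is rejected.
Test-OpenSearchDescriptor -Xml ($openSearchXml -replace 'https://search', 'http://search')
```

Host the validated file on an HTTPS server under your control and enter its URL in the setting; a descriptor fetched from a third-party host can be changed later to redirect every query the browser sends.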
Show message when opening sites in IE
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • No additional message displayed (Default)
  • Show an additional message stating that a site has opened in IE11
  • Show an additional message with a "Keep going in Microsoft Edge" link
 

Configures whether Microsoft Edge displays a notification before a site opens in IE11, or lets the user continue in Microsoft Edge. By default, Microsoft Edge does not show a notification.

This configuration requires either Send All Intranet Sites to IE 11 as enabled or a configured Enterprise Mode Site List

Allow Web Content on New Tab Page
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Load new page (Default)
  • Load blank page
  • 1809
By default, Microsoft Edge loads the default New Tab page and lets users change it. With Load blank page, a blank page loads instead of the New Tab page and users are prevented from changing it.
Configure Cookies
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Allow all (Default)
  • Block all 
  • Block only
By default, Microsoft Edge allows all cookies from all websites. Block all blocks all cookies from all sites; Block only blocks cookies from third-party websites only.
Configure Pop-up Blocker
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Turn off blocker (Default)
  • Turn on blocker
 

By default, the Pop-up Blocker is turned off, which allows pop-up windows to open.

If Turned on, the Pop-up Blocker stops pop-up windows from opening.

Camera    
Allow Camera
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not allowed
  • Allowed
  Specifies whether the user is able to use the device camera or not.
Cellular    
Let Apps Access Cellular Data
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • User is in control
  • Force allow
  • Force deny
  • 1709

Allows to control if Windows 10 apps can access cellular data. 

  • User is in control - Users can decide whether Windows apps can access cellular data by using Settings > Network & Internet > Cellular on the device.
  • Force allow - Windows apps are allowed to access cellular data and users cannot change it.
  • Force deny -  Windows apps are not allowed to access cellular data and users cannot change it.
Connectivity    
Allow Bluetooth
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not Allowed
  • Allowed
   
Allow Connected Devices
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not Allowed
  • Allowed
  • 1703
With this setting it is possible to disable the Connected Devices Platform (CDP) component. CDP is used to enable discovery and connections to other devices to support remote app launch, remote messages, remote app sessions and other cross-device experiences. 
Allow Phone PC Linking
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not Allowed
  • Allowed
  • 1803
Not Allowed disables the ability to link a phone with a PC to continue tasks (e.g. reading, emails and related tasks). If the PC is already linked, this setting removes the device from the device list on any linked phone and prevents it from participating in the "Continue on PC" experience.
Allow VPN Over Cellular
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not Allowed
  • Allowed
Specifies whether the cellular connection may be used for VPN connections.
Allow VPN Roaming Over Cellular
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not Allowed
  • Allowed
  Controls whether the device is allowed or not to connect to VPN when the device is roaming over cellular networks. 
Allow Cellular Data
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Allowed
  • Not allowed
  • Allow but user cannot turn it off
 

Provides the ability to configure cellular data usage settings on the device. 

  • Allow - Allows cellular data and the user is able to turn it off
  • Not allow - Disables cellular data and the user is not able to turn it on
  • Allow but user cannot turn it off - Allows cellular data on the device and prevents the user from turning it off
Allow Cellular Data Roaming
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Allow
  • Not allow
  • Allow but user cannot turn it off
 

Provides the ability to configure cellular data roaming settings on the device. 

  • Allow - Allows cellular data roaming and user is able to turn it off.
  • Not allow – Does not allow cellular data roaming. The user cannot turn it on. 
  • Allow but user cannot turn it off - Allows cellular data roaming on and prevents the user from turning it off.
Control Policy Conflict    
MDM Policy Is Used and the GP Policy Is Blocked
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1803
When enabled, a setting made via the Mobile Device Management (MDM) protocol wins over a conflicting Group Policy setting. This applies only to MDM policies that have a Group Policy equivalent; Group Policy settings without an MDM counterpart continue to apply as before.
Credential Providers    
Disable the Visibility of the Credentials for Autopilot Reset
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1709
Works together with the Clean PC option that resets devices while keeping the management enrollment. This setting controls whether the credential provider that triggers the PC refresh is visible on the device. It does not trigger the reset itself; an administrator still has to authenticate on the target device to start the refresh.
Cryptography    
Allow Fips Algorithm Policy
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not Allowed
  • Allowed
Specifies whether the Federal Information Processing Standard (FIPS) algorithm policy is allowed or disallowed. For details see the explanation of the Group Policy setting System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing under Windows Settings/Security Settings/Local Policies/Security Options. Note that enabling FIPS mode is not a cipher hardening control on its own: Schannel is restricted to FIPS-approved TLS cipher suites, and .NET Framework managed cryptography classes that are not FIPS-validated (for example SHA256Managed) throw an exception, so test line-of-business applications before rolling it out.
Data Protection    
Allow Direct Memory Access
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not Allowed
  • Allowed
 

This restriction, when set to Not Allowed, blocks direct memory access (DMA) for all hot-pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows enumerates the PCI devices connected to the hot-plug PCI ports. Every time the user locks the machine, DMA is blocked on hot-plug PCI ports that have no child devices until the user logs in again. Devices that were already enumerated while the machine was unlocked continue to function until they are unplugged, so the protection covers devices attached to a locked or not-yet-signed-in machine, not devices plugged in while a session is unlocked.

This policy is only enforced when BitLocker Device Encryption is enabled on the device.

Delivery Optimization    
Enable Peer Caching While the Device Connects Via VPN
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703
Controls if the device is allowed to participate in Peer Caching while connected via VPN to the domain network. 
Absolute Max Cache Size (in GB)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 10
  • 1607
Configures the maximum cache size in GB. A value of 0 means an unlimited cache. The cache is cleared if the device is running low on disk space.
Delay Background Download From Http (in secs)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 0
  • 1803

Delays the use of an HTTP source for a background download that is allowed to use peer-to-peer. After the maximum delay is reached, the download resumes from the HTTP source. While a download is waiting for a peer source it appears stuck to the device user.

Recommended value is 3600 (1 h)

Delay Background Download Cache Server Fallback (in secs)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 0
  • 1903
Configures the time in seconds to delay the fallback from a Cache Server to the HTTP source for a background content download. 
Delay Foreground download Cache Server Fallback (in secs)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 0
  • 1903

Configures the time in seconds to delay the fallback from a Cache Server to the HTTP source for a foreground content download. 

Delay Foreground Download From Http (in secs) takes precedence, so that the download is attempted from peers first.

Delay Foreground Download From Http (in secs)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 0
  • 1803

Delays the use of an HTTP source for a foreground (interactive) download that is allowed to use peer-to-peer. After the maximum delay is reached, the download resumes from the HTTP source. While a download is waiting for a peer source it appears stuck to the device user.

The recommended value is 60 (1 minute). The default value 0 means this setting is managed by the cloud service.

Download Mode
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • HTTP blended with peering behind the same NAT (Default)
  • HTTP only
  • HTTP blended with peering across a private group
  • HTTP blended  with Internet peering
  • Simple download mode with no peering
  • Bypass mode
  With this setting it is possible to control the download method that Delivery Optimization can use for downloads of Windows Updates, Apps and App updates. 
Select the Source of Group IDs
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • None (Default)
  • AD Site
  • Authenticated domain SID
  • DHCP user option
  • DNS suffix
  Restricts the peer selection to a specific source
Max Cache Age (in secs)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 2592000
 

Controls the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully.

A value of 0 means unlimited. The default value is 259200, which is equal to 3 days.

Max Cache Size (percentage)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 20
  Controls the maximum percentage of the disk size (1-100) that Delivery Optimization can utilize. 
Max Download Bandwidth (in KB/s)  
  • e.g. 0
 

This setting is deprecated. Use Max Foreground Download Bandwidth and Max Background Download Bandwidth (percentage) instead.

Max Upload Bandwidth (in KB/s)  
  • e.g. 0
 

This setting is deprecated. There is no alternate policy available

Min Background QoS (in KB/s)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 500
  • 1607

Defines the minimum download Quality of Service (QoS), i.e. the minimum download speed in KB/s, for background downloads.

Default value is 500

Allow Uploads While the Device Is on Battery (percentage)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 0
  • 1703

Defines the minimum battery level (in percent) at which the device is still allowed to upload data to peers while running on battery. Uploads pause automatically when the battery level falls below this threshold.

The recommended value is 40. The default value 0 means uploads on battery are not limited.

 

Min Disk Size Allowed to Use Peer Caching (in GB)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 32
  • 1703

Configures the required minimum disk size in GB for the device to use Peer Caching. 

Recommended values are 64 to 256 GB. The default value is 32 GB.

Min Peer Caching Content File Size (in MB)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 100
  • 1703

Specifies the minimum content file size in MB to use Peer Caching. 

Default value is 100 (MB)

Min RAM Capacity Required to Enable Use of Peer Caching (in GB)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 4
  • 1703

Specifies the minimum RAM  size in GB to use Peer Caching. 

Default value is 4 (GB)

Monthly Upload Data Cap (in GB)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 20
  • 1607

Specifies the maximum total data in GB that Delivery Optimization is allowed to upload to internet peers per calendar month.

The default value is 20. A value of 0 means unlimited.

Max Background Download Bandwidth (percentage)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 0
  • 1803

Configures the maximum background download bandwidth percentage that Delivery Optimization can use across all concurrent download activities. 

A value of 0 means an automatic and dynamic adjustment.

Max Foreground Download Bandwidth (percentage)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 0
  • 1803

Configures the maximum foreground download bandwidth percentage that Delivery Optimization can use across all concurrent download activities. 

Downloads from LAN peers are not restricted by this setting.

A value of 0 means an automatic and dynamic adjustment.

Select a Method to Restrict Peer Selection
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • None (Default)
  • Subnet Mask
  • 1803
Configure this policy to restrict peer selections via Subnet Mask. Subnet mask applies to both Download Modes via LAN and Group.
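As an added example (not part of the Silverback documentation), the following PowerShell reads the Delivery Optimization policy values a device actually received under the registry path that MDM and Group Policy both write to, maps the numeric codes back to the drop-down options above, and warns about the choices that widen exposure (Internet peering, peering over VPN, no upload cap). The value names and codes are Microsoft's documented ones and Get-DeliveryOptimizationStatus is the built-in cmdlet; nothing here changes the configuration. Run it in an elevated PowerShell session on the device.

```powershell
# Added example, not part of the Silverback product or documentation.
# Reads back the Delivery Optimization policies applied to this device and
# explains them in the terms of the profile options above.

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue   # $null if no DO policy was ever applied

# Documented codes behind the drop-downs.
$downloadModes = @{ 0 = 'HTTP only'; 1 = 'HTTP blended with peering behind the same NAT (LAN)';
                    2 = 'HTTP blended with peering across a private group'; 3 = 'HTTP blended with Internet peering';
                    99 = 'Simple download mode with no peering'; 100 = 'Bypass mode' }
$groupSources  = @{ 0 = 'None'; 1 = 'AD Site'; 2 = 'Authenticated domain SID'; 3 = 'DHCP user option'; 4 = 'DNS suffix' }
$peerRestrict  = @{ 0 = 'None'; 1 = 'Subnet mask' }

function Show($label, $value, $map) {
    if ($null -eq $value) { "{0,-38}: not configured (device uses the cloud-service default)" -f $label }
    elseif ($map)         { "{0,-38}: {1} ({2})" -f $label, $value, $map[[int]$value] }
    else                  { "{0,-38}: {1}" -f $label, $value }
}
Show 'Download Mode'                      $p.DODownloadMode                   $downloadModes
Show 'Source of Group IDs'                $p.DOGroupIdSource                  $groupSources
Show 'Restrict Peer Selection'            $p.DORestrictPeerSelectionBy        $peerRestrict
Show 'Peer caching over VPN'              $p.DOAllowVPNPeerCaching
Show 'Monthly upload cap (GB)'            $p.DOMonthlyUploadDataCap
Show 'Max cache age (s)'                  $p.DOMaxCacheAge
Show 'Delay background HTTP fallback (s)' $p.DODelayBackgroundDownloadFromHttp
Show 'Delay foreground HTTP fallback (s)' $p.DODelayForegroundDownloadFromHttp

# The settings that widen the device's exposure: Internet peering exchanges content
# blocks with unknown peers outside the organisation, peer caching over VPN pulls
# peer traffic through the tunnel, and an upload cap of 0 means unlimited uploads.
if ($p.DODownloadMode -eq 3)        { Write-Warning 'Internet peering is enabled; restrict to LAN (1) or Group (2) unless intended.' }
if ($p.DOAllowVPNPeerCaching -eq 1) { Write-Warning 'Peer caching is allowed while on VPN; peer traffic will traverse the tunnel.' }
if ($p.DODownloadMode -in 1,2,3 -and $p.DOMonthlyUploadDataCap -eq 0) { Write-Warning 'Peering is on and the monthly upload cap is 0 (unlimited).' }

# What the client is doing right now: per-file download mode and peer/HTTP byte split.
Get-DeliveryOptimizationStatus -ErrorAction SilentlyContinue |
    Select-Object FileId, DownloadMode, BytesFromPeers, BytesFromHttp, Status, SourceURL |
    Format-Table -AutoSize
```

A value that prints as "not configured" is not necessarily off: Delivery Optimization then takes the default from Microsoft's cloud service (download mode 1 on most SKUs), which is why the live status at the end is worth comparing with the policy values.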
Desktop
Prevent User Redirection of Profile Folders
  • Windows 10 Pro
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  By default, users can change the location of their individual profile folders (Pictures, Documents, etc.) by editing the path on the Location tab of the folder's Properties dialog. This setting prevents users from redirecting profile folders.
Device Guard    
Configure the Launch of System Guard
  • Windows 10 Enterprise
  • Windows 10 Education
  • Unmanaged (Default) 
  • Enables Secure Launch 
  • Disables Secure Launch
  • 1809

Configures the launch of System Guard Secure Launch. For more information about System Guard, please refer to 

Enabling Secure Launch requires supported hardware.

Turn On Virtualization Based Security
  • Windows 10 Enterprise
  • Windows 10 Education
  • Disable (Default) 
  • Enable 
  • 1709
If enabled, virtualization-based security (VBS) is turned on at the next reboot of the device. VBS uses the Windows Hypervisor to isolate security services such as Credential Guard from the rest of the operating system.
Turn On Credential Guard With Virtualization-Based Security
  • Windows 10 Enterprise
  • Windows 10 Education
  • Disabled (Default) 
  • Enabled with lock
  • Enabled without lock
  • 1709

Configures the use of Credential Guard and whether the setting can be changed afterwards. Credential Guard uses virtualization-based security to isolate credentials from the operating system; changes take effect after the next reboot.

  • Disabled - Turns off Credential Guard remotely if it was previously configured without UEFI lock.
  • Enabled with lock - Turns on Credential Guard with UEFI lock. Once locked it cannot be turned off remotely, not even by this policy; removing the lock requires a physically present administrator to confirm the change at boot.
  • Enabled without lock - Turns on Credential Guard without UEFI lock, so it can later be turned off remotely.
Configure Platform Security Features
  • Windows 10 Enterprise
  • Windows 10 Education
  • Turn on VBS with Secure Boot (Default)
  • Turn on VBS with Secure Boot and DMA 
  • 1709

Specifies the platform security level that VBS requires, beginning with the next reboot.

DMA protection requires hardware support (an IOMMU); if it is required here but the platform does not provide it, VBS does not start.
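The three settings above only take effect after a reboot and silently stay off when the hardware prerequisites are missing, so verify them on the device. The following PowerShell is an added example (not part of the Silverback documentation or product): it reads the Win32_DeviceGuard WMI class and the registry values these policies write, and reports the findings that matter. The value meanings are Microsoft's documented ones. Run it in an elevated session on a Windows 10 Enterprise/Education device.

```powershell
# Added example, not part of the Silverback product or documentation.
# Verifies that VBS, Credential Guard and Secure Launch are actually running and
# whether Credential Guard is protected by a UEFI lock. Read-only.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Documented value meanings for Win32_DeviceGuard.
$vbsStatus  = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
$services   = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)'; 3 = 'System Guard Secure Launch'; 4 = 'SMM firmware measurement' }
$properties = @{ 1 = 'Base virtualization'; 2 = 'Secure Boot'; 3 = 'DMA protection'; 4 = 'Secure memory overwrite';
                 5 = 'UEFI code read-only'; 6 = 'SMM security mitigations'; 7 = 'Mode-based execution control'; 8 = 'APIC virtualization' }

"VBS status           : $($vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus])"
"Services configured  : $(($dg.SecurityServicesConfigured  | ForEach-Object { $services[[int]$_] })   -join ', ')"
"Services running     : $(($dg.SecurityServicesRunning     | ForEach-Object { $services[[int]$_] })   -join ', ')"
"Required properties  : $(($dg.RequiredSecurityProperties  | ForEach-Object { $properties[[int]$_] }) -join ', ')"
"Available properties : $(($dg.AvailableSecurityProperties | ForEach-Object { $properties[[int]$_] }) -join ', ')"

# Registry values behind the three policies.
# LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock.
# RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot and DMA protection.
$dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$vbsOn  = (Get-ItemProperty -Path $dgKey  -Name EnableVirtualizationBasedSecurity -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity
$plat   = (Get-ItemProperty -Path $dgKey  -Name RequirePlatformSecurityFeatures   -ErrorAction SilentlyContinue).RequirePlatformSecurityFeatures
$lsaCfg = (Get-ItemProperty -Path $lsaKey -Name LsaCfgFlags                        -ErrorAction SilentlyContinue).LsaCfgFlags
"EnableVirtualizationBasedSecurity : $vbsOn"
"RequirePlatformSecurityFeatures   : $plat"
"LsaCfgFlags (Credential Guard)    : $lsaCfg"

# The checks that matter for the profile values described above.
$findings = @()
if ($dg.VirtualizationBasedSecurityStatus -ne 2) { $findings += 'VBS is not running (reboot pending, or a required platform property is missing).' }
if ($dg.SecurityServicesConfigured -contains 1 -and $dg.SecurityServicesRunning -notcontains 1) { $findings += 'Credential Guard is configured but not running; LSA secrets are not isolated.' }
if ($lsaCfg -eq 2) { $findings += 'Credential Guard has no UEFI lock: anyone who can write policy to the device can switch it off remotely.' }
if ($plat -eq 3 -and $dg.AvailableSecurityProperties -notcontains 3) { $findings += 'Policy requires DMA protection but the platform does not report it; VBS will not start.' }
if ($dg.SecurityServicesConfigured -contains 3 -and $dg.SecurityServicesRunning -notcontains 3) { $findings += 'Secure Launch is configured but not running (check for supported hardware and firmware).' }
if ($findings.Count -eq 0) { 'All configured Device Guard features are running.' } else { $findings }
```

The "required" list is the one to compare with "available": a property that is required by the policy (for example DMA protection) but absent from the available list is the usual reason a device reports VBS as "Enabled, not running".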

Device Health Monitoring    
Allow Device Health Monitoring
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1903
Defines whether the Device Health Monitoring connection is enabled or disabled. Device Health Monitoring is an opt-in health monitoring connection between the device and Microsoft. Enable this setting only if you are using a Microsoft device monitoring service that requires it.
Device Lock
Prevent Lock Screen Slide Show
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  Disables the lock screen slide show settings in the Settings App and prevents a slide show from playing on the lock screen. If disabled or not configured, users can enable and modify slide show settings. 
Display    
Configure Per-Process System DPI Settings
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1803
 
DMA Guard    
Enumeration Policy for External Devices Incompatible With Kernel DMA Protection
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Only after log in/screen unlock
  • Block All
  • Show All
  • 1809

This setting provides additional protection against external DMA-capable devices (for example Thunderbolt peripherals) on systems with Kernel DMA Protection.

  • Only after log in/screen unlock (Default) - Devices with DMA-remapping-compatible drivers are allowed to enumerate at any time. Devices with DMA-remapping-incompatible drivers are only enumerated after the user unlocks the screen.
  • Block All - Devices with DMA-remapping-compatible drivers are allowed to enumerate at any time. Devices with DMA-remapping-incompatible drivers are never allowed to start or perform DMA.
  • Show All - All external DMA-capable PCIe devices are enumerated at any time, including incompatible devices attached while the screen is locked.
Event Log Service
Allow Adding Events When Log File Reaches Maximum Size
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  This restriction controls the Event Log behavior when a log file reaches its maximum size. If not configured, the log overwrites the oldest events when it reaches the maximum size. If enabled, new events are not written to the log and are lost until the log is cleared. Be aware that the enabled state lets anyone who can generate enough events fill the log and thereby stop further auditing, so a larger log size combined with event forwarding is usually the safer choice.
Max Application Log File Size (KB)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 20480
  Defines the maximum log file size in KB for Application Logs. Supported values are from 1024 (1MB) to 2147483647 (2 TB). The default value is 20480 KB (20MB)
Max Security Log File Size (KB)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 20480
  Defines the maximum log file size in KB for Security Logs. Supported values are from 1024 (1MB) to 2147483647 (2 TB). The default value is 20480 KB (20MB)
Max System Log File Size (KB)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 20480
  Defines the maximum log file size in KB for System Logs. Supported values are from 1024 (1MB) to 2147483647 (2 TB). The default value is 20480 KB (20MB)
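As an added example (not part of the Silverback documentation), the following PowerShell checks the three logs against the sizes above and flags the retention mode that the first setting switches on, because a log that stops accepting events is an audit gap. Run it in an elevated session; the expected sizes are the defaults from the table and can be changed to match the profile.

```powershell
# Added example, not part of the Silverback product or documentation.
# Compares the configured log sizes and retention mode with the profile values.

$expectedKB = @{ Application = 20480; Security = 20480; System = 20480 }   # profile values from the table above

$report = foreach ($name in $expectedKB.Keys) {
    $log = Get-WinEvent -ListLog $name
    [pscustomobject]@{
        Log         = $name
        MaxSizeKB   = [int]($log.MaximumSizeInBytes / 1KB)
        ExpectedKB  = $expectedKB[$name]
        LogMode     = $log.LogMode      # Circular = overwrite oldest; Retain = stop writing when full
        RecordCount = $log.RecordCount
        SizeMatches = ([int]($log.MaximumSizeInBytes / 1KB) -eq $expectedKB[$name])
    }
}
$report | Format-Table -AutoSize

# 'Allow Adding Events When Log File Reaches Maximum Size' = Enabled puts the log in
# Retain mode: once full, every further event (security audits included) is lost
# until an administrator clears the log. Flag it rather than silently accept it.
$report | Where-Object { $_.LogMode -eq 'Retain' } | ForEach-Object {
    Write-Warning "$($_.Log) log is in Retain mode; new events are dropped once it reaches $($_.MaxSizeKB) KB."
}
$report | Where-Object { -not $_.SizeMatches } | ForEach-Object {
    Write-Warning "$($_.Log) log maximum size is $($_.MaxSizeKB) KB, expected $($_.ExpectedKB) KB."
}

# If Retain mode is in use, watch for Event ID 1104 ('The security log is now full'):
# it is the last thing the Security log records before auditing stops.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1104 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Event ID 1104 is only useful if it is forwarded off the device before the log fills; on a device that keeps logs locally only, a full Security log in Retain mode leaves no trace of what happened afterwards.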
Experience    
Allow Cortana
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not Allowed
  • Allowed
  Allows or disallows Cortana on the device. 
Allow Manual MDM Unenrollment
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not Allowed
  • Allowed
  Specifies whether the user is able to remove the workplace account from the device, or whether the profile can only be removed remotely through the Management Console.
Allow Sync My Settings
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not Allowed
  • Allowed
  Controls whether Windows sync settings on the device are allowed or not. Please review the following article "About sync settings on Windows 10 devices" to get an overview what settings are synchronized. 
File Explorer
Turn Off Data Execution Prevention for Explorer
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  If enabled, Data Execution Prevention (DEP) is turned off for Explorer, which can allow certain legacy plug-in applications to function without terminating Explorer. DEP is an exploit mitigation; leave this setting Disabled or Not configured unless a specific plug-in requires it.
Turn Off Heap Termination on Corruption
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  If enabled, heap termination on corruption is turned off for Explorer, which can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. Like DEP, this is an exploit mitigation, so the setting should normally remain Disabled or Not configured.
Games
Allow Advanced Gaming Services
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1709
Specifies if advanced gaming services can be used on the device. Advanced gaming services may send data to Microsoft or games publishers that use these services. 
Handwriting
Handwriting Panel Default Mode
  • Windows 10 Pro
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Floating
  • Docked
  • 1709

Defines the default mode for the handwriting panel. 

  • Floating - The panel flies in on top of the screen content.
  • Docked - The panel is fixed to the bottom of the screen.
Lock Down
Allow Edge Swipe
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • 1607
This setting controls if a user is able to invoke the system user interface by swiping in from any screen edge using touch. 
Maps
Allows Auto-Update Over Metered Connection
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1607
Controls whether the download and update of map data over metered connection is forced to disabled or forced to enabled.
Turn Off Automatic Download and Update of Map Data
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1607
Controls whether the automatic download and update of map data is forced off (disabled) or forced on (enabled).
Messaging
Allow Message Sync
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1607
Allows or disallows users to back up and restore text messages and to use Messaging Everywhere. Disabling this policy prevents message data from being stored on cloud servers outside the organization. If disabled, message sync is not allowed and the user cannot change it.
Notifications
Turn Off Notification Network Usage
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1803

This restriction blocks applications from using the network to send tile, badge, toast and raw notifications.

We strongly recommend not enabling this restriction, as it can interfere with the device's communication with the backend server.

Turn Off Notification Mirroring
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1607
If enabled, application and system notifications will not be mirrored to other user devices. 
Turn Off Tile Notification
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1803
If enabled, applications and system features will not be able to update their tiles and badges in the start screen. 
Security    
Allow Add Provisioning Package
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not Allowed
  • Allowed
  Configures if the runtime configuration agent is allowed to install provisioning packages.
Allow Remove Provisioning Package
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not Allowed
  • Allowed
  Specifies if the runtime configuration agent is allowed to remove provisioning packages.
Require Provisioning Package Signature
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • No Require Authentication
  Requires provisioning packages to be signed with a certificate from an authority trusted by the device. Without this requirement, an unsigned package that is applied to the device can reconfigure it (accounts, certificates, Wi-Fi, applications).
Configure The System To Clear The TPM If It Is Not In a Ready State
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Will not force recovery from TPM (default)
  • Will prompt to clear TPM
  • 1709

This setting either does not force recovery from a non-ready TPM state, or prompts to clear the TPM when the TPM is in a not-ready state that can be remediated by clearing it.

The prompt appears on the first administrator logon after a reboot while the TPM is in a non-ready state that a TPM Clear can remediate. The prompt describes what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it reappears on the next administrator logon after a restart. Administrator access is required. Clearing the TPM destroys all keys held in it, so make sure BitLocker recovery keys are escrowed before allowing the prompt.

Recovery Environment Authentication
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Default (Default)
  • Require Authentication
  • No Required Authentication
  • 1809
This setting controls whether administrator authentication is required in the Windows Recovery Environment (WinRE). Choosing No Required Authentication lets anyone with console access open the recovery tools, including the command prompt, without credentials. Please find here additional validation procedure information 
Settings    
Allow Auto Play
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  Allows or disallows the user to change AutoPlay settings. Disabling does not affect the AutoPlay dialog box that appears when a device is connected.
Allow Data Sense
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  Configure whether the user is allowed or not allowed to change Data Sense settings.
Allow Date Time
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  Allows or disallows the user to change date and time settings.
Allow Language
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  Configures whether the user is allowed or not allowed to change the language settings
Allow Online Tips
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1709
Allows or disallows retrieving online tips and help for the Settings app. If disabled, Settings App will stop contacting Microsoft content services. 
Allow Power Sleep
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  Configures whether the user is allowed to change power and sleep settings.
Allow Region
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  Allows or disallows the user to change region settings. 
Allow Sign In Options
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  Allows or disallows the user to change sign-in options.
Allow VPN
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  Configures whether the user is allowed to change VPN settings. 
Allow Workplace
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  Allows or disallows the user to change workplace settings. 
Allow Your Account
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  Allows or disallows the user to change settings in the Your Info area of the Settings app.
Show additional Calendar
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Allowed (Default)
  • Don't show additional calendars
  • Simplified Chinese (Lunar)
  • Traditional Chinese (Lunar)
  • 1703
Allows to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout
Speech
Allow Automatic Update of Speech Data
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1607
Specifies whether devices periodically check for updates to the speech recognition and synthesis models and download them from the Microsoft service using the Background Intelligent Transfer Service (BITS).
Task Manager
Allow Use Task Manager to End Tasks
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1809
Controls if non-administrators can utilize the Task Manager to end tasks. 
Troubleshooting
Troubleshooting Recommendations
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled, but apply critical troubleshooting
  • Notify when troubleshooting is available and allow the user to run it
  • Run automatically and notify the user
  • Run automatically without notifying the user
  • Allow the user to choose the setting
  • 1903
Allows to configure how to apply recommended troubleshooting for known problems on devices. 
WiFi    
Allow Auto Connect to WiFi Sense Hotspots
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  Configures whether the device is allowed or not to automatically connect to Wi-Fi hotspots
Allow Manual WiFi Configuration
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1607
Allows or disallows connecting to Wi-Fi networks outside of the managed Wi-Fi profiles. Disabling this setting deletes any previously installed user Wi-Fi profiles from the device.
Allow WiFi
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1607
Configures if WiFi connections are allowed or not. 
Allow WiFi Direct
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703
Specifies if WiFi Direct connections are allowed or prohibited. 
WLAN Scan Mode
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • From 0 to 500
 

Controls the WLAN scanning behavior, i.e. how aggressively the device actively scans for Wi-Fi networks.

  • 100 = normal scan frequency
  • 500 = low scan frequency
Windows PowerShell
Allow PowerShell Script Logging
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  Enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. PowerShell logs the processing of commands, script blocks, functions and scripts, whether invoked interactively or through automation. Logged script blocks are recorded as Event ID 4104, which is the primary source for detecting obfuscated or malicious PowerShell on the device.
Log Script Block Invocation Start/Stop Events
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or disabled
 

When Log Script Block Invocation Start/Stop Events is enabled, PowerShell additionally logs when the invocation of a command, script block, function or script starts or stops (Event IDs 4105 and 4106).

Enabling invocation logging generates a high volume of events and should only be used where that level of detail is needed.
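As an added example (not part of the Silverback documentation), the following PowerShell confirms that the two settings above are in force on a device and then shows what the logging yields: an event count by type for the last day, which makes the volume cost of invocation logging visible, and the script blocks that PowerShell itself tagged as suspicious. The registry path and event IDs are the ones Windows uses for these policies; run it in an elevated session.

```powershell
# Added example, not part of the Silverback product or documentation.
# Checks the script block logging policy and hunts the resulting events.

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$cfg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue   # $null when neither policy was applied
[pscustomobject]@{
    ScriptBlockLogging = [bool]$cfg.EnableScriptBlockLogging            # 'Allow PowerShell Script Logging'
    InvocationLogging  = [bool]$cfg.EnableScriptBlockInvocationLogging  # 'Log Script Block Invocation Start/Stop Events'
}

$logName = 'Microsoft-Windows-PowerShell/Operational'
# 4104 = script block text logged; 4105/4106 = invocation start/stop (only with invocation logging)
$ids = @{ 4104 = 'ScriptBlock'; 4105 = 'InvocationStart'; 4106 = 'InvocationStop' }

# Volume check: events of each type in the last 24 hours. This is what invocation
# logging costs in log space before the 4105/4106 pairs push older 4104 events out.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 4104, 4105, 4106; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object Id |
    Select-Object @{ n = 'Event'; e = { $ids[[int]$_.Name] } }, Count

# PowerShell writes 4104 at Warning level (3) when the block matches its built-in list
# of suspicious patterns (reflection, encoded commands, memory injection and the like),
# regardless of whether full script block logging is turned on. Long scripts are split
# into several 4104 events; Properties[2] holds the text fragment, Properties[4] the path.
Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 4104; Level = 3; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = ($_.Properties[2].Value -replace '\s+', ' ')
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $_.UserId
            Path    = $_.Properties[4].Value
            Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
        }
    } | Format-Table -Wrap
```

Because 4104 is written at Warning level for suspicious blocks even without the policy, an empty result for the first check but hits in the second usually means logging was never enabled and only the built-in heuristics fired; enable the first setting so the non-flagged script text is captured as well.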

Windows 10 Mobile Restrictions 

Setting Windows 10 Mobile
Allow App Store Enabled or Disabled
Allow Camera Enabled or Disabled
Allow WiFi Enabled or Disabled
Allow Bluetooth Enabled or Disabled
Allow Storage Card Enabled or Disabled
Force Storage Encryption Enabled or Disabled
Allow Browser Enabled or Disabled
Allow NFC Enabled or Disabled
Allow Internet Sharing Enabled or Disabled
Allow Auto Connect to WiFi Sense Hotspots Enabled or Disabled
Allow WiFi HotSpot Reporting Enabled or Disabled
Allow Manual WiFi Configuration Enabled or Disabled
Allow VPN Over Cellular Connection Enabled or Disabled
Allow VPN Roaming Over Cellular Connection Enabled or Disabled
Allow the Device to Send Telemetry Information Enabled or Disabled
Allow Microsoft Account for Non Email Related Services Enabled or Disabled
Allow User to Add Non-Microsoft Accounts manually Enabled or Disabled
Allow Manual Root and CA Certificate Installation Enabled or Disabled
Allow Developer Unlock Enabled or Disabled
Allow Location Service Enabled or Disabled
Allow USB Connection Enabled or Disabled
Allow Cellular Data Roaming Enabled or Disabled
Allow Search to Use Location Enabled or Disabled
Force Strict Safe Search Results Enabled or Disabled
Allow Storing Images From Vision Search Enabled or Disabled
Allow Save As Of Office Files Enabled or Disabled
Allow Action Center Notifications Enabled or Disabled
Allow Sync My Settings Enabled or Disabled
Allow User to Reset Phone Enabled or Disabled
Allow Manual MDM Unenrollment Enabled or Disabled
Allow Screen Capture Enabled or Disabled
Allow Cortana Enabled or Disabled
Allow Sharing Of Office Files Enabled or Disabled
Allow Copy Paste Enabled or Disabled
Allow Voice Recording Enabled or Disabled

Virtual Private Network

For convenience, the VPN section is divided into Windows 10 and Windows 10 Mobile.

Windows 10  

Setting Values
VPN Provider Windows (built-in)
Connection Name

e.g. Imagoverum VPN

Server name or address e.g. vpn.imagoverum.com
VPN Type
  • Automatic
  • Point to Point Tunneling Protocol (PPTP)
  • L2TP/IPsec with certificate
  • L2TP/IPsec with pre-shared key
  • Secure Socket Tunneling Protocol (SSTP)
  • IKEv2
Pre-Shared Key: e.g. Pa$$w0rd

PPTP is cryptographically broken (its MS-CHAPv2 authentication can be cracked offline) and should not be chosen for new deployments; prefer IKEv2 or SSTP. A pre-shared key configured here is distributed to every device that receives the Tag, so it cannot be treated as a per-device secret and should be rotated when a device is lost.

Windows 10 Mobile

General VPN settings for Windows 10 Mobile

Setting Values Description
VPN Settings Enabled or Disabled Enables and Disables VPN for the Tag
VPN Type
  • Juniper Junos Pulse
  • F5 Big-IP Edge Client
  • Checkpoint Mobile VPN
  • IKE v2
Determines which VPN client will be used.
Profile Name e.g. Imagoverum VPN Name of the VPN Profile visible to the user on the device
Server Address e.g. vpn.imagoverum.com Network Address of the VPN Service
Primary DNS Suffix e.g.  imagoverum.com Primary DNS Suffix for connection
Juniper Junos Pulse
Setting Values Description
Authentication EAP Limited to EAP
Use Custom EAP Thumbprint Enabled or Disabled Allows the definition of a custom EAP thumbprint
Enable Proxy Enabled or Disabled Enable or disable a proxy for the VPN
Bypass Proxy for local addresses Enabled or Disabled If enabled, the device will not use the proxy for addresses local to the device’s network
Proxy Server e.g. proxy.imagoverum.com Address of the proxy server
Proxy Port e.g. 8080 The port the proxy server is listening on
Network Allowed List e.g. 172.16.0.0/16 CIDR ranges of IP Addresses that will be protected by the VPN connection.
Namespace Allowed List  e.g. *imagoverum.com The list of domain zones protected by the VPN connection.
Dns Suffix Search List e.g. imagoverum.com The list of DNS suffixes to try for non-qualified server name resolution. Wildcards (*) are not accepted.
F5 Big-IP Edge Client
Setting Values Description
Prompt for credentials Enabled or Disabled Enables the prompt for credentials
Authentication EAP Limited to EAP
Use Custom EAP Thumbprint Enabled or Disabled Allows the definition of a custom EAP thumbprint
Enable Proxy Enabled or Disabled Enable or disable a proxy for the VPN
Bypass Proxy for local addresses Enabled or Disabled If enabled, the device will not use the proxy for addresses local to the device’s network
Proxy Server e.g. proxy.imagoverum.com Address of the proxy server
Application Select Select applications from the drop down list
Proxy Port e.g. 8080 The port the proxy server is listening on
Network Allowed List e.g. 172.16.0.0/16 CIDR ranges of IP Addresses that will be protected by the VPN connection.
Namespace Allowed List  e.g. *imagoverum.com The list of domain zones protected by the VPN connection.
Checkpoint Mobile VPN
Setting Values Description
Authentication EAP Limited to EAP
Use Custom EAP Thumbprint Enabled or Disabled Allows the definition of a custom EAP thumbprint
Enable Proxy Enabled or Disabled Enable or disable a proxy for the VPN
Bypass Proxy for local addresses Enabled or Disabled If enabled, the device will not use the proxy for addresses local to the device’s network
Proxy Server e.g. proxy.imagoverum.com Address of the proxy server
Proxy Port e.g. 8080 The port the proxy server is listening on
Network Allowed List e.g. 172.16.0.0/16 CIDR ranges of IP Addresses that will be protected by the VPN connection.
Namespace Allowed List  e.g. *imagoverum.com The list of domain zones protected by the VPN connection.
Dns Suffix Search List e.g. imagoverum.com The list of DNS suffixes to try for non-qualified server name resolution. Wildcards (*) are not accepted.
IKE v2
Setting Values Description
Enable Proxy Enabled or Disabled Enable or disable a proxy for the VPN
Bypass Proxy for local addresses Enabled or Disabled If enabled, the device will not use the proxy for addresses local to the device’s network
Proxy Server e.g. proxy.imagoverum.com Address of the proxy server
Proxy Port e.g. 8080 The port the proxy server is listening on
Network Allowed List e.g. 172.16.0.0/16 CIDR ranges of IP Addresses that will be protected by the VPN connection.
Namespace Allowed List  e.g. *imagoverum.com The list of domain zones protected by the VPN connection.
Dns Suffix Search List e.g. imagoverum.com The list of DNS suffixes to try for non-qualified server name resolution. Wildcards (*) are not accepted.

Private APN

If you have a Private Access Point Name (APN) for your SIM Cards, then Silverback has the ability to configure this for you on the managed devices.

Setting Windows 10 Windows 10 Mobile Description
Private APN Settings not available Enabled or Disabled Enables the Private APN Feature on Selected Devices.
Name not available e.g. VFD2 Web The name of the carrier access point
Username not available e.g. User The username to connect to the access point
Password not available e.g. Pa$$w0rd The password to connect to the access point
Server not available e.g. web.vodafone.com The fully qualified address of the proxy server
Type not available IPv4v6, IPv4v6xlat, IPv6 or IPv4 APN type
Auth Type not available None, PAP, CHAP, MSCHAPv2 or Auto APN authentication type. PAP sends the APN password to the carrier in clear text; prefer CHAP or MSCHAPv2 where the carrier supports them.

Wi-Fi 

Silverback can pre-populate multiple Wi-Fi networks on your devices, so users do not need to know the password for these networks themselves.

  • Click New WiFi profile
Setting Windows 10 Windows 10 Mobile Description
Wi-Fi Settings Enabled or Disabled Enabled or Disabled Enables the sending of Wi-Fi settings
SSID e.g. Corporate Wi-Fi e.g. Corporate Wi-Fi Service Set Identifier of the wireless network
Security Type None, WEP, WPA 2 or WPA 2 Enterprise WPA 2 or WPA 2 Enterprise Defines the wireless network security. None and WEP give no meaningful protection against eavesdropping; use WPA 2 Enterprise for corporate networks so that each user authenticates with their own credentials or certificate.
Encryption Type AES or TKIP AES or TKIP Defines the wireless network encryption. TKIP is deprecated; use AES unless a legacy access point leaves no choice.
Hidden Network Enabled or Disabled Enabled or Disabled Enable if the target network does not broadcast its SSID. Devices configured for a hidden network actively probe for it, which reveals the SSID wherever the device is, so hiding the SSID is not a security control.
Automatically Join Enabled or Disabled Enabled or Disabled The device joins the Wi-Fi network automatically when it is in range
Password e.g. Pa$$w0rd e.g. Pa$$w0rd Pre-shared key for authenticating to the wireless network. A key distributed in a profile can be read back by an administrator of any device that received it, so treat it as shared rather than secret and rotate it when devices leave management.
Specify Trust (WPA 2 Enterprise only)
Use issuing CA Thumbprint Enabled or Disabled Enabled or Disabled Validates the authentication server's certificate against the CA identified by the configured thumbprint, so the device only authenticates to a server whose certificate chains to that CA. Without a trust restriction the device may submit its credentials to a rogue access point that presents any certificate.
Specify intermediate Trust Upload Root Certificate, Upload Intermediate Certificates or Remove Intermediate Certificates Upload Root Certificate, Upload Intermediate Certificates or Remove Intermediate Certificates Manages the CA chain the authentication server's certificate must chain to
 
Proxy (Windows 10 Mobile only)
Proxy PAC URL not available e.g. http://proxy.imagoverum.de/proxy.pac Defines the URL where the PAC file is located. A PAC file fetched over plain HTTP can be replaced by anyone on the network path, which redirects the device's web traffic through a proxy of their choice; host it over HTTPS wherever possible.
Enable Proxy not available Enabled or Disabled Defines whether the proxy is used
Server not available e.g. 192.168.0.254 Defines the proxy server
Port not available e.g. 8080 Defines the proxy port

Wallpaper

Wallpapers for the lock screen and home screen are available for Windows 10 Enterprise devices. After the settings are applied, the device needs a reboot before the wallpaper takes effect. Supported file types are *.jpg, *.jpeg and *.png. The device downloads the image from the configured URL itself, so the URL must be reachable from the device.

Setting Windows 10 Windows 10 Mobile Description
Lock Screen URL enabled Enabled or Disabled not available Enables the wallpaper for Lock Screen
Lock Screen URL e.g. https://imagoverum.com/Lockscreen.png not available Defines the URL where the wallpaper file is located
Home Screen URL enabled Enabled or Disabled not available Enables the wallpaper for Home Screen
Home Screen URL e.g. https://imagoverum.com/Wallpaper.png not available Defines the URL where the wallpaper file is located

BitLocker

BitLocker Drive Encryption is a built-in Windows 10 feature for data protection that addresses the threat of data theft from lost or stolen devices. BitLocker provides its best protection when used in combination with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component included in most newer computers; together with BitLocker it protects user data and helps ensure that the computer has not been tampered with while the system was offline, because the TPM only releases the volume key if the measured boot components are unchanged. In a nutshell, BitLocker encrypts the Windows operating system drive (and optionally fixed and removable data drives). Available for Windows 10 Pro (from version 1809), Enterprise and Education (from version 1703).

Setting Windows 10  Windows 10 Mobile Description
BitLocker Settings Enabled or Disabled not available Enables the BitLocker Settings.
BitLocker base settings  

Enabled or Disabled not available Allows to require encryption to be turned on by using BitLocker.

Enabled or Disabled not available Allows to disable the warning prompt for other disk encryption on the user machines. Starting in Windows 10, version 1803, the setting can only be disabled for Azure Active Directory joined devices. 

When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.

The endpoint for a fixed data drive's backup is chosen in the following order:

  1. The user's Windows Server Active Directory Domain Services account.
  2. The user's Azure Active Directory account.
  3. The user's personal OneDrive (MDM/MAM only).

Encryption will wait until one of these three locations backs up successfully.

Enabled or Disabled not available Allows users without Administrative rights to enable BitLocker encryption on the device. This setting applies to Azure Active Directory Joined devices. 

  • Not configured
  • On
  • Off
not available Allows to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. If you disable or do not configure this policy setting, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script. The three settings below select the method for each drive type, in that order.

  • AES-CBC 128
  • AES-CBC 256
  • XTS-AES 128 (recommended)
  • XTS-AES 256 (recommended)
not available Operating system drives: the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress.

  • AES-CBC 128
  • AES-CBC 256
  • XTS-AES 128 (recommended)
  • XTS-AES 256 (recommended)
not available Fixed data drives: the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress.

  • AES-CBC 128 (recommended)
  • AES-CBC 256 (recommended)
  • XTS-AES 128
  • XTS-AES 256
not available Removable data drives: the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. AES-CBC is recommended here because drives encrypted with XTS-AES cannot be unlocked on Windows 8.1 and earlier; choose XTS-AES only if the drives will never be used on older systems.
BitLocker OS drive settings  

  • Not configured
  • On
  • Off
not available This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker.

Enabled or Disabled not available Controls whether BitLocker may be used on computers without a compatible Trusted Platform Module. Without a TPM the drive has to be unlocked with a password or a startup key on a USB flash drive, and the boot components are not measured, so prefer TPM-equipped hardware where possible.

  • Allow
  • Do not allow
  • Required
not available Configure if TPM is allowed, required or not allowed for startup

  • Allow
  • Do not allow
  • Required
not available Configure if a TPM startup key is allowed, required or not allowed for startup

  • Allow
  • Do not allow
  • Required
not available Configure if a TPM startup PIN is allowed, required or not allowed for startup. With TPM-only protection the volume key is released automatically at boot without any user secret; requiring a PIN (TPM + PIN) means a stolen, powered-off device cannot simply be booted to attack the unlocked system.

  • Allow
  • Do not allow
  • Required
not available Configure if a TPM Startup key and PIN is allowed, required or not allowed for startup.

  • Not configured
  • On
  • Off
not available This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker.

e.g. 20 not available The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.

  • Not configured
  • On
  • Off
not available This setting allows to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when turning on BitLocker.

Enabled or Disabled not available Specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

  • Allow 48-digit recovery password
  • Do not allow 48-digit recovery password
  • Require 48-digit recovery password
not available Set whether users are allowed, required, or not allowed to generate a 48-digit recovery password

  • Allow 256-bit recovery key
  • Do not allow 256-bit recovery key
  • Require 256-bit recovery key
not available Set whether users are allowed, required, or not allowed to generate a 256-bit recovery key.

Enabled or Disabled not available Prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that a user will not be able to specify which recovery option to use when turning on BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy.

Enabled or Disabled not available Enable BitLocker recovery information to be stored in AD DS

  • Backup recovery password and key package
  • Backup recovery password only
not available Choose which BitLocker recovery information to store in AD DS for operating system drives. If Backup recovery password and key package is selected, both the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If Backup recovery password only is selected, only the recovery password is stored in AD DS.

Enabled or Disabled not available Prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. In this case a recovery password is automatically generated.

  • Not configured
  • On
  • Off
not available This setting allows to configure the entire recovery message or replace the existing URL that is displayed on the pre-boot key recovery screen when the OS drive is locked.

  • Use empty recovery key message and URL
  • Use default recovery key message and URL
  • Use custom recovery message
  • Use custom recovery URL
not available Use default recovery message and URL: the default BitLocker recovery message and URL are displayed on the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default, keep the policy enabled and set the value to Use default recovery message and URL.

Use custom recovery message: the message you set is displayed on the pre-boot key recovery screen. If a recovery URL is available, include it in the message.

Use custom recovery URL: the URL you type in replaces the default URL in the default recovery message, which is displayed on the pre-boot key recovery screen.

BitLocker fixed data-drive settings 

  • Not configured
  • On
  • Off
not available This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. If this setting is enabled, all fixed data drives that are not BitLocker-protected are mounted read-only. If the drive is protected by BitLocker, it is mounted with read and write access.

  • Not configured
  • On
  • Off
not available This setting allows to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when turning on BitLocker.

Enabled or Disabled not available Specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

  • Allow 48-digit recovery password
  • Do not allow 48-digit recovery password
  • Require 48-digit recovery password
not available Set whether users are allowed, required, or not allowed to generate a 48-digit recovery password

  • Allow 256-bit recovery key
  • Do not allow 256-bit recovery key
  • Require 256-bit recovery key
not available Set whether users are allowed, required, or not allowed to generate a 256-bit recovery key.

Enabled or Disabled not available Prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that a user will not be able to specify which recovery option to use when turning on BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy.

  • Backup recovery password and key package
  • Backup recovery password only
not available Choose which BitLocker recovery information to store in AD DS for fixed data drives. If Backup recovery password and key package is selected, both the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If Backup recovery password only is selected, only the recovery password is stored in AD DS.

Enabled or Disabled not available Prevent users from enabling BitLocker unless the computer successfully backs up the BitLocker recovery information to Azure Active Directory. Selecting Enabled ensures the recovery keys are stored in Azure Active Directory before encryption starts. With Disabled, a device may become encrypted without any recovery information stored in Azure Active Directory, which turns a lost PIN or a TPM reset into permanent data loss.
BitLocker removable data-drive settings  

  • Not configured
  • On
  • Off
not available Determine whether BitLocker protection is required for removable data-drives to be writable on a computer

Enabled or Disabled not available Determine if removable data-drives configured by an external organization can be written to
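The settings above only describe what the tag sends; whether the device ended up in the intended state is a separate question. The following PowerShell script is an added example and is not part of the Silverback documentation or product: run in an elevated session on a Windows 10 device, it checks that the TPM is ready, that the operating system drive is fully encrypted with one of the XTS-AES ciphers, that protection is not suspended, that a user secret (PIN or startup key) is required at boot rather than TPM-only unlock, and that a recovery password protector exists; with the -BackupToAAD switch it escrows that recovery password to Azure AD, which is what the "back up to Azure Active Directory" requirement above enforces. It assumes the BitLocker and TrustedPlatformModule modules that ship with Windows 10 Pro, Enterprise and Education; the function name and the allowed-cipher list are choices made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not Silverback code: verify the BitLocker posture of the OS drive and
# optionally escrow the recovery password to Azure AD. Assumes the built-in BitLocker and
# TrustedPlatformModule PowerShell modules.

function Test-BitLockerPosture {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        # Ciphers the encryption-method setting is expected to produce for the OS drive (assumption)
        [string[]]$AllowedMethods = @('XtsAes128', 'XtsAes256'),
        # Escrow every recovery password protector to Azure AD (needs an Azure AD joined device)
        [switch]$BackupToAAD
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $escrowed = 0

    # 1. TPM: without a ready TPM the drive can only use password or startup-key protectors.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent)   { $findings.Add('No TPM present; TPM-based protectors cannot be used') }
    elseif (-not $tpm.TpmReady) { $findings.Add('TPM present but not ready for use') }

    # 2. Volume state and cipher. ProtectionStatus Off on an encrypted volume means the
    #    volume key is stored in clear (protection suspended, e.g. for a firmware update).
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("Volume status is $($vol.VolumeStatus), expected FullyEncrypted")
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add('Protection is off or suspended: the volume key is not protected')
    }
    if ($AllowedMethods -notcontains [string]$vol.EncryptionMethod) {
        $findings.Add("Encryption method $($vol.EncryptionMethod) not in allowed set: $($AllowedMethods -join ', ')")
    }

    # 3. Protectors are alternatives: a plain 'Tpm' protector unlocks the drive at boot with
    #    no user secret even if a TpmPin protector also exists.
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    if ($types -contains 'Tpm') {
        $findings.Add('TPM-only protector present: the drive unlocks at boot without a user secret')
    }
    if (-not ($types | Where-Object { $_ -in 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })) {
        $findings.Add('No TPM-based protector: boot integrity is not measured')
    }
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        $findings.Add('No recovery password protector: a lost PIN or TPM reset means permanent data loss')
    }
    elseif ($BackupToAAD) {
        foreach ($rp in $recovery) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
            $escrowed++
        }
    }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        TpmReady         = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        VolumeStatus     = [string]$vol.VolumeStatus
        EncryptionMethod = [string]$vol.EncryptionMethod
        Protectors       = $types
        EscrowedToAAD    = $escrowed
        Compliant        = ($findings.Count -eq 0)
        Findings         = $findings.ToArray()
    }
}

# Report only; add -BackupToAAD on an Azure AD joined device to escrow the recovery password.
Test-BitLockerPosture | Format-List
```

The protector check deliberately treats a plain TPM protector as a finding even when a TPM+PIN protector exists, because BitLocker accepts any configured protector and the weakest one defines the real unlock requirement. Run the script before and after a tag change to see which of the settings above actually changed the device.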

Windows Hello

Windows Hello is the biometric framework built into Windows 10 that uses facial recognition, fingerprint identification or iris scanning as sign-in methods. It is closely related to Microsoft Passport (since renamed Windows Hello for Business), which provides the underlying key-based authentication: the biometric gesture or PIN unlocks a credential bound to the device, so no reusable secret travels to the authentication server.

Setting Windows 10 Windows 10 Mobile Description
Windows Hello Settings Enabled or Disabled not available Activates Windows Hello Settings
Require Security Device Enabled or Disabled not available Defines whether a Trusted Platform Module (TPM) is required to protect the Windows Hello key. If set to Disabled, the preferred mode is used: devices attempt to use a TPM, but if none is available the key is provisioned in software, where it is not hardware-bound
Minimum PIN Length 4-127 not available Defines the Minimum PIN length 
Maximum PIN Length 8-127 not available Defines the Maximum PIN length
Upper Case Letters Allow, Require or Not allow  not available Define if Upper Case Letters are allowed, mandatory or prohibited
Lower Case Letters Allow, Require or Not allow  not available Define if Lower Case Letters are allowed, mandatory or prohibited
Special Characters Allow, Require or Not allow  not available Define if Special Characters are allowed, mandatory or prohibited
Digits Allow, Require or Not allow  not available Define if Digits are allowed, mandatory or prohibited
History 0-50 not available Defines how many previous PINs cannot be reused. The default value is 0, which means no history is enforced
Expiration 0-730 not available Defines after how many days users are forced to change the PIN. If set to 0, the PIN never expires
Use Remote Passport Enabled or Disabled not available Allows a portable, registered device to be used as a companion device for desktop authentication
Use Biometrics Enabled or Disabled not available Enable or disable the use of biometric gestures, such as facial recognition, fingerprint identification, or iris scan

Certificate Trusts

For Windows 10 and Windows 10 Mobile devices, arbitrary certificate trusts can be defined. These certificates are deployed to the root or intermediate trust stores on the devices. Only the public certificate is needed for a trust: any CA placed in the root store can issue certificates the device will accept for any server name, so upload only CAs your organization controls or requires, and never a file that contains the CA's private key.

Setting Windows 10 Windows 10 Mobile Description
Certificate Settings   Enabled or Disabled Enabled or Disabled Enables Certificate Settings in this Tag
Add Root Certificate Choose File Choose File Select and Upload Root Certificate
Certificate Password e.g. Pa$$w0rd e.g. Pa$$w0rd Defines Password for Root Certificate
Root Certificates e.g. CN=Imagoverum Root, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE e.g. CN=Imagoverum Root, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE Displays uploaded certificates details
Add Intermediate Certificate Choose File Choose File Select and upload an intermediate certificate
Certificate Password e.g. Pa$$w0rd e.g. Pa$$w0rd Defines the password for the intermediate certificate
Intermediate Certificates e.g. CN=Imagoverum Intermediate, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE e.g. CN=Imagoverum Intermediate, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE Displays uploaded certificates details
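A trust pushed through this tag lands on every device in scope, so it is worth inspecting the file before uploading it. The following PowerShell function is an added example and not part of Silverback: it loads a certificate file, checks that it carries no private key, that it is actually a CA certificate (basicConstraints CA=true), whether it is a root (self-issued) or an intermediate and therefore which store it belongs in, its validity window, the signature algorithm and RSA key size, and whether the local machine already trusts the same thumbprint. The file path in the usage line is an assumption; the thumbprint it prints is the value the Wi-Fi profile's "Use issuing CA Thumbprint" setting refers to.

```powershell
# Added example, not Silverback code: sanity-check a CA certificate before deploying it as a
# trust. Uses only the .NET X509 classes and the Cert: drive that ship with Windows PowerShell.

function Test-TrustCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MinRsaBits = 2048
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)

    $findings = New-Object System.Collections.Generic.List[string]

    # A trust entry needs only the public certificate; a PFX with the CA's private key must
    # never be distributed to endpoints.
    if ($cert.HasPrivateKey) {
        $findings.Add('File contains a private key; export and upload the public certificate (.cer) instead')
    }

    # Only a CA certificate belongs in the Root or CA store.
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        $findings.Add('Not a CA certificate (basicConstraints CA=false or missing)')
    }

    # Self-issued certificates go to LocalMachine\Root, everything else to LocalMachine\CA.
    $isRoot = ($cert.Subject -eq $cert.Issuer)
    $store  = if ($isRoot) { 'Root' } else { 'CA' }

    $now = Get-Date
    if ($cert.NotAfter -lt $now)             { $findings.Add("Expired on $($cert.NotAfter)") }
    if ($cert.NotBefore -gt $now)            { $findings.Add("Not valid before $($cert.NotBefore)") }
    if ($cert.NotAfter -lt $now.AddDays(90)) { $findings.Add('Expires within 90 days; plan the replacement trust now') }

    # A root's self-signature is never verified, but an intermediate signed with MD5/SHA-1 is a weak link.
    if (-not $isRoot -and $cert.SignatureAlgorithm.FriendlyName -match 'md5|sha1') {
        $findings.Add("Weak signature algorithm $($cert.SignatureAlgorithm.FriendlyName)")
    }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($rsa -and $rsa.KeySize -lt $MinRsaBits) { $findings.Add("RSA key is only $($rsa.KeySize) bits") }

    # Already trusted on this machine? (same thumbprint in the target store)
    $already = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

    [pscustomobject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        Thumbprint     = $cert.Thumbprint
        TargetStore    = "LocalMachine\$store"
        IsRoot         = $isRoot
        AlreadyTrusted = [bool]$already
        NotAfter       = $cert.NotAfter
        Findings       = $findings.ToArray()
        SafeToUpload   = ($findings.Count -eq 0)
    }
}

# Usage; the path is an assumption for this example.
Test-TrustCertificate -Path 'C:\pki\Imagoverum-Root.cer' | Format-List
```

Loading a password-protected PFX this way throws, which is the desired outcome here: a trust upload should start from a .cer export, not from the CA's key container.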

Certificate

In this section you can distribute certificates to Windows 10 and Windows 10 Mobile devices. Depending on your configured Certificate Deployment Method you will see different views and settings. 

Enterprise Certificate

Setting Windows 10 Windows 10 Mobile Description
Certificate Settings   Enabled or Disabled Enabled or Disabled Enables Certificate Settings in this Tag
New Certificate Choose File Choose File Use the button to upload your enterprise certificate. One certificate shared by all devices cannot identify an individual device or user, and once its private key is extracted from any single device it is compromised for all of them; use the Individual Client method where per-device identity matters.
Certificate Password e.g. Pa$$w0rd e.g. Pa$$w0rd Enter here the certificate password

Individual Client

Setting Windows 10 Windows 10 Mobile Description
Certificate Settings   Enabled or Disabled Enabled or Disabled Enables Certificate Settings in this Tag
Template Name e.g. Silverback User e.g. Silverback User Defines the template created on the Certification Authority. Please refer to: Certification Authority Integration Guide for Certificate Based Authentication
Use Custom Subject Name Variable e.g. u_{firstname}.{lastname} e.g. u_{firstname}.{lastname} Defines a custom subject name (Issued to) for requested certificates. Please refer to: Certification Authority Integration Guide for Certificate Based Authentication
Use Custom UPN SAN Variable e.g. {UserName} e.g. {UserName} Defines a custom UPN SAN variable (Principal Name) for requested certificates. Please refer to: Certification Authority Integration Guide for Certificate Based Authentication
Use Custom RFC 822 SAN Variable e.g. {SerialNumber} e.g. {SerialNumber} Defines a custom RFC 822 Subject Alternative Name (e-mail address). Please refer to: Certification Authority Integration Guide for Certificate Based Authentication

Windows Update

With the Windows Update configuration you control how and when updates are installed on Windows 10 devices and which servicing channel is used.

Setting Windows 10 Windows 10 Mobile Description
Windows Update Policy Settings Enabled or Disabled not available Enables the Windows Update Settings.

 

  • Notify the user before downloading the update
  • Auto install the update and then notify the user to schedule a device restart
  • Auto install and restart (default)
  • Auto install and restart at a specified time
  • Auto install and restart without end-user control
  • Turn off automatic updates
not available Defines how updates are downloaded and installed and how the restart is handled:

Notify the user before downloading the update. This option is used by enterprises that want to let end users manage data usage. Users are notified when there are updates that apply to the device and are ready for download, and can download and install them from the Windows Update control panel.

Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs them immediately. If the installation requires a restart, the end user is prompted to schedule the restart time and has up to seven days to do so; after that a restart is forced. Letting the end user control the restart time reduces the risk of accidental data loss caused by applications that do not shut down properly on restart.

Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs them right away. If a restart is required, the device is restarted automatically when it is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but the risk of accidental data loss caused by an application that does not shut down properly on restart increases.

Auto install and restart at a specified time. Specify the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and the device restarts after a 15-minute countdown. If a user is logged in when Windows is ready to restart, the user can interrupt the countdown to delay the restart.

Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs them right away. If a restart is required, the device is restarted automatically when it is not actively being used. This option also sets the end-user control panel to read-only.

Turn off automatic updates. The device neither checks for nor installs updates on its own. Use this only where updates are delivered by another mechanism; otherwise the device stays unpatched indefinitely.

 

  • Windows Insider build - Fast
  • Windows Insider build - Slow
  • Release Windows Insider Build
  • Semi-annual Channel (default)
  • Semi-annual Channel (only applicable to releases prior to 1903)

 

not available Sets which servicing branch the device receives its updates from. Requires Windows 10 Version 1607.

 

e.g. 15 not available Defers quality updates for the specified number of days. Supported values are 0-30. Requires Windows 10 Version 1607. Quality updates carry the monthly security fixes, so keep this deferral short.

 

e.g. 90 not available Defers Feature Updates for the specified number of days. Supported Values are 0-365. Requires Windows 10 Version 1703.

 

2-60 days not available Enables to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days. Requires Windows 10 Version 1803.

 

  • Every day (default)
  • Sunday
  • Monday
  • Tuesday
  • Wednesday
  • Thursday
  • Friday
  • Saturday
not available Option to schedule the day of the update installation.

 

e.g. 08 AM not available

Allows, when used with Active Hours End to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. Requires Windows 10 Version 1607.

The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. Please refer to Active Hours Max Range 

 

e.g. 05 PM not available Allows, when used with Active Hours Start, to manage a range of active hours during which update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from the start time (18 hours from version 1703). Requires Windows 10 Version 1607.

 

e.g.  12 not available

Allows to specify the period for auto-restart warning reminder notifications. Supported values are 2, 4, 8, 12, or 24 (hours). The default value is 4 (hours). Requires Windows 10 Version 1703.

 

e.g. 60 not available

Allows  to specify the period for auto-restart imminent warning notifications. The default value is 15 (minutes). Supported values are 15, 30, or 60 (minutes). Requires Windows 10 Version 1703.

 

  • Use the default Windows Update notifications (default)
  • Turn off all notifications, excluding restart warnings
  • Turn off all notifications, including restart warnings
not available Display options for update notifications. This policy allows to define what Windows Update notifications users see. This policy doesn't control how and when updates are downloaded and installed.

 

e.g. 14 not available

Allows to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts then occur regardless of active hours and the user cannot reschedule.

Supported values are 2 - 30 (default 7), which indicates the number of days a device waits before performing an aggressive installation of a required feature update.

Requires Windows 10 Version 1903.

 

e.g. 5 not available

Allows to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.

Supported values are 2 - 30 (default 7), which indicates the number of days a device waits before performing an aggressive installation of a required quality update.

Requires Windows 10 Version 1903.

 

e.g. 1 not available

Allows, when used with Deadline for feature updates or Deadline for quality updates to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies.

Supports a numeric value from 0 - 7 (Default =2), which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once the deadline has been reached.

Requires Windows 10 Version 1903.

 

Enabled or Disabled not available

Option to download updates automatically over metered connections (off by default). 

A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates.

This policy is accessible through the Update setting in the user interface or Group Policy. 

Requires Windows 10 Version 1709.

 

Enabled or Disabled not available

Allows to exclude Windows Update (WU) drivers during updates. 

Requires Windows 10 Version 1607.

Enabled or Disabled not available

If enabled and when used with Deadline for feature or quality updates, devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart.

When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline. 

Requires Windows 10 Version 1903.

Target release version e.g. 1903 not available

Allows to specify which version devices should be migrated to and/or which version they should keep until they reach the end of service or the policy is reconfigured. 

Requires Windows 10 Version 1803

Update service url e.g. http://wsus.imagoverum.com:8530 not available Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. Prefer an HTTPS URL (WSUS uses port 8531 for SSL by default): over plain HTTP on port 8530, anyone on the network path can alter the update metadata the client receives.
Update service url alternate e.g. http://alternate.imagoverum.com:8530 not available

Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.

Requires Windows 10 Version 1607

Allow non-Microsoft signed updates Enabled or Disabled not available This policy is specific to desktop and local publishing via WSUS of third-party updates (binaries and updates not hosted on Microsoft Update). It controls whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. Leave it disabled unless you publish third-party updates yourself, and only combine it with an HTTPS update service URL: with a plain-HTTP WSUS address, an attacker on the path could substitute update content that is accepted as long as it carries a signature the device trusts.
Disable dual scan Enabled or Disabled not available Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like.
Allow MU update service Enabled or Disabled not available Allows to manage whether to scan for app updates from Microsoft Update.
Update Power Policy for Cart Restarts Enabled or Disabled not available

For devices in a cart, this policy skips all restart checks to ensure that the reboot happens at the scheduled install time. When you set this policy along with Active hours start, Active hours end and ShareCartPC, it defers all update processes (scan, download, install and reboot) to a time after active hours. After a buffer period following the active hours end, the device wakes up several times to complete the processes. All processes are blocked before active hours start.

Requires Windows 10 Version 1703
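The ranges and defaults listed above are easy to get wrong in combination (a deadline of 90 days, an active-hours window longer than the maximum, a deferral that silently delays security fixes). The following PowerShell script is an added example and is not part of Silverback: Test-UpdatePolicy takes the update settings as a hashtable keyed by the Policy CSP Update node names (AllowAutoUpdate, DeferQualityUpdatesPeriodInDays, DeferFeatureUpdatesPeriodInDays, ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod, ActiveHoursStart, ActiveHoursEnd, UpdateServiceUrl, AllowNonMicrosoftSignedUpdate), validates them against the documented ranges and flags the combinations with security impact. Get-MdmUpdatePolicy reads the same names from the registry location where Windows mirrors MDM-delivered policy; that path is an assumption to verify on your build. The sample hashtable is constructed for illustration and mirrors a deliberately risky tag.

```powershell
# Added example, not Silverback code: validate Windows Update policy values against the
# documented ranges and flag security-relevant combinations.

function Test-UpdatePolicy {
    [CmdletBinding()]
    param([Parameter(Mandatory)][hashtable]$Policy)
    $p = $Policy
    $f = New-Object System.Collections.Generic.List[string]

    # AllowAutoUpdate: 0 notify before download, 1 auto install + notify restart,
    # 2 auto install and restart (default), 3 at a specified time, 4 without end-user
    # control, 5 turn off automatic updates.
    if ($p.ContainsKey('AllowAutoUpdate') -and [int]$p.AllowAutoUpdate -eq 5) {
        $f.Add('Automatic updates are turned off: the device gets no security updates unless patched another way')
    }

    # Deferrals: quality 0-30 days, feature 0-365 days.
    if ($p.ContainsKey('DeferQualityUpdatesPeriodInDays')) {
        $d = [int]$p.DeferQualityUpdatesPeriodInDays
        if ($d -lt 0 -or $d -gt 30) { $f.Add("DeferQualityUpdatesPeriodInDays=$d outside 0-30") }
        elseif ($d -gt 14) { $f.Add("Quality updates deferred $d days; monthly security fixes arrive late") }
    }
    if ($p.ContainsKey('DeferFeatureUpdatesPeriodInDays')) {
        $d = [int]$p.DeferFeatureUpdatesPeriodInDays
        if ($d -lt 0 -or $d -gt 365) { $f.Add("DeferFeatureUpdatesPeriodInDays=$d outside 0-365") }
    }

    # Deadlines 2-30 days, grace period 0-7 days (grace extends the effective deadline).
    foreach ($k in 'ConfigureDeadlineForFeatureUpdates', 'ConfigureDeadlineForQualityUpdates') {
        if ($p.ContainsKey($k)) {
            $d = [int]$p[$k]
            if ($d -lt 2 -or $d -gt 30) { $f.Add("$k=$d outside 2-30") }
        }
    }
    if ($p.ContainsKey('ConfigureDeadlineGracePeriod')) {
        $g = [int]$p.ConfigureDeadlineGracePeriod
        if ($g -lt 0 -or $g -gt 7) { $f.Add("ConfigureDeadlineGracePeriod=$g outside 0-7") }
    }

    # Active hours: hour values 0-23, window at most 18 h (1703+); the window may wrap past midnight.
    if ($p.ContainsKey('ActiveHoursStart') -and $p.ContainsKey('ActiveHoursEnd')) {
        $s = [int]$p.ActiveHoursStart; $e = [int]$p.ActiveHoursEnd
        if ($s -lt 0 -or $s -gt 23 -or $e -lt 0 -or $e -gt 23) { $f.Add('Active hours must be 0-23') }
        else {
            $span = ((($e - $s) % 24) + 24) % 24
            if ($span -gt 18) { $f.Add("Active hours window is $span h; maximum is 18 h") }
        }
    }

    # Intranet update server: plain HTTP lets anyone on the path tamper with update metadata,
    # and combined with non-Microsoft signed updates with the update payload as well.
    if ($p.ContainsKey('UpdateServiceUrl') -and $p.UpdateServiceUrl) {
        $u = [uri]$p.UpdateServiceUrl
        if ($u.Scheme -ne 'https') {
            $f.Add("UpdateServiceUrl $u is not HTTPS; use https://<wsus>:8531")
            if ($p.ContainsKey('AllowNonMicrosoftSignedUpdate') -and [int]$p.AllowNonMicrosoftSignedUpdate -eq 1) {
                $f.Add('Non-Microsoft signed updates allowed from an unauthenticated HTTP server: on-path attackers can publish arbitrary binaries')
            }
        }
    }

    [pscustomobject]@{ Compliant = ($f.Count -eq 0); Findings = $f.ToArray() }
}

function Get-MdmUpdatePolicy {
    # Assumption: MDM-delivered Policy CSP values are mirrored under this key on Windows 10.
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    $h = @{}
    if (Test-Path $key) {
        $item = Get-ItemProperty -Path $key
        foreach ($name in $item.PSObject.Properties.Name) {
            if ($name -notlike 'PS*') { $h[$name] = $item.$name }
        }
    }
    return $h
}

# Constructed sample: deadlines in range, quality deferral at the limit, HTTP WSUS, third-party updates on.
$sample = @{
    AllowAutoUpdate                    = 2
    DeferQualityUpdatesPeriodInDays    = 15
    DeferFeatureUpdatesPeriodInDays    = 90
    ConfigureDeadlineForFeatureUpdates = 14
    ConfigureDeadlineForQualityUpdates = 5
    ConfigureDeadlineGracePeriod       = 1
    ActiveHoursStart                   = 8
    ActiveHoursEnd                     = 17
    UpdateServiceUrl                   = 'http://wsus.imagoverum.com:8530'
    AllowNonMicrosoftSignedUpdate      = 1
}
Test-UpdatePolicy -Policy $sample | Format-List

# On a managed device, check what actually landed instead of the sample:
# Test-UpdatePolicy -Policy (Get-MdmUpdatePolicy) | Format-List
```

The sample produces three findings: the 15-day quality deferral, the plain-HTTP update service URL, and the combination of that URL with non-Microsoft signed updates. The active-hours arithmetic uses a modulo so that a window such as 22:00 to 08:00 is measured as 10 hours rather than a negative value.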

Delivery Optimization

Windows updates or upgrades may contain packages with very large files. Delivery Optimization can be used to reduce bandwidth consumption by sharing the work of downloading files among multiple devices. It is a self-organizing distributed cache that lets your clients obtain packages from alternate sources, such as peers on the local network or other Internet-connected devices, in addition to the Microsoft servers.

For additional information, please refer to  Delivery Optimization for Windows 10 updates

Setting Availability Options Requirement Description
Enable Peer Caching While the Device Connects Via VPN
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703
Controls if the device is allowed to participate in Peer Caching while connected via VPN to the domain network. 
Absolute Max Cache Size (in GB)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 10
  • 1607
Configures the maximum cache size in GB. A value of zero means unlimited cache. The cache will be cleared if the device is running low in disk space. 
Delay Background Download From Http (in secs)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 0
  • 1803

Allows to delay the use of an HTTP source in a background download that is allowed for peer-to-peer. After the maximum delay is reached, download(s) will resume with HTTP. A download that is waiting for peer source will appear to be stuck for the device user. 

Recommended value is 3600 (1 h)

Delay Background Download Cache Server Fallback (in secs)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 0
  • 1903
Configures the time in seconds to delay the fallback from a Cache Server to the HTTP source for a background content download. 
Delay Foreground download Cache Server Fallback (in secs)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 0
  • 1903

Configures the time in seconds to delay the fallback from a Cache Server to the HTTP source for a foreground content download. 

Delay Foreground Download From Http (in secs) takes precedence to allow download downloads from peers first

Delay Foreground Download From Http (in secs)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 0
  • 1803

Delays the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. After the maximum delay is reached, the download resumes over HTTP. A download that is waiting for a peer source will appear stuck to the device user.

Recommended value is 60 (1 minute). The default value 0 means this setting is managed by the cloud service.

Download Mode
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • HTTP blended with peering behind the same NAT (Default)
  • HTTP only
  • HTTP blended with peering across a private group
  • HTTP blended with Internet peering
  • Simple download mode with no peering
  • Bypass mode
  Controls the download method that Delivery Optimization can use for downloads of Windows Updates, Apps and App updates. 
Select the Source of Group IDs
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • None (Default)
  • AD Site
  • Authenticated domain SID
  • DHCP user option
  • DNS suffix
  Restricts peer selection to devices that share the same group ID, derived from the selected source.
Max Cache Age (in secs)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 2592000
Controls the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully.

A value of 0 means unlimited. The default value is 259200, which is equal to 3 days. 

Max Cache Size (percentage)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 20
  Controls the maximum percentage of the disk size (1-100) that Delivery Optimization can utilize. 
Max Download Bandwidth (in KB/s)
  • e.g. 0
This setting is deprecated. Use Max Foreground and Background Download Bandwidth instead. 

Max Upload Bandwidth (in KB/s)
  • e.g. 0
This setting is deprecated. There is no alternate policy available.

Min Background QoS (in KB/s)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 500
  • 1607

Defines the minimum download Quality of Service (QoS), i.e. download speed, in KB/s for background downloads. 

Default value is 500.

Allow Uploads While the Device Is on Battery (percentage)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 0
  • 1703

Defines the minimum battery level, as a percentage, at which the device is allowed to upload data to peers while running on battery. Any upload will automatically pause when the battery level falls below that threshold. 

Recommended value is 40. The default value is 0, which means no limit. 

Min Disk Size Allowed to Use Peer Caching (in GB)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 32
  • 1703

Configures the minimum disk size in GB that a device must have to use Peer Caching. 

Recommended values are 64 to 256 GB. The default value is 32 GB.

Min Peer Caching Content File Size (in MB)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 100
  • 1703

Specifies the minimum content file size in MB to use Peer Caching. 

Default value is 100 (MB)

Min RAM Capacity Required to Enable Use of Peer Caching (in GB)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 4
  • 1703

Specifies the minimum RAM size in GB to use Peer Caching. 

Default value is 4 (GB)

Monthly Upload Data Cap (in GB)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 20
  • 1607

Specifies the maximum total data in GB that Delivery Optimization is allowed to upload to internet peers per calendar month.

Default value is 20. A value of 0 means unlimited.

Max Background Download Bandwidth (percentage)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 0
  • 1803

Configures the maximum background download bandwidth percentage that Delivery Optimization can use across all concurrent download activities. 

A value of 0 means an automatic and dynamic adjustment.

Max Foreground Download Bandwidth (percentage)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • e.g. 0
  • 1803

Configures the maximum foreground download bandwidth percentage that Delivery Optimization can use across all concurrent download activities. 

Downloads from LAN peers are not restricted by this setting.

A value of 0 means an automatic and dynamic adjustment.

Select a Method to Restrict Peer Selection
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • None (Default)
  • Subnet Mask
  • 1803
Restricts peer selection by subnet mask. The subnet mask restriction applies to both the LAN and the Group download modes.
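As an added example (not Matrix42's or Microsoft's code), the following PowerShell decodes the Delivery Optimization policy values a device actually received into the option names used in the table above and flags two combinations worth a second look. It assumes the profile arrived via MDM (the PolicyManager registry area), falls back to the Group Policy location, and uses Get-DeliveryOptimizationStatus, which exists on Windows 10 1703 and later; run it in an elevated PowerShell on the device.

```powershell
# Added example: decode the effective Delivery Optimization policy on a device
# and compare it with the option names used in the profile table.
# Assumption: MDM-delivered values are under PolicyManager\current\device;
# GPO-delivered values are under Policies\Microsoft\Windows\DeliveryOptimization.

# DODownloadMode values (Microsoft-documented), keyed to the profile's option names.
$DownloadModeNames = @{
    0   = 'HTTP only'
    1   = 'HTTP blended with peering behind the same NAT (Default)'
    2   = 'HTTP blended with peering across a private group'
    3   = 'HTTP blended with Internet peering'
    99  = 'Simple download mode with no peering'
    100 = 'Bypass mode'
}

# DOGroupIdSource values, keyed to the "Select the Source of Group IDs" options.
$GroupIdSourceNames = @{
    0 = 'None (Default)'
    1 = 'AD Site'
    2 = 'Authenticated domain SID'
    3 = 'DHCP user option'
    4 = 'DNS suffix'
}

function Get-DOPolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    # MDM-delivered policy first, then the Group Policy location.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeliveryOptimization',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    )
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null   # not set by policy: the device uses the cloud-managed default
}

function Get-DOPolicyReport {
    $mode    = Get-DOPolicyValue -Name 'DODownloadMode'
    $groupId = Get-DOPolicyValue -Name 'DOGroupIdSource'
    [pscustomobject]@{
        DownloadMode          = if ($null -ne $mode)    { $DownloadModeNames[[int]$mode] }       else { 'not set by policy' }
        GroupIdSource         = if ($null -ne $groupId) { $GroupIdSourceNames[[int]$groupId] }   else { 'not set by policy' }
        MaxCacheSizePercent   = Get-DOPolicyValue -Name 'DOMaxCacheSize'
        AbsoluteMaxCacheGB    = Get-DOPolicyValue -Name 'DOAbsoluteMaxCacheSize'
        MaxCacheAgeSeconds    = Get-DOPolicyValue -Name 'DOMaxCacheAge'
        MonthlyUploadCapGB    = Get-DOPolicyValue -Name 'DOMonthlyUploadDataCap'
        MinBatteryToUploadPct = Get-DOPolicyValue -Name 'DOMinBatteryPercentageAllowedToUpload'
        AllowVPNPeerCaching   = Get-DOPolicyValue -Name 'DOAllowVPNPeerCaching'
    }
}

# Combinations a reviewer would want to see: Internet peering with an unlimited
# monthly upload cap (0 = unlimited, per the table), or peer caching over VPN.
function Test-DOPolicyRisks {
    param([Parameter(Mandatory)]$Report)   # output of Get-DOPolicyReport
    $findings = @()
    if ($Report.DownloadMode -eq $DownloadModeNames[3] -and $Report.MonthlyUploadCapGB -eq 0) {
        $findings += 'Internet peering enabled with an unlimited monthly upload cap'
    }
    if ($Report.AllowVPNPeerCaching -eq 1) {
        $findings += 'Peer caching allowed while connected via VPN'
    }
    return $findings
}

$report = Get-DOPolicyReport
$report | Format-List
Test-DOPolicyRisks -Report $report

# Runtime view: which sources recent downloads actually came from.
Get-DeliveryOptimizationStatus |
    Select-Object FileId, FileSize, DownloadMode, BytesFromPeers, BytesFromHttp, Status |
    Format-Table -AutoSize
```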

Defender Firewall

The Firewall configuration controls the Windows Defender Firewall global settings, the per-profile settings, and the set of custom rules to be enforced on the device. It lets you manage non-domain devices and reduce the risk of network security threats across all systems connecting to the corporate network. The Firewall configuration is supported beginning with Windows 10, version 1709.

Settings Windows 10 Windows 10 Mobile Description
Defender Firewall Settings Enabled or Disabled not available Enables the Defender Firewall Profile
Global Settings
Security Association Idle Time Before Deletion (in secs) e.g. 400 not available Security associations are deleted after no network traffic has been seen for this number of seconds. Supported values: 300 to 3600.
Pre-shared Key Encoding 
  • None
  • UTF-8 (default)
not available Specifies the preshared key encoding that is used
IPsec Exemptions 
  • No IPsec exemptions (default)
  • Exempt neighbor discovery IPv6 ICMP type-codes from IPsec
  • Exempt ICMP from IPsec
  • Exempt router discovery IPv6 ICMP type-codes from IPsec
  • Exempt both IPv4 and IPv6 DHCP traffic from IPsec
not available Configure specific traffic to be exempt from performing IPsec.
Certificate Revocation List Verification 
  • Disables CRL checking (default)
  • CRL checking is attempted
  • CRL checking is required
not available

Defines how certificate revocation list verification is enforced. The following options are available:

  • Disables CRL checking
  • CRL Checking is attempted specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail.
  • CRL checking is required means that checking is required and that certificate validation fails if any error is encountered during CRL processing
Packet Queuing 
  • All queuing is to be disabled (default)
  • Inbound encrypted packets are to be queued
  • Packets are to be queued after decryption
not available

Specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved.

Disable FTP Enabled or Disabled not available Blocks stateful File Transfer Protocol (FTP)
Opportunistically Match Authentication Set Per Keying Module Enabled or Disabled not available If enabled, keying modules will ignore unsupported authentication suites.
Network Settings (applies to Domain, Private, or Public Network)
General  
Microsoft Defender Firewall Enabled or Disabled not available If this setting is not enabled, no network traffic will be blocked, regardless of other policy settings.
Disable Stealth Mode Enabled or Disabled not available When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific
IPsec Secured Packet Exemption With Stealth Mode Enabled or Disabled not available If stealth mode is enabled, this option will be ignored. Otherwise the stealth mode rules must not prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec
Shielded Enabled or Disabled not available If this value is true and Defender Firewall is on, the server must block all incoming traffic regardless of other policy settings
Disable Unicast Responses to Multicast Broadcasts Enabled or Disabled not available If true, unicast responses to multicast broadcast traffic are blocked.
Disable Inbound Notifications Enabled or Disabled not available If false, the Firewall may display a notification to the user when an application is blocked from listening on a port. If this setting is enabled, the Firewall must not display such notifications. 
Default Action For Outbound Connections
  • Allow (default)
  • Block
not available This value is the action that the firewall takes by default (and evaluates at the very end) on outbound connections.
Default Action for Inbound Connections
  • Allow
  • Block (default)
not available This value is the action that the firewall takes by default (and evaluates at the very end) on inbound connections.
Rule Merging  
Auth App Firewall Rules From the Local Store Enabled or Disabled not available If this value is false, authorized application firewall rules in the local store are ignored and not enforced
Global Port Firewall Rules From the Local Store Enabled or Disabled not available If this value is false, global port firewall rules in the local store are ignored and not enforced
Firewall Rules From the Local Store Enabled or Disabled not available If this value is false, firewall rules from the local store are ignored and not enforced
IPsec Rules From the Local Store Enabled or Disabled not available If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and security rule version
Firewall Rules Settings
Rule Settings Enabled or Disabled not available
Name e.g. Block Paint not available Name of the rule. The rule name must not include a forward slash.

Description e.g. Firewall Rule for blocking outbound traffic for MS Paint not available Specifies the description of the rule
Direction
  • Not configured
  • Inbound
  • Outbound
not available Specifies the traffic direction to which the rule applies.
Action
  • Not configured
  • Off
  • On
not available Specifies the action the rule enforces.
Network Type
  • All (default)
  • Domain
  • Private
  • Public
not available Specifies the profiles to which the rule belongs: Domain, Private or Public
Application Settings  
Application
  • All
  • Package Family Name
  • File Path
  • Windows Service
not available Rules that control connections for an app, program, or service
Package Family Name e.g. Microsoft.MSPaint_6.2009.30067.0_x64__8wekyb3d8bbwe not available The Package Family Name is the unique name of a Microsoft Store application. Package family names can be retrieved by running the Get-AppxPackage command from PowerShell
File Path e.g. C:\Apps\Setup.exe not available Enter the full path of the application
Windows Service Name e.g. eventlog not available The service name, used when a service is sending or receiving traffic.
IP Address Settings  
Local Addresses e.g. 10.0.0.50 not available Comma separated list of local addresses covered by the rule. 
Remote Addresses e.g. 88.130.55.97 not available Comma separated list of remote addresses covered by the rule. 
Port and Protocol Settings  
Protocol
  • Any (default)
  • TCP
  • UDP
  • Custom
not available Select the protocol for this port rule. The transport layer protocols TCP and UDP allow ports or port ranges to be specified. For custom protocols, enter a number between 0 and 255 representing the IP protocol. 
Local Ports (TCP/UDP) e.g. 100-120,200,300-32 not available Comma separated list of ports or port ranges.
Remote Ports (TCP/UDP) e.g. 100-120,200,300-32 not available Comma separated list of ports or port ranges.
Protocol (Custom) 0-255 not available Enter a number between 0 and 255 representing the IP protocol. 
Advanced Settings  
Interface Types
  • Remote Access
  • Wireless
  • Local Area Network
not available Specifies the interface type to which the rule belongs. 
Authorized Local Users Settings  
Authorized Local Users e.g. "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0) S:(AU;SAFA;WDWOSDWPCCDCSW;;;WD)" not available Specifies the list of authorized local users for this rule. Enter the string in Security Descriptor Definition Language (SDDL) format. 
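As an added example (not part of the Matrix42 documentation), the following PowerShell checks a device against the per-profile and global settings listed above using the built-in NetSecurity cmdlets, and shows how a file-path rule like the ones in the Firewall Rules Settings table is created and then verified. The expected baseline values, the rule name and the program path are constructed for illustration; the property names are the cmdlets' own.

```powershell
# Added example: audit the effective Defender Firewall state against the
# settings a profile is expected to enforce. Run in an elevated PowerShell.

# Expected per-profile values (constructed), keyed by Get-NetFirewallProfile
# property names; the comments give the matching row of the table.
$ExpectedProfile = @{
    Enabled                         = 'True'   # Microsoft Defender Firewall: Enabled
    DefaultInboundAction            = 'Block'  # Default Action for Inbound Connections: Block
    DefaultOutboundAction           = 'Allow'  # Default Action For Outbound Connections: Allow
    AllowInboundRules               = 'True'   # Shielded: Disabled (False would block all inbound)
    AllowLocalFirewallRules         = 'False'  # Firewall Rules From the Local Store: Disabled
    AllowLocalIPsecRules            = 'False'  # IPsec Rules From the Local Store: Disabled
    AllowUnicastResponseToMulticast = 'False'  # Disable Unicast Responses to Multicast Broadcasts: Enabled
}

# Emits one object per deviation, across the Domain, Private and Public profiles.
function Test-FirewallProfileBaseline {
    param([hashtable]$Expected = $ExpectedProfile)
    foreach ($profile in Get-NetFirewallProfile) {
        foreach ($key in $Expected.Keys) {
            $actual = [string]$profile.$key
            if ($actual -ne $Expected[$key]) {
                [pscustomobject]@{
                    Profile  = $profile.Name
                    Setting  = $key
                    Expected = $Expected[$key]
                    Actual   = $actual
                }
            }
        }
    }
}

# The Global Settings rows map onto Get-NetFirewallSetting properties.
# Note that "Disable FTP" in the table is the inverse of EnableStatefulFtp.
function Get-FirewallGlobalSettingsReport {
    $g = Get-NetFirewallSetting
    [pscustomobject]@{
        'Security Association Idle Time (secs)'    = $g.MaxSAIdleTimeSeconds
        'Pre-shared Key Encoding'                  = $g.KeyEncoding
        'IPsec Exemptions'                         = $g.Exemptions
        'Certificate Revocation List Verification' = $g.CertValidationLevel
        'Packet Queuing'                           = $g.EnablePacketQueuing
        'Stateful FTP enabled (Disable FTP = off)' = $g.EnableStatefulFtp
    }
}

# An outbound block rule by file path, as in the Application Settings rows.
# -WhatIf only previews the change; remove it to actually create the rule.
function New-OutboundBlockRule {
    param(
        [string]$Name = 'Block Setup.exe outbound',   # constructed rule name
        [string]$Path = 'C:\Apps\Setup.exe'           # path from the table's example
    )
    New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Block `
        -Program $Path -Profile Any -WhatIf
}

# Verify what a deployed rule binds to: a rule with the right name but the
# wrong program path or package silently blocks nothing.
function Get-RuleProgramBinding {
    param([Parameter(Mandatory)][string]$DisplayName)
    Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue |
        ForEach-Object {
            $app = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Enabled   = $_.Enabled
                Direction = $_.Direction
                Action    = $_.Action
                Program   = $app.Program
                Package   = $app.Package
            }
        }
}

Test-FirewallProfileBaseline | Format-Table -AutoSize
Get-FirewallGlobalSettingsReport | Format-List
New-OutboundBlockRule
Get-RuleProgramBinding -DisplayName 'Block Setup.exe outbound'
```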

Defender Antivirus

Microsoft Defender is an anti-malware component of Microsoft Windows. Defender Antivirus monitors threats to your device, runs scans, and gets updates to help detect the latest threats. 

Setting Availability Windows 10 Requirement Description
Defender AntiVirus Settings
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
Enabled or Disabled   Enables the Defender Antivirus Profile
Real-time Protection
Turn on Real-Time Protection
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Yes
  • No
  Configuration of the Windows Defender Real-Time Monitoring functionality.
Turn On Behavior Monitoring
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Yes
  • No
  Configuration of the Windows Defender Behavior Monitoring functionality
Scan All Downloaded Files and Attachments
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Yes
  • No
  Configuration of the Windows Defender IOAV Protection functionality (scanning of downloaded files and attachments).
Monitor File and Program Activity on Your Computer
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Yes
  • No
  Configuration of Windows Defender On Access Protection functionality.
Configure Monitoring for Incoming/Outgoing File and Program Activity
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • All Files
  • Incoming Files
  • Outgoing Files
  Controls which sets of files should be monitored.
Intrusion Prevention System
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Yes
  • No
  Configuration of Windows Defender Intrusion Prevention functionality.
Exploit Guard
Configure Potentially Unwanted Application Protection
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Off
  • On
  • Audit Mode
  Specifies the level of detection for potentially unwanted applications. Windows Defender alerts when potentially unwanted software is being downloaded or attempts to install itself on the device. 
Prevent Users and Apps From Accessing Dangerous Websites
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled (block mode)
  • Enabled (audit mode)
  • 1709
Turns network protection on (in block or audit mode) or off. Network protection prevents employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. 
Scan Interval
Specify the Time for a Daily Quick Scan
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • From 12:00 AM to 11:00 PM
  Selects the time of day that the Windows Defender quick scan should run. The scan type will depend on what scan type is selected in the Scan Type Setting.
Specify the Scan Type to Use for a Scheduled Scan
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Quick Scan 
  • Full Scan
  Selects whether to perform a quick scan or full scan.
Specify the Day of the Week to Run a Scheduled Scan
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Every Day (Default)
  • Sunday
  • Monday
  • Tuesday
  • Wednesday
  • Thursday
  • Friday
  • Saturday
  Selects the day that the Windows Defender scan should run.
Specify the Time of Day to Run a Scheduled Scan
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • From 12:00 AM to 11:00 PM
  Selects the time of day that the Windows Defender scan should run.
Specify the Interval to Check for Definition Updates
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • No check
  • Check every 1 to 24 hours
  Specifies the interval in hours at which to check for new signatures. When set, the check runs according to this interval instead of the configured day and time.
Scan Settings
Check For Signatures Before Running Scan
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Yes
  • No
  • 1809
Controls whether a check for new virus and spyware definitions occurs before running a scan.
Scan archive files
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Yes
  • No
  Configuration for scanning of archives.
Scan emails
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Yes
  • No
  Configuration for scanning of emails.
Run Full Scan on Mapped Network Drives
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Yes
  • No
  Configuration for a full scan of mapped network drives.
Scan Removable Drives
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Yes
  • No
  Configuration for a full scan of removable drives. During a quick scan, removable drives may still be scanned.
Scan Network Files
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Yes
  • No
  Configuration for scanning of network files.
Turn on Script Scanning
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Yes
  • No
  Configuration for Windows Defender Script Scanning functionality. 
Disable Catch-up Full Scan
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Yes
  • No
  • 1809
This policy setting configures catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.  
Disable Catch-up Quick Scan
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Yes
  • No
  • 1809
Configures catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. 
Configure Low CPU Priority for Scheduled Scans
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Yes
  • No
  • 1809
This policy setting enables or disables low CPU priority for scheduled scans. 
Specify the Maximum Percentage of CPU Utilization During a Scan
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  This setting configures the average CPU load factor for the Windows Defender scan.
CPU utilization (in percent)
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
0-100%   Represents the average CPU load factor for the Windows Defender scan in percent.
Remediation
Configure Detected Threat Actions
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  Enables configuration of the remediation action for each threat severity level.
Low Threat
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Clean
  • Quarantine
  • Remove
  • Allow
  • User defined
  • Block
Specifies the default action to take for each threat severity level:

  • Clean - The service tries to recover the file and disinfect it.
  • Quarantine - Moves the file to quarantine.
  • Remove - Removes the file from the system.
  • Allow - Allows the file and takes none of the above actions.
  • User defined - Requires the user to decide which action to take.
  • Block - Blocks file execution.
Moderate Threat, High Threat, Severe Threat: same availability and options as Low Threat.
Specify Removal of Items From Quarantine Folders
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  Customizes the time period in days that quarantined items are stored on the system. 
Time period (in days)
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
0-90 days    Time period in days that quarantine items will be stored on the system.
MAPS
Join Microsoft MAPS
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
Enabled or Disabled   Turns on/off the Microsoft Active Protection Service
Send File Samples When Further Analysis Is Required
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Send safe samples automatically (Default)
  • Always prompt
  • Never send
  • Send all samples automatically
  Checks the user consent level in Windows Defender for sending data. If the required consent has already been granted, Windows Defender submits the samples. If not, and if the user has specified never to ask, the UI is launched to ask for user consent before sending data.
Malware Protection Engine
Select Cloud Protection Level
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Default
  • High
  • High+
  • Zero
  • 1709
This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. 
Specify Extended Cloud Check
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • 1709
Allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan in the cloud to make sure it's safe.
Cloud check timeout (in seconds)
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
0-60 seconds
  • 1709
The number of seconds (0 to 60) that a suspicious file is held while the cloud scan runs.
User Experience
Hide Virus & threat protection
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
Enabled or Disabled   Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed.
Controlled Folder Access
Configure Controlled Folder Access
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled 
  • Enabled
  • Audit Mode
  • 1709
This policy sets the state of the controlled folder access feature. Controlled folder access removes modify and delete permissions from untrusted applications for certain folders, such as My Documents.
Add an allowed app
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
e.g. C:\Program Files\Matrix42\WriteToMatrix42Folder.exe
  • 1709
Adds applications that are allowed to access protected folders and make changes there without Windows Defender blocking them or raising a notification. 
Add a protected folder
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
e.g. C:\Protected Folder
  • 1709
Add a list of additional folders that need to be protected.
Scan Exclusions
Add path
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
e.g. C:\Program Files\Internet Explorer   Specifies a path to trust even if Windows Security has detected content there as malicious; Windows Security then stops alerting users about, or blocking, programs from that path.
Add process
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
e.g. C:\Program Files\Internet Explorer\iexplore.exe   Specifies a process to trust even if Windows Security has detected it as malicious; Windows Security then stops alerting users about, or blocking, that process.
Add file extensions
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
e.g. exe, pdf   Specifies a file type to trust even if Windows Security has detected files of that type as malicious; Windows Security then stops alerting users about, or blocking, files with that extension.
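As an added example (not Matrix42's code), the following PowerShell reads the effective Defender Antivirus preferences with Get-MpPreference, decodes the numeric values it returns into the option names used in this table, and reviews the scan exclusions and threat actions, since an exclusion on a broad path or an Allow action on severe threats is the quickest way for a profile to weaken protection. The review heuristics in Test-DefenderExclusions are an assumption for illustration; run the script in an elevated PowerShell on the device.

```powershell
# Added example: decode Get-MpPreference into the profile's option names and
# review the settings that most affect protection (exclusions, threat actions).

# Numeric values as returned by Get-MpPreference, keyed to the table's option names.
$ThreatActionNames = @{ 0 = 'Not configured'; 1 = 'Clean'; 2 = 'Quarantine'; 3 = 'Remove';
                        6 = 'Allow'; 8 = 'User defined'; 9 = 'No action'; 10 = 'Block' }
$CloudLevelNames   = @{ 0 = 'Default'; 2 = 'High'; 4 = 'High+'; 6 = 'Zero' }
$ModeNames         = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'Audit Mode' }   # PUA, network protection, CFA
$SampleConsentNames = @{ 0 = 'Always prompt'; 1 = 'Send safe samples automatically';
                         2 = 'Never send'; 3 = 'Send all samples automatically' }

function ConvertTo-OptionName {
    param([hashtable]$Map, $Value)
    if ($null -eq $Value) { return 'Not configured' }
    $name = $Map[[int]$Value]
    if ($name) { $name } else { "unknown ($Value)" }
}

function Get-DefenderProfileReport {
    $p = Get-MpPreference
    [pscustomobject]@{
        RealTimeProtection     = -not $p.DisableRealtimeMonitoring
        BehaviorMonitoring     = -not $p.DisableBehaviorMonitoring
        ScanDownloadedFiles    = -not $p.DisableIOAVProtection
        ScriptScanning         = -not $p.DisableScriptScanning
        PUAProtection          = ConvertTo-OptionName $ModeNames $p.PUAProtection
        NetworkProtection      = ConvertTo-OptionName $ModeNames $p.EnableNetworkProtection
        ControlledFolderAccess = ConvertTo-OptionName $ModeNames $p.EnableControlledFolderAccess
        CloudProtectionLevel   = ConvertTo-OptionName $CloudLevelNames $p.CloudBlockLevel
        CloudCheckTimeoutSecs  = $p.CloudExtendedTimeout
        SampleSubmission       = ConvertTo-OptionName $SampleConsentNames $p.SubmitSamplesConsent
        LowThreatAction        = ConvertTo-OptionName $ThreatActionNames $p.LowThreatDefaultAction
        ModerateThreatAction   = ConvertTo-OptionName $ThreatActionNames $p.ModerateThreatDefaultAction
        HighThreatAction       = ConvertTo-OptionName $ThreatActionNames $p.HighThreatDefaultAction
        SevereThreatAction     = ConvertTo-OptionName $ThreatActionNames $p.SevereThreatDefaultAction
        QuarantinePurgeDays    = $p.QuarantinePurgeItemsAfterDelay
        ExclusionPaths         = @($p.ExclusionPath      | Where-Object { $_ })
        ExclusionProcesses     = @($p.ExclusionProcess   | Where-Object { $_ })
        ExclusionExtensions    = @($p.ExclusionExtension | Where-Object { $_ })
        CFAAllowedApps         = @($p.ControlledFolderAccessAllowedApplications | Where-Object { $_ })
    }
}

# Anything excluded is never alerted on or blocked, so broad or user-writable
# locations and executable file types deserve a deliberate decision.
# The path and extension heuristics below are assumptions for illustration.
function Test-DefenderExclusions {
    param([Parameter(Mandatory)]$Report)   # output of Get-DefenderProfileReport
    $findings = @()
    foreach ($path in $Report.ExclusionPaths) {
        if ($path -match '^[A-Za-z]:\\?$' -or $path -match '\\(Temp|Downloads|Users\\Public)(\\|$)') {
            $findings += "Broad or user-writable path excluded: $path"
        }
    }
    foreach ($ext in $Report.ExclusionExtensions) {
        if ($ext.TrimStart('.') -in @('exe', 'dll', 'ps1', 'js', 'vbs', 'scr')) {
            $findings += "Executable file type excluded: $ext"
        }
    }
    if ($Report.SevereThreatAction -in @('Allow', 'User defined', 'No action')) {
        $findings += "Severe threats are not remediated automatically ($($Report.SevereThreatAction))"
    }
    if (-not $Report.RealTimeProtection) {
        $findings += 'Real-time protection is turned off'
    }
    return $findings
}

$report = Get-DefenderProfileReport
$report | Format-List
Test-DefenderExclusions -Report $report
```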

Defender Security Center  

Windows 10 includes a built-in Windows Security application, which provides the latest antivirus protection. Devices are actively protected from the moment a user starts Windows 10. Windows Security continually scans for malware (malicious software), viruses, and security threats. In addition to this real-time protection, updates are downloaded automatically to help keep devices safe and protect them from threats. This security application has several sub-pages such as Virus & threat protection, Account protection, etc., which users can usually view and configure. With the following options the application's appearance on managed devices can be configured. 

Setting Availability Options Requirement Description
Microsoft Defender Security Center app and notifications
Defender Security Center
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  Enabling this option allows customization of the Microsoft Defender Security Center settings for managed devices. 
Virus and threat protection
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Hide
  • Show
  • 1709
Configure if users can view the Virus and threat protection area in the Microsoft Defender Security Center. Hiding this section will also block all notifications related to Virus and threat protection
Ransomware data recovery
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Hide
  • Show
  • 1803
Define if users can view the Ransomware data recovery area. Hiding this section will also block all notifications related to Ransomware protection. 
Account protection
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Hide
  • Show
  • 1803
Select whether users can view the Account protection area. Hiding this section will also block all notifications related to Account protection.
Firewall and network protection
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Hide
  • Show
  • 1709
Specify if users can view the Firewall and network protection area. Hiding this section will also block all notifications related to Firewall and network protection.
App and browser Control
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Hide
  • Show
  • 1709
Configure if users can view the App and browser control area. Hiding this section will also block all notifications related to App and browser control.
Exploit protection settings modifying
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disable
  • Enable
  • 1709
Prevents users from making changes to the exploit protection settings area. 
Device performance and health
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Hide
  • Show
  • 1709
Select whether users can view the Device performance and health area or not. Hiding this section will also block all notifications related to this section. 
Family options
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Hide
  • Show
  • 1709
Configure if users can view the Family options in the Microsoft Defender Security Center application. Hiding this section will also block all notifications related to Family options.
Device security area
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Hide
  • Show
  • 1803
Use this setting to disable the display of the Device security area. 
TPM Troubleshooter page
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Hide
  • Show
  • 1803
Use this setting to hide the TPM Troubleshooter page. 
Clear TPM button
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disable
  • Enable
  • 1809
Configures if the Clear TPM button within the Security processor troubleshooting area is shown to users. 
TPM firmware update warning
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disable
  • Enable
  • 1809
Defines if recommendations to update the TPM Firmware are shown when a vulnerable firmware is detected.
Secure boot area
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Hide
  • Show
  • 1803
Use this setting to hide the Secure boot area. 
Windows Security Center icon in the system tray
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disable
  • Enable
  • 1809
Specifies whether the Windows Security Center is shown as a tray icon in the Taskbar or is hidden. 
Hide all notifications
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Hide
  • Show
  • 1709
Determines whether notifications will be displayed on devices. If Hide is selected, users can't see Windows Defender Security Center notifications.
Hide non-critical notifications
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Hide
  • Show
  • 1709
Determines whether non-critical notifications will be displayed on devices. If Hide is selected, Windows Defender Security Center only displays notifications that are considered critical.
IT contact information
Display contact information in app
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or disabled
  • 1709
Enabling this policy will display a customized company name and contact information in a contact fly-out from Windows Defender Security Center. If the policy is not enabled, or no company name and at least one contact method are provided, Windows 10 will not display the contact fly-out notification.
Display contact information in notifications
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or disabled
  • 1709
Enabling this policy will display a customized company name and contact information in the notifications. If the policy is not enabled, or no company name and at least one contact method are provided, Windows 10 will display a default notification text.
Specify contact company name
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
e.g. Imagoverum
  • 1709
Provides a predefined company name in contact fly-outs and notifications.
Contact phone number or Skype ID
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
e.g +4969667788650
  • 1709

Provides a predefined phone number or Skype ID in contact fly-outs and notifications.

Skype will be used to initiate the call. 

Contact email address
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
e.g. support@imagoverum.com
  • 1709

Provides a predefined email address in contact fly-outs and notifications.

The default mail application will be used to initiate email actions.

Contact website
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
e.g. https://imagoverum.com
  • 1709

Provides a predefined help portal website in contact fly-outs and notifications.

The default browser will be used to initiate this action.

Microsoft Defender SmartScreen

Microsoft Defender SmartScreen is a built-in threat protection feature of Windows 10 and Microsoft Edge that protects users and your organization against phishing or malware websites and applications, and against downloading potentially malicious files. Please review additional information here: Microsoft Defender SmartScreen

Setting Availability Options Requirement Description
Microsoft Edge
Configure Windows Defender SmartScreen
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • Microsoft Edge (non-chromium based) version 45 and earlier
By default, Microsoft Edge uses Windows Defender SmartScreen to protect users from potential security risks. Enabling this setting protects users from potential threats and prevents them from turning SmartScreen on or off in Microsoft Edge. Disabling this setting will not protect users from threats and will prevent users from turning SmartScreen on.
Prevent Bypassing Windows Defender SmartScreen Prompts for Sites
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • Microsoft Edge (non-chromium based) version 45 and earlier
By default, Microsoft Edge allows users to bypass or ignore Defender SmartScreen warnings about potentially malicious sites and access them anyway. Enabling this setting will prevent users from bypassing the warnings.
Prevent Bypassing Windows Defender SmartScreen Prompts for Files
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • Microsoft Edge (non-chromium based) version 45 and earlier
By default, Microsoft Edge allows users to bypass or ignore warnings about potentially malicious content when downloading unverified files. Enabling this setting will prevent users from bypassing the warnings and block the download of unverified files.
Reputation-based protection
Check apps and files
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1703
Configures the Microsoft Defender SmartScreen for Windows 10. 
File execution
Ignore Warnings and Run Malicious Files
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Allow
  • Block
  • 1703
Defines whether users can ignore SmartScreen warnings and run malicious files.
Source-based protection
Install Apps only from Microsoft Store
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1703
Controls whether users may only install apps from the Microsoft Store. Installations are only blocked if the device is online. To block offline installations as well, Check apps and files must be set to Enabled and Ignore Warnings and Run Malicious Files to Block.

Power Options

Windows 10 brings the ability to control the Power & Sleep settings for devices. This helps administrators reduce energy consumption and save on energy costs within the organization. Power management for Windows 10 includes the following options:

  • Manage whether or not Windows is allowed to use standby states when putting the computer in a sleep state.
  • Specify the period of inactivity before Windows turns off the display.
  • Specify the period of inactivity before Windows transitions the system to sleep.
  • Specify battery charge level at which Energy Saver is turned on.
  • Prompt for a password when the system resumes from sleep.
Setting Availability Options Requirement Description
Predefine Lid Switch Action
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Sleep
  • Hibernate
  • Shutdown
  • 1903
Specifies the action that Windows 10 takes when the user closes the lid on the device.
Predefine Power Button Action
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Sleep
  • Hibernate
  • Shutdown
  • 1903
This setting specifies the action that Windows 10 takes when the user presses the power button. 
Predefine Sleep Button Action
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Sleep
  • Hibernate
  • Shutdown
  • 1903
This setting specifies the action that Windows 10 takes when the user presses the sleep button. 
Use Standby States When Putting the Computer in a Sleep State
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  This option manages whether or not Windows 10 is allowed to use standby states when putting the computer in a sleep state. 
Specify Inactivity Timeout Before Windows Turns Off the Display
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • 1709
Allows you to specify the period of inactivity before Windows 10 turns off the display. If enabled, a value for Set Screen Off Inactivity Timeout (seconds) is required.
Set Screen Off Inactivity Timeout (seconds)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
e.g. 300
  • 1709
Defines the idle time in seconds that should elapse before Windows 10 turns off the display.
Specify Period of Inactivity Before Hibernating
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • 1709

This setting allows you to specify the period of inactivity before Windows 10 transitions to hibernate. If enabled, a value for Inactivity Timeout for Hibernating (seconds) is required.

If the user has configured a slide show on the lock screen and the device is locked, this can prevent the sleep transition. Please refer to Restrictions > Device Lock.

Inactivity Timeout for Hibernating (seconds)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
e.g. 300
  • 1709
Defines how much idle time should elapse before Windows 10 transitions to hibernate. 
Specify Inactivity Timeout Before Windows Turns Into Sleep
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • 1709

Allows you to specify the period of inactivity before Windows 10 transitions to sleep. If enabled, a value for Sleep Inactivity Timeout (seconds) is required.

If the user has configured a slide show on the lock screen and the device is locked, this can prevent the sleep transition. Please refer to Restrictions > Device Lock.

Sleep Inactivity Timeout (seconds)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
e.g. 300
  • 1709
Defines how much idle time should elapse before Windows 10 transitions to sleep. 
Specify Inactivity Timeout for Unattended Sleep
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • 1903

Allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. If enabled, a value for Unattended Sleep Timeout (seconds) is required.

If the user has configured a slide show on the lock screen and the device is locked, this can prevent the sleep transition. Please refer to Restrictions > Device Lock.

Unattended Sleep Timeout (seconds)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
e.g. 300
  • 1903
Defines how much idle time should elapse before Windows 10 transitions automatically to sleep when left unattended. A value of 0 seconds means Windows does not automatically transition to sleep.
Require a Passcode When the System Resumes From Sleep
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  If this setting is disabled, the user is not prompted for a password when the system resumes from sleep. 
Allow Hybrid Sleep
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • 1903
Specifies whether Hybrid Sleep mode is allowed or not. Hybrid Sleep mode is a combination of the Sleep and Hibernate modes for desktops. If you disable this setting, a hiberfile is not generated when the system transitions to Sleep.
Specify Battery Level for Energy Saver Activation
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • 1903
This setting allows you to specify the battery charge level at which Energy Saver is turned on. Energy Saver will automatically turn on at (and below) the specified battery charge level. If enabled, a value for Battery Level (percentage) is required.
Battery Level (percentage)
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
e.g. 30
  • 1903
Defines a percentage value that indicates the battery charge level when Energy Saver turns on. Supported values are 0-100. Default value is 70. 

Microsoft Edge 

Microsoft Edge is the built-in browser in Windows 10, which Microsoft has reinvented. The "first" version of Microsoft Edge, now called Microsoft Edge Legacy, has been deprecated and replaced with the new Microsoft Edge, which runs on a Chromium base. This Microsoft Edge profile includes over 60 settings from various sections of Microsoft Edge, such as the Password Manager, SmartScreen settings and other customizing options.

Setting Availability Options Requirement Description
Microsoft Edge Settings
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • Version 77 or later
Enables the Microsoft Edge profile.
InPrivate Mode
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Allowed
  • Disabled
  • Forced
  • Version 77 or later

Specifies whether the user can open websites in InPrivate Mode.

  • Allowed = InPrivate mode will be available to users
  • Disabled = InPrivate mode will not be available to users and they are prevented from using it
  • Forced = Websites will always be opened in InPrivate Mode
Password manager and protection
Enable Password Manager
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • Version 77 or later
Enables Microsoft Edge to save user passwords. If enabled, users can save their passwords in Microsoft Edge and the next time they visit the site, Microsoft Edge will enter the password automatically. If disabled, users can't save new passwords, but they are still able to use previously saved passwords.
Allow Microsoft Edge to monitor user passwords
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • Version 85 or later
Allows users to be alerted if their passwords are found to be unsafe. If enabled and a user consents to enabling the policy, the user will be alerted if any of their passwords stored in Microsoft Edge are found to be unsafe. If disabled, users will not be asked for permission to enable this functionality, passwords will not be scanned and users will not be alerted.
Configure the change password URL
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • Version 77 or later
If enabled, the password protection service sends users to a URL to change their password. 
The change password URL
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Version 77 or later
This setting appears if Configure the change password URL is enabled. The password protection service sends users to this URL to change their password.
Enable Password reveal button
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • Version 87 or later
This setting controls the default display of the browser password reveal button for password input fields on websites. If disabled, the browser user setting won't display the password reveal button. 
Configure password protection warning trigger
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Password protection warning is off
  • Password protection warning is triggered by password reuse
  • Version 77 or later
Allows you to control when the password protection warning is triggered. Password protection alerts users when they reuse their protected password on potentially suspicious sites. If Password protection warning is off is selected, no password warnings will appear to users. If Password protection warning is triggered by password reuse is selected, password warnings will appear when users reuse their protected passwords.
Password Protection Login URLs
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • Version 77 or later
If enabled, a list of enterprise login URLs where the password protection service should capture salted hashes of a password can be configured. Use the Add Url button to add password protection login URLs.
SmartScreen Settings
Configure Microsoft Defender SmartScreen
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • Version 77 or later
Defender SmartScreen provides warning messages to help protect your users from potential phishing scams and malicious software. By default, this feature is turned on. This setting makes it possible to prevent users from disabling Microsoft Defender SmartScreen.
Force checks on downloads from trusted sources
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • Version 78 or later
This policy setting controls whether Microsoft Defender SmartScreen checks the reputation of downloads from a trusted source. If enabled, SmartScreen checks the download's reputation regardless of source. If disabled, no reputation check is done when downloading from a trusted source.
Block potentially unwanted apps
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • Version 80 or later
Potentially unwanted app blocking with Microsoft Defender SmartScreen provides warning messages to help protect users from adware, coin miners, bundleware, and other low-reputation apps that are hosted by websites. Potentially unwanted app blocking with Microsoft Defender SmartScreen is turned off by default. If enabled, the potentially unwanted app blocking with Microsoft Defender SmartScreen is turned on. 
Prevent bypassing prompts for sites
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • Version 77 or later
This setting controls whether users can override the Microsoft Defender SmartScreen warnings about potentially malicious websites. If enabled, users can't ignore SmartScreen warnings and users will be blocked from accessing the site. 
Prevent bypassing warnings about downloads
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • Version 78 or later
This option controls whether users can override Microsoft Defender SmartScreen warnings about unverified downloads. If enabled, users can't ignore the SmartScreen warnings and they will be prevented from completing unverified downloads.
Configure Allowed Domains
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • Version 77 or later
Configure the list of domains for which Microsoft Defender SmartScreen won't trigger warnings. If enabled, use the Add an allowed domain button to enter the list of trusted domains. 
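The SmartScreen Settings above are pushed to the device as Microsoft Edge policies. The following PowerShell script is an added example (not Matrix42 or Microsoft code) that audits a managed Windows 10 device against the hardened values of those five settings and lists any allow-listed domains; it assumes the MDM-delivered policies land in the standard Edge policy registry key HKLM:\SOFTWARE\Policies\Microsoft\Edge and uses the documented Edge policy names for each setting.

```powershell
# Added example (not Matrix42 or Microsoft code): audit the effective Microsoft Edge
# SmartScreen policies on a managed Windows 10 device.
# Assumption: the MDM-delivered policies are written to the standard Edge policy key.
$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Hardened baseline for the SmartScreen Settings group described in this profile.
# Key = Edge policy name, Value = expected REG_DWORD (1 = Enabled).
$Baseline = [ordered]@{
    SmartScreenEnabled                       = 1  # Configure Microsoft Defender SmartScreen
    SmartScreenForTrustedDownloadsEnabled    = 1  # Force checks on downloads from trusted sources
    SmartScreenPuaEnabled                    = 1  # Block potentially unwanted apps
    PreventSmartScreenPromptOverride         = 1  # Prevent bypassing prompts for sites
    PreventSmartScreenPromptOverrideForFiles = 1  # Prevent bypassing warnings about downloads
}

function Get-EdgeSmartScreenCompliance {
    param(
        [string]$Path = $EdgePolicyKey,
        [System.Collections.IDictionary]$Expected = $Baseline
    )
    # Get-ItemProperty returns $null if the policy key does not exist at all,
    # which is reported below as "Not configured" for every policy.
    $values = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $actual = if ($null -ne $values) { $values.$name } else { $null }
        [pscustomobject]@{
            Policy    = $name
            Expected  = $Expected[$name]
            Actual    = if ($null -eq $actual) { 'Not configured' } else { $actual }
            Compliant = ($actual -eq $Expected[$name])
        }
    }
}

# Configure Allowed Domains is stored as a list subkey with numbered values ("1", "2", ...).
# Every entry is a domain for which SmartScreen stays silent, so review this list deliberately.
function Get-EdgeSmartScreenAllowListDomains {
    param([string]$Path = "$EdgePolicyKey\SmartScreenAllowListDomains")
    if (-not (Test-Path $Path)) { return @() }
    (Get-ItemProperty -Path $Path).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value }
}

$report = Get-EdgeSmartScreenCompliance
$report | Format-Table -AutoSize

$allowed = @(Get-EdgeSmartScreenAllowListDomains)
if ($allowed.Count -gt 0) {
    "Allow-listed domains (no SmartScreen warnings): $($allowed -join ', ')"
}

# Non-zero exit code makes the script usable as a compliance check in a scheduled job.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Run it in an elevated PowerShell session on the device after the profile has been applied; a "Not configured" result for a policy means the profile setting either was not delivered or is still set to Not configured on the Matrix42 side.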
Startup, home page and new tab page
Show Home button on toolbar
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • Version 77 or later
This option controls the display of the Home button on Microsoft Edge's toolbar. If enabled, the Home button is always shown. If disabled, the Home button will never appear on the toolbar. If not configured, users can choose whether to show the Home button or not.
New tab page URL
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • Version 77 or later
Allows you to configure the New Tab page URL, which will be opened by default when using the New Tab button. If enabled, you can specify the default New Tab page URL through an additionally appearing option.
Set as the home page
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • Version 77 or later
If enabled, the New tab page URL will also be used as the default home page URL when pressing the Home button, and the Configure the home page URL option will be marked as inactive.
Configure the home page URL
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • Version 77 or later
Configures the default home page URL, which will be opened by using the Home Button. If enabled, you can specify the home page URL with the additionally appearing option Specify the home page URL.  
Hide the default top sites from the new tab page
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • Version 77 or later
Allows you to configure whether the default top sites on the new tab page in Microsoft Edge are hidden or remain visible.
Enable preload of the new tab page for faster rendering
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • Version 85 or later
This setting controls the preloading of the new tab page for a faster rendering. If enabled, preloading the New tab page is enabled and users can't change this setting. 
Action to take on startup
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Restore the last session
  • Open a new Tab
  • Open a list of URLs
  • Version 77 or later
Allows you to specify how Microsoft Edge behaves when it starts. If Open a list of URLs is selected, you can add startup URLs with the appearing Add Url button.
Proxy Server
Configure proxy server settings
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Never use a proxy
  • Auto detect proxy settings
  • Use a .pac proxy script
  • Use fixed proxy servers
  • Use system proxy setting
  • Version 77 or later

Configures the proxy settings for Microsoft Edge. If you enable this policy, Microsoft Edge ignores all proxy-related options specified on the command line.

Microsoft has already deprecated most of the individual Proxy Server configuration policies without providing new options. This feature might not work correctly and might need to be reworked once new proxy settings are available.

Performance
Enable startup boost
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • Version 88 or later
Allows Microsoft Edge processes to start at user sign-in and to restart in the background after the last browser window is closed.
Default Search Provider
Default search provider settings
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • Version 77 or later
Enables the ability to use a default search provider.
Specify Search URL
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • Version 77 or later
If enabled, you can specify the URL of the search engine used for a default search. The URL contains the string '{searchTerms}', which is replaced at query time by the terms the user is searching for. Please refer to the Microsoft Edge Policy description for further examples. 
Keyword
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • Version 77 or later
If enabled, this setting allows you to specify the keyword, which is the shortcut used in the Address Bar to trigger the search for this provider.
Search by image
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • Version 77 or later
If enabled, a URL to the search engine used for image search can be specified. Search requests are sent using the GET method. Please refer to the Microsoft Edge Policy description for further examples. 
Default search provider name
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • Version 77 or later
If enabled, you can set the name of the default search provider. The provider’s name should be set to an organization-approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008.
Parameters for an image URL that uses POST
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • Version 77 or later
If enabled, parameters can be added which are used when an image search that uses POST is performed. The policy consists of comma-separated name/value pairs. If a value is a template parameter, such as {imageThumbnail}, it's replaced with real image thumbnail data. Please refer to the Microsoft Edge Policy description for further examples.
URL for suggestions
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • Version 77 or later
If enabled, a custom URL for suggestions for the search engine can be defined. The URL contains the string '{searchTerms}', which is replaced at query time by the text the user has entered so far. Please refer to the Microsoft Edge Policy description for further examples. 
The new tab page search box
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Search Box (recommended)
  • Address bar
  • Version 85 or later

This setting allows you to configure whether the new tab page uses the Search Box (recommended) or the Address bar to search on new tabs.

  • Search box (Recommended) - the new tab page uses the search box to search on new tabs.
  • Address bar - the new tab page search box uses the address bar to search on new tabs.
Character encodings
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • Version 77 or later
If enabled, you can specify character encodings supported by the search provider. Encodings are code page names like UTF-8, GB2312, and ISO-8859-1. They are tried in the order provided. Add encodings by pressing the Add search provider encoding button.
Sleeping Tabs
Configure sleeping tabs
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • Version 88 or later
This setting configures whether to turn on sleeping tabs for Microsoft Edge. Sleeping tabs reduces CPU, battery, and memory usage by putting idle background tabs to sleep. Microsoft Edge uses heuristics to avoid putting tabs to sleep that do useful work in the background, such as display notifications, play sound, and stream video. By default, sleeping tabs is turned on.
Background tab inactivity timeout
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • 5
  • 15
  • 30
  • 1 hour
  • 2 hours (default)
  • 3 hours
  • 6 hours
  • 12 hours
  • Version 88 or later
Allows you to configure the timeout after which inactive background tabs will be automatically put to sleep if the Configure sleeping tabs option is set to Enabled.
Block sleeping tabs on specific sites
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • Version 88 or later
If enabled, a list of sites based on URL patterns can be configured that are not allowed to be put to sleep. Use the Add Url button to enter the specific sites that are not allowed to be put to sleep.
Content Settings
Default geolocation setting
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Allow sites to track users' physical location
  • Don't allow any site to track users' physical location
  • Ask whenever a site wants to track users' physical location
  • Version 77 or later
Defines whether websites can track the physical location of users.
Default images setting
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Allow all sites to show all images
  • Don't allow any site to show images
  • Version 77 or later
Allows you to configure whether websites can display images.
Allow images on specific sites
  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Enabled
  • Version 77 or later
This option will be active if Default images setting is set to Not configured or Don't allow any site to show images. After enabling this setting, specific sites can be added that are allowed to display images.
Block images on specific sites
  • Wind