Skip to main content
Matrix42 Self-Service Help Center

Tags Guide Part IV: Windows 10/11 Restrictions

Restriction Overview

Windows restrictions are part of the Policy Configuration Service Provider and are grouped with the same naming in the Management Console. You can press All + to expand all available restriction or expand each group separately. The following groups are available and linked to the corresponding section with all available policy configurations:

Build your own policy setting with Create a Custom Profile for Windows 10/11

A      
Above Lock Accounts Application Management Audit
Authentication      
B      
BITS Bluetooth Browser  
C      
Camera Cellular Connectivity Control Policy Conflict
Credential Providers Cryptography    
D      
Data Protection Desktop Device Guard Device Health Monitoring
Device Lock Display DMA Guard  
E      
Event Log Service Experience    
F-R      
File Explorer Games Handwriting Lock Down
Maps Messaging Notifications  
S      
Security Settings Speech  
T      
Task Manager Troubleshooting    
W      
WiFi Windows PowerShell    

Restrcitions

Above Lock Screen

Setting Availability Options Requirement Description
Allow Cortana Above Lock Screen
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Not allowed
  • Allowed
  • 1607
Specifies whether or not the user can interact with Cortana using speech while the system is locked. If enabled, the user can interact with Cortana using speech while the system is locked. If disabled, the system will need to be unlocked for the user to interact with Cortana using speech.
Allow Toasts
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Not allowedAudit
  • Allowed
  Specifies whether to allow toast notifications above the device lock screen

Accounts

Setting Availability Options Requirement Description
Allow User to Add Non-Microsoft Accounts Manually
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Not allowed
  • Allowed
  Specifies if the user is allowed to add non-MSA email accounts
Allow Microsoft Account for Non Email Related Services
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Not allowed
  • Allowed

 

Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services.
Allow Microsoft Account Sign In Assistant
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Not allowed
  • Allowed
  • 1703

Disables the Microsoft Account Sign-In Assistant (wlidsvc) NT service. 

If disabled Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher

Application Management

Setting Availability Options Requirement Description
Application Management
Allow App Store Auto Update
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • Enabled
  Configures if automatic app updates from Microsoft Store are allowed or not.
Allow Windows Game Recording and Broadcasting
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • Enabled
  Controls whether DVR and broadcasting is allowed.
Allow Shared User AppData
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • Enabled
  This settings configures if application data can be shared among multiple users on the system and with other instances of that app. Disabling this setting will not delete existing shared data in the SharedLocal folder. 
Disable All Apps From Microsoft Store
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1607
Enabling this setting, will prevent the launch of all pre-installed or downloaded apps from the Microsoft Store
Allow User Control Over Installs
  • Windows 10 Pro
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1803
Permits users to change installation options that typically are available only to system administrators. 
Allow MSI Always Install With Elevated Privileges
  • Windows 10 Pro
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  • 1803
Directs Windows Installer to use elevated permissions when it installs any program on the system
Only Display the Private Store Within the Microsoft Store
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  If disabled, both public and private store are allowed. If enabled only the private or corporate store is enabled. 
Prevent Users` App Data From Being Stored on Non-System Volumes
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  Controls if application data is restricted to the system drive or not.
Disable Installing Windows Apps on Non-System Volumes
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Disabled
  • Enabled
  Controls whether the installation of applications is restricted to the system drive or not.
Allow All Trusted Apps to Install
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Explicit deny
  • Explicit allow unlock
  Allows to control if non Microsoft Store apps are allowed
Allow Developer Unlock
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Explicit deny
  • Explicit allow unlock
  Specifies whether developer unlock is allowed or not.

 

Audit

Setting Availability Options Requirement Description
Audit    
Audit Account Lockout
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Success
  • Off/None
  • Failure
  • Success+Failure
  • 1903

Allows to control audit events generated by a failed attempt to log on to an account that is locked out.

Depending on the configuration an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts.

Audit Group Membership
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Configures audit setting for the group membership information in the user's logon token. Events are generated on the computer on which a logon session is created and for each successful logon.

For an interactive logon, audit events are generated on the computer that the user logged on to.

For a network logon, such as accessing a shared folder on the network, audit event are generated on the hosting computer.

You must also enable the Audit Logon setting

Audit IPsec Extended Mode
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Allows to control audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
Audit IPsec Main Mode
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None 
  • Success
  • Failure
  • Success+Failure
  • 1903
Allows to control audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
Audit IPsec Quick Mode
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Allows to control audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
Audit Logoff
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Success
  • Off/None
  • Failure
  • Success+Failure
  • 1903
Allows to control audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to.
Audit Logon
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Success
  • Off/None
  • Failure
  • Success+Failure
  • 1903 
Allows to control audit events generated by user account logon attempts on the device.  
Audit Network Policy Server
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Success+Failure
  • Off/None
  • Success
  • Failure
  • 1903

Configures audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be grant, deny, discard, quarantine, lock and unlock.

  • Success - audits record successful user access requests
  • Failure - audits record unsuccessful attempts.
  • Off/None -  IAS and NAP user access requests are not audited.
Audit Other Logon Logoff Events
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Allows to configure audit other login or logoff related events. These includes: 

  • Terminal Services session disconnection.
  • New Terminal Services sessions.
  • Locking and unlocking a workstation.
  • Invoking a screen saver.
  • Dismissal of a screen saver.
  • Detection of a Kerberos replay attack, in which a Kerberos request was received twice with identical information. This condition could be caused by network misconfiguration.
  • Access to a wireless network granted to a user or computer account.
  • Access to a wired 802.1x network granted to a user or computer account.
Audit Special Logon
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Success
  • Off/None
  • Failure
  • Success+Failure
  • 1903

Configures audit events generated with special logons like: 

  • Usage of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.
  • A logon by a member of a Special Group. A list of group security identifiers can be configured in the registry. Please refer to Audit Special Logon for more information
Audit User Device Claims
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Allows to configure audit events for user and device claims information in the user's logon token. 

Events are generated on the computer on which a logon session is created and for each successful logon.

For an interactive logon, audit events are generated on the computer that the user logged on to.

For a network logon, such as accessing a shared folder on the network, audit event are generated on the hosting computer.

You must also enable the Audit Logon setting

Audit Credential Validation
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Allows to control audit events generated by validation test on user account logon credentials. 
Audit Kerberos Authentication Service
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None 
  • Success
  • Failure
  • Success+Failure
  • 1903
Allows to control audit events generated by Kerberos authentication ticket-granting ticket (TGT) request. 
Audit Kerberos Service Ticket Operations
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Allows to control audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts.
Audit Other Account Logon Events
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Specifies to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.
Audit Application Group Management
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Allows to control audit events generated by changes to application groups like:

  • Creation, changing or deletion of application groups
  • Adding or removing members from an application group
Audit Computer Account Management
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Configures audit events generated by changes to computer accounts, e.g. when computer accounts are created, changed or deleted. 
Audit Distribution Group Management
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

This setting allows to control configure audit settings for changes to distribution groups like: 

  • Creation, changing or deletion of distribution groups
  • Adding or removing members from a distribution group
  • Type changes of distributions groups
Audit Other Account Management Events
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Specifies the audit events generated by other user account changes like: 

  • Accessed password hashes
  • API calls for policy checking was made
  • Changes to the Default Domain Group Policy under the following paths:
    • Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
    • Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.
Audit Security Group Management
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Success
  • Off/None
  • Failure
  • Success+Failure
  • 1903

Allows to audit events generated by changes to security groups, such as: 

  • Creation, changing or deletion of security groups
  • Adding or removing members from a security group
  • Type changes of security groups
Audit User Account Management
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Success
  • Off/None
  • Failure
  • Success+Failure
  • 1903

This configuration allows to audit changes to user accounts. This events includes the following: 

  • A user account is created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.
  • A user account’s password is set or changed.
  • A security identifier (SID) is added to the SID History of a user account.
  • The directory services restore mode password is configured.
  • Permissions on administrative user accounts are changed.
  • Credential Manager credentials are backed up or restored
Audit Detailed Directory Service Replication
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Controls audit settings to audit events generated by detailed AD DS replication between domain controllers.
Audit Directory Service Access
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Allows to audit events generated when an AD DS object is accessed. 

Only AD DS objects with a matching system access control list (SACL) are logged.

Audit Directory Service Changes
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Specifies the audit events generated by changes to objects in AD DS. Events will be logged when an object is created, deleted, modified, move or undeleted. 

Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged.

Audit Directory Service Replication
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

This setting allows to audit replication between two AD DS domain controllers. 

Events in this subcategory are logged only on domain controllers.

Audit DPAPI Activity
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Controls audit settings generated when encryption or decryption requests are made to the Data Protection application interface. Fore more information about DPAPI please review the following article: Windows Data Protection

Audit PNP Activity
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Specifies the setting for audit events when plug and play detects and external device. 
Audit Process Creation
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Allows to control audit events generated when a process created or starts. 

The name of the application or the user that created the process will be also audited. 

Audit Process Termination
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Allows to control audit events generated when a process ends. 
Audit RPC Events
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Specifies the setting for audit events for inbound remote procedure call connections. 
Audit Token Right Adjusted
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Controls audit settings to audit events generated by adjusting the privileges of a token. 
Audit Application Generated
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
This setting allows to control audit applications that generate events by using the Windows Auditing application interfaces (APIs). 
Audit Central Access Policy Staging
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Specifies audit access requests where permissions are granted or denied by a proposed policy that differs from the current central access policy on an object. 
Audit Certification Services
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Allows to control audit events from Active Directory Certificate Services operations. 
Audit Detailed File Share
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Controls audit settings for access files and folders attempts on a shared folder. This allows are more granular logging for File Shares than the Audit File Share setting. Detailed File Share logs an event every time a file or folder is accessed. 

There are no system access control lists (SACLs) for shared folders. If this setting is enabled, access to all shared files and folders on the system is audited.

Audit File Share
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

With this setting it is possible to control audit attempts to access a shared folder. Audit File Share logs one event for any established connection between a client and file share. 

There are no system access control lists (SACLs) for shared folders. If this setting is enabled, access to all shared files and folders on the system is audited.

Audit File System
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Specifies audit settings for user attempts to access file system objects. Audit events are generated each time an account access a file system object with a matching SACL. 
Audit Filtering Platform Connection
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Allows to control audit connections that are allowed or blocked by the Windows Filtering Platform. This includes the following events

  • Firewall Service blocks an application from accepting incoming connections on the network
  • WFP allows or blocks a connection
  • WFP permits and blocks a bind to a local port
  • WFP allows or blocks a connection
  • WFP permits and blocks an application or service to listen on a port for incoming connections
Audit Filtering Platform Packet Drop
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Specifies audit settings for audit packets that are dropped by the Windows Filtering Platform. 
Audit Handle Manipulation
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Controls audit settings for events generated when a handle to an object is opened or closed. 

Only objects with a matching system access control list (SACL) generate security audit events.

Audit Kernel Object
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

With this setting it is possible to control audit events for attempts to access the kernel. This includes mutexes and semaphores. 

Only kernel objects with a matching system access control list (SACL) generate security audit events.

Audit Other Object Access Events
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Allows to control audit events generated by the management of task scheduler jobs or COM+ objects.

The following scheduler jobs are audited:

  • Created, deleted, enabled, disabled or updated Jobs

The following COM+ objects are audited:

  • Added, updated or deleted catalog
Audit Registry
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Controls audit settings for attempts to access registry objects. 

Audit events are generated only for objects that have the SACLs specified and only if the access type such as read, write or modify is requested and the account that makes the requests matches the settings in the SACL. 

Audit Removable Storage
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Allows to define audit settings for attempts to access file system object on a removable storage device by a user. Security audit events are generated only for all objects and for all types of requested access. 
 Audit SAM
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Controls audit settings for events generated by attempts to access Security Account Manager objects. 
Audit Authentication Policy Change
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Success
  • Off/None
  • Failure
  • Success+Failure
  • 1903

Specifies audit settings for events generated by changes to the authentication policy. Please review authentication policy events here

 

Audit Authorization Policy Change
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Allows to control audit settings for events generated by changes to the authorization policy.  Please review authorization policy events here
Audit Filtering Platform Policy Change
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Allows to define audit settings for events generated by changes to the Windows Filtering Platform, like: 

  • IPsec services status
  • IPsec policy settings changes
  • Windows Firewall policy settings changes.
  • WFP providers and engine changes.

 

Audit MPSSVC Rule Level Policy Change
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Specifies audit settings for events generated by changes in policy rules utilized by the Microsoft Protection Service, which is used by the the Windows Firewalls.  MPSSVC includes the following events:

  • Active policies report when the Firewall service starts
  • Changes to Firewall rules, exception list and settings
  • Ignored or not applied rules
  • Windows Firewall Group Policy settings changes. 
Audit Other Policy Change Events
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

Allows to define audit settings for events generated by other security policy changes that are not audited within the policy change category, like 

  • Changes in TPM configuration
  • Kernel-mode cryptographic self test
  • Cryptographic provider and/or context operations or modifications
  • Changes in applied Central Access Policies
  • Modifications in Boot Configuration Data
Audit Policy Change
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Success
  • Off/None
  • Failure
  • Success+Failure
  • 1903
Controls audit settings for events generated by changes in the security audit policy settings. Please review included events here
Audit Non Sensitive Privilege Use
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None 
  • Success
  • Failure
  • Success+Failure
  • 1903
Controls audit settings for events generated by the use of non sensitive user rights (privileges). Please review nonsensitive privileges here
Audit Other Privilege Use Events
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903

This setting is deprecated

 

Audit Sensitive Privilege Use
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Allows to define audit settings for events generated when sensitive user rights are used. Please review audit events here
Audit IPsec Driver
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None 
  • Success
  • Failure
  • Success+Failure
  • 1903

Specifies audit settings for events generated by the IPsec filter driver, such as: 

  • IPsec services startup and shutdown
  • Network packages dropped due
    • Integrity check failure
    • Replay check failure
    • Being in plain text 
  • Network packets received with incorrect SPI 
  • IPsec filter process inability
Audit Other System Events
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Success+Failure
  • Off/None
  • Success
  • Failure
  • 1903

This settings allow to control audit of any of the following events:

  • Windows Firewall service and driver startup and shutdown
  • Security policy processing by the Windows Firewall service
  • Migration and key file cryptography operations.
Audit Security State Change
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Success
  • Off/None
  • Failure
  • Success+Failure
  • 1903

Defines audit settings for events generated by changes in the security state of the customer, such as:

  • Startup and shutdown
  • System time changes
  • Recovery from CrashOnAuditFail
Audit Security System Extension
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Off/None
  • Success
  • Failure
  • Success+Failure
  • 1903
Controls audit settings for events related to security system extensions or services.
Audit System Integrity
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Success+Failure
  • Off/None
  • Success
  • Failure
  • 1903

Allows to control audit events generated in case of integrity violation of the security subsystem. Please review audit events here

 

Authentication

Setting Availability Options Requirement Description
Authentication
Allow Azure AD Password Reset
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Enabled
  • Disabled
  • 1709
Defines whether password reset is enabled for Azure Active Directory accounts
Allow EAP Cert SSO
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Enabled
  • Disabled
  Allows or disallows an EAP certificate based authentication for a single sign on (SSO) to access internal resources.
Allow Fast Reconnect
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Enabled
  • Disabled
  Allows or disallows EAP Fast Reconnect from being attempted for EAP Method TLS.
Allow Companion Device for Secondary Authentication
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Enabled
  • Disabled
  • 1607
Allows or disallows secondary authentication devices to work with Windows
Allow Enable Fast First Sign In
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • None
  • Enabled
  • Disabled
  • 1809
Configures quick first sign-in experience for a user on Shared PCs. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.
Allow Enable Web Sign In
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • None
  • Enabled
  • Disabled
  • 1809
Web Sign-in is a way of signing into a Windows PC and enables Windows logon support for non-ADFS federated providers (e.g. SAML). Only supported for Azure AD Joined PCs

BITS 

Setting Availability Options Requirement Description
Bits
Set Default Download Behavior for Background Jobs on Costed Networks
  • Windows 10/11 Home
  • Windows 10/11 Pro
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Always transfer
  • Transfer unless roaming
  • Transfer unless surcharge applies
  • Transfer unless nearing limit
  • Transfer only if unconstrained 
  • 1809
Configures the default behavior that the Background Intelligent Transfer uses for background transfers when the device is connected to a costed network (3G, LTE etc.)
Set Default Download Behavior for Foreground Jobs on Costed Networks
  • Windows 10/11 Home
  • Windows 10/11 Pro
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Always transfer
  • Transfer unless roaming
  • Transfer unless surcharge applies
  • Transfer unless nearing limit
  • Transfer only if unconstrained 
  • 1809
Configures the default behavior that the Background Intelligent Transfer uses for foreground transfers when the device is connected to a costed network (3G, LTE etc.)

Bluetooth

Setting Availability Options Requirement Description
Bluetooth
Allow Advertising
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Not Allowed
  • Allowed
  Configures if the device can send out Bluetooth advertisement
Allow Discoverable Mode
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Not Allowed
  • Allowed
  Specifies whether other Bluetooth-enabled devices can discover the managed device
Allow Prepairing
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Not Allowed
  • Allowed
  • 1607
Allows or disallows specific bundled Bluetooth peripherals to automatically pair with the host device.
Allow Prompted Proximal Connections
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Not Allowed
  • Allowed
  • 1803
Will allow or block users from using Swift Pair and other proximity based scenarios.

Browser

Setting Availability Options Requirement Description
Browser
Allow Address bar drop-down list suggestions
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703
Microsoft Edge shows the Address bar drop-down list and makes it available by default, which takes precedence over the Configure search suggestions in Address bar policy. Disable this restriction for minimizing network connections from Microsoft Edge to Microsoft service, which hides the functionality of the Address bar drop-down list. If disabled Microsoft Edge also disables the Show search and site suggestions as I type toggle in Settings.
Allow Browser  
  • Enabled or Disabled
   
Allow Configuration Updates for the Books Library
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1803
If enabled, Microsoft Edge updates configuration data for the Books Library automatically. If disabled  Microsoft Edge will be prevented from updating the configuration data.
Allow Developer Tools
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  Prevent users from using the F12 developer tools.
Allow Extensions
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1607
Prevent users from adding or personalizing extensions.
Allow Adobe Flash
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
 

Configure Microsoft Edge to prevent Adobe Flash content from running. 

Adobe Flash is integrated with Microsoft Edge and runs Adobe Flash content by default

Configure the Adobe Flash Click-to-Run Setting
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703
By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user, for example, clicking the Click-to-Run button.  Disabling this will load  Adobe Flash content automatically
Allow FullScreen Mode
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1809
Configures whether fullscreen mode is allowed or not.
Allow InPrivate Browsing
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  InPrivate Browsing  deletes after closing all tabs to browsing date from the device. This restrictions configures whether InPrivate Browsing is allowed or not.
Allow Microsoft Compatibility List
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703
During browser navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays correctly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates. With this policy, you can configure Microsoft Edge to ignore the compatibility list. You can view the compatibility list at about:compat.
Allow Microsoft Edge to Pre-Launch at Windows Startup
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1809
If enabled, the browser pre-launches as a background process during Windows startup for faster performance and faster launch time. 
Allow Printing
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1809
Disabling this setting will prevent user from printing web content. 
Allow Saving History
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1809
Disabling this settings prevents from saving the browsing history. If any  history existed before disabling this setting, the previous browsing history remains in the History pane. Also disabling this setting does not stop roaming of existing browsing history or browsing history from other devices.
Allow Microsoft Edge to Pre-Launch at Windows Startup
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1809
If enabled, the browser pre-launches as a background process during Windows startup for faster performance and faster launch time. 
Allow Printing
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1809
Disabling this setting will prevent user from printing web content. 
Allow Saving History
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1809
Disabling this settings prevents from saving the browsing history. If any  history existed before disabling this setting, the previous browsing history remains in the History pane. Also disabling this setting does not stop roaming of existing browsing history or browsing history from other devices.
Allow Search Engine Customization
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703
Configures whether users are allowed from customizing the search engine.
Allow Sideloading of Extensions
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1809
Sideloading allows to install and run unverified extensions. If disabled, extensions can only be installed through Microsoft Store or Store for Business and PowerShell by using Add-AppxPackage cmdlet. 
Allow Microsoft Edge to Start and Load the Start and New Tab Pages
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1809
If enabled, Microsoft Edge pre-loads the Start and New Tab pages during Windows Login and each time the browser closes by default for a faster start and new tab loading. 
Allow Always Show the Books Library in Microsoft Edge
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1803
If enabled, the Books Library is only shown in supported regions or countries. If disabled, the Books Library is shown regardless if the country or region is supported. 
Allow Search Engine Customization
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703
Configures whether users are allowed from customizing the search engine.
Allow Sideloading of Extensions
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1809
Sideloading allows to install and run unverified extensions. If disabled, extensions can only be installed through Microsoft Store or Store for Business and PowerShell by using Add-AppxPackage cmdlet. 
Allow Microsoft Edge to Start and Load the Start and New Tab Pages
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1809
If enabled, Microsoft Edge pre-loads the Start and New Tab pages during Windows Login and each time the browser closes by default for a faster start and new tab loading. 
Allow Always Show the Books Library in Microsoft Edge
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1803
If enabled, the Books Library is only shown in supported regions or countries. If disabled, the Books Library is shown regardless if the country or region is supported. 
Allow Clearing Browsing Data on Exit
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703

Clearing Browsing Data does not take affect by default on the browser, but users can configure this option in the Settings. Browsing data might include sensitive information the user entered like forms, passwords and visited websites. This restriction allows to clear the browsing data automatically each time Microsoft Edge closes. 

  • Disabled - User can configure the option in settings
  • Enabled -  Browsing data will be cleared automatically after closing Microsoft Edge
Configure Additional Search Engines
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703

Users  are allowed to set a default search engine but can't add, change or remove them. This setting allows to set the default engine and add up to five additional search engines.  

You must specify a link to the OpenSearch XML file. Please refer to Search provider discovery.

Allow Clearing Browsing Data on Exit
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703

Clearing Browsing Data does not take affect by default on the browser, but users can configure this option in the Settings. Browsing data might include sensitive information the user entered like forms, passwords and visited websites. This restriction allows to clear the browsing data automatically each time Microsoft Edge closes. 

  • Disabled - User can configure the option in settings
  • Enabled -  Browsing data will be cleared automatically after closing Microsoft Edge
Configure Additional Search Engines
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Enabled or Disabled
  • 1703

Users  are allowed to set a default search engine but can't add, change or remove them. This setting allows to set the default engine and add up to five additional search engines.  

You must specify a link to the OpenSearch XML file. Please refer to Search provider discovery.

Camera

Setting Availability Options Requirement Description
Camera
Allow Camera
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
 
  • 1709

Specifies whether the user is able to use the device camera or not.

Cellular

Setting Availability Options Requirement Description
Cellular
Let Apps Access Cellular Data
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • User is in control
  • Force allow
  • Force deny
  • 1709

Allows to control if Windows 10 apps can access cellular data. 

  • User is in control - Users can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device.
  • Force allow - Windows apps are allowed to access cellular data and users cannot change it.
  • Force deny -  Windows apps are not allowed to access cellular data and users cannot change it.

Connectivity

Setting Availability Options Requirement Description
Connectivity
Allow Bluetooth
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Not Allowed
  • Allowed
   
Allow Connected Devices
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Not Allowed
  • Allowed
  • 1703
With this setting it is possible to disable the Connected Devices Platform (CDP) component. CDP is used to enable discovery and connections to other devices to support remote app launch, remote messages, remote app sessions and other cross-device experiences. 
Allow Phone PC Linking
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Not Allowed
  • Allowed
  • 1803
Disables the ability to link a phone with a PC to continue tasks (e.g reading, emails and related tasks). If the PC is already linked, this setting will remove the device itself from the device list on any linked phone and will prevent from participating from the "Continue on PC" experience
Allow VPN Over Cellular
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Not Allowed
  • Allowed
  Specifies if cellular is allowed to use for VPN connections. 
Allow VPN Roaming Over Cellular
  • Windows 10 Pro
  • Windows 10 Business
  • Windows 10 Enterprise
  • Windows 10 Education
  • Not configured
  • Not Allowed
  • Allowed
  Controls whether the device is allowed or not to connect to VPN when the device is roaming over cellular networks. 
Allow Cellular Data
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Allowed
  • Not allowed
  • Allow but user cannot turn it off
 

Provides the ability to configure cellular data usage settings on the device. 

  • Allow - Allows cellular data and the user is able to turn it off
  • Not allow - Disables cellular data and the user is not able to turn it on
  • Allow but user cannot turn it off - Allows cellular data on the device and prevents the user from turning it off
Allow Cellular Data Roaming
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Allow
  • Not allow
  • Allow but user cannot turn it off
 

Provides the ability to configure cellular data roaming settings on the device. 

  • Allow - Allows cellular data roaming and user is able to turn it off.
  • Not allow – Does not allow cellular data roaming. The user cannot turn it on. 
  • Allow but user cannot turn it off - Allows cellular data roaming on and prevents the user from turning it off.

Control Policy Conflict

Setting Availability Options Requirement Description
 Control Policy Conflict
MDM Policy Is Used and the GP Policy Is Blocked
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • Enabled
  • 1803
This restrictions ensures that settings made via the Mobile Device Management protocol will win over Group Policies.

Credential Provider

Setting Availability Options Requirement Description
Credential Provider
Disable the Visibility of the Credentials for Autopilot Reset
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • Enabled
  • 1709
Works inline with the Clean PC option that resets devices and keeps the management enrollment. This setting controls whether the visibility of the credential provider that triggers the PC refresh on a device is enabled or disabled. 

Cryptography

Setting Availability Options Requirement Description
Cryptography
Allow Fips Algorithm Policy
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Not Allowed
  • Allowed
  Specifies whether the Federal Information Processing Standard (FIPS) policy is allowed or disallowed. Please review for further information the explanation inside the Group Policy System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing under the following path: Windows Settings/Security Settings/Local Policies/Security Options

Data Protection

Setting Availability Options Requirement Description
Data Protection
Allow Direct Memory Access
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Not Allowed
  • Allowed
 

This restrictions allows to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. 

Requires BitLocker Device Encryption

Desktop

Setting Availability Options Requirement Description
Desktop
Prevent User Redirection of Profile Folders
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Enabled
  Users can change by default the location of their individual profile folder like Pictures and Documents etc. by changing the path in the Locations section of the folders properties box. With this setting it is possible to prevent users from redirecting profile folders. 

Device Guard

Setting Availability Options Requirement Description
Device Guard
Configure the Launch of System Guard
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Unmanaged (Default) 
  • Enables Secure Launch 
  • Disables Secure Launch
  • 1809

Allows to configure the launch of System Guard. For more information about System Guard, please refer to 

Enabling Secure Launch requires are supported hardware. 

Turn On Virtualization Based Security
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Disable (Default) 
  • Enable 
  • 1709
If enabled it turns on the virtualization based security (VBS) at the next reboot of the device. VBS uses the Windows Hypervisor to provide support for security devices. 
Turn On Credential Guard With Virtualization-Based Security
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Disabled (Default) 
  • Enabled with lock
  • Enabled without lock
  • 1709

Configures the usage of Credential Guard and the option to change the setting for the user.  Credential Guard with virtualization-based security helps to protect credentials and changes will be applied after the next reboot

  • Disabled -  Turns off Credential Guard remotely if configured previously without UEFI Lock.
  • Enabled with lock - Turns on Credential Guard with UEFI lock.
  • Enabled without lock - Turns on Credential Guard without UEFI lock.
Configure Platform Security Features
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Turn on VBS with Secure Boot (Default)
  • Turn on VBS with Secure Boot and DMA 
  • 1709

Allows to specify the platform security level beginning with the next reboot. 

DMA requires hardware support. 

Device Health Monitoring

Setting Availability Options Requirement Description
Device Health Monitoring
Allow Device Health Monitoring
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • Enabled
  • 1903
Defines whether the Device Health Monitoring connection is enabled or disabled.  Device Health Monitoring is an opt-in health monitoring connection between the device and Microsoft. Please enable this settings only if you a using a Microsoft device monitoring service which requires it. 

Device Lock 

Setting Availability Options Requirement Description
Device Lock
Prevent Lock Screen Slide Show
  • Windows 10/11 Home
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • Enabled
  Disables the lock screen slide show settings in the Settings App and prevents a slide show from playing on the lock screen. If disabled or not configured, users can enable and modify slide show settings. 

Display

Setting Availability Options Requirement Description
Display
Configure Per-Process System DPI Settings
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • Enabled
  • 1803
 

DMA Guard

Setting Availability Options Requirement Description
DMA Guard
Enumeration Policy for External Devices Incompatible With Kernel DMA Protection
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Only after log in/screen unlock
  • Block All
  • Show All
  • 1809

This setting provides additional security again external DMA capable devices. 

  • Only after log in/screen unlock (Default) - Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will only be enumerated after the user unlocks the screen
  • Block All - Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will never be allowed to start and perform DMA at any time.
  • Show all:  All external DMA capable PCIe devices will be enumerated at any time

Event Log Service

Setting Availability Options Requirement Description
Event Log Service
Allow Adding Events When Log File Reaches Maximum Size
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Enabled
  This restriction controls the Event Log behavior when the log file(s) reaches the maximum size. In a not configured state log files will overwrite old events if the log file reaches the maximum size. In an enabled state, new events will not be written into the log and are lost. 
Max Application Log File Size (KB)
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • e.g. 20480
  Defines the maximum log file size in KB for Application Logs. Supported values are from 1024 (1MB) to 2147483647 (2 TB). The default value is 20480 KB (20MB)
Max Security Log File Size (KB)
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • e.g. 20480
  Defines the maximum log file size in KB for Security Logs. Supported values are from 1024 (1MB) to 2147483647 (2 TB). The default value is 20480 KB (20MB)
Max System Log File Size (KB)
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • e.g. 20480
  Defines the maximum log file size in KB for System Logs. Supported values are from 1024 (1MB) to 2147483647 (2 TB). The default value is 20480 KB (20MB)

Experience

Setting Availability Options Requirement Description
Experience
Allow Cortana
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Not Allowed
  • Allowed
  Allows or disallows Cortana on the device. 
Allow Manual MDM Unenrollment
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Not Allowed
  • Allowed
  Specifies if the user is able to delete the workplace account on the device or if it will be only possible to delete the profile remotely through the Management Console
Allow Sync My Settings
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Not Allowed
  • Allowed
  Controls whether Windows sync settings on the device are allowed or not. Please review the following article "About sync settings on Windows 10 devices" to get an overview what settings are synchronized. 

File Explorer

Setting Availability Options Requirement Description
File Explorer
Turn Off Data Execution Prevention for Explorer
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • Enabled
  If enabled, data execution prevention can allow certain legacy plug-in applications to function without terminating the Explorer.
Turn Off Heap Termination on Corruption
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • Enabled
  If enabled, heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later.

Games

Setting Availability Options Requirement Description
Games
Allow Advanced Gaming Services
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • Enabled
  • 1709
Specifies if advanced gaming services can be used on the device. Advanced gaming services may send data to Microsoft or games publishers that use these services. 

Handwriting

Setting Availability Options Requirement Description
Handwriting
Handwriting Panel Default Mode
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Floating
  • Docked
  • 1709

Defines the default mode for the handwriting panel. 

  • Floating - The content is hidden behind a flying-in panel 
  • Docked - The flying-in panel is fixed to the button of the screen. 

Lock Down

Setting Availability Options Requirement Description
Lock Down
Allow Edge Swipe
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • 1607
This setting controls if a user is able to invoke the system user interface by swiping in from any screen edge using touch. 

Maps

Setting Availability Options Requirement Description
Maps
Allows Auto-Update Over Metered Connection
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • Enabled
  • 1607
Controls whether the download and update of map data over metered connection is forced to disabled or forced to enabled.
Turn Off Automatic Download and Update of Map Data
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • Enabled
  • 1607
Controls whether the automatic download and update of map data is forced off (disabled) or forced on (enabled).

Messaging

Setting Availability Options Requirement Description
Messaging
Allow Message Sync
  • Windows 10/11 Pro
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • Enabled
  • 1607
Allows or disallows users to backup and restore text messages and use Messaging Everywhere. Disabling this policies will avoid that information are stored on non-organization cloud servers. If disabled, message sync is not allowed and can't be changed by the user. 

Notifications

Setting Availability Options Requirement Description
Notifications
Turn Off Notification Network Usage
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • Enabled
  • 1803

This restriction block applications from using the network to send tile, badge, toasts and raw notifications. 

We highly recommend to not enable this restriction. It might cause issue in the device communication with the backend server. 

Turn Off Notification Mirroring
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • Enabled
  • 1607
If enabled, application and system notifications will not be mirrored to other user devices. 
Turn Off Tile Notification
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • Enabled
  • 1803
If enabled, applications and system features will not be able to update their tiles and badges in the start screen. 

Security

Setting Availability Options Requirement Description
Security
Allow Add Provisioning Package
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Not Allowed
  • Allowed
  Configures if the runtime configuration agent is allowed to install provisioning packages.
Allow Remove Provisioning Package
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Not Allowed
  • Allowed
  Specifies if the runtime configuration agent is allowed to remove provisioning packages.
Require Provisioning Package Signature
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • No Require Authentication
  Requires provisioning package are certificate signed by a device trusted authority.
Configure The System To Clear The TPM If It Is Not In a Ready State
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Will not force recovery from TPM (default)
  • Will prompt to clear TPM
  • 1709

This setting will either not force recovery from a non-ready TPM state or will prompt to clear the TPM if the TPM is i a not ready state which can be remediated with a cleared TPM.

The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart. Admin access is required.

Recovery Environment Authentication
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Default (Default)
  • Require Authentication
  • No Required Authentication
  • 1809
This settings allows to control the Admin Authentication in the Recovery Environment. Please find  here additional validation procedure information 

Settings

Setting Availability Options Requirement Description
Settings
Allow Auto Play
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Enabled or Disabled
  Allows or disallows the user to change Auto Play settings. Disabling does not affect the autoplay dialog box that appears when a device is connected
Allow Data Sense
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Enabled or Disabled
  Configure whether the user is allowed or not allowed to change Data Sense settings.
Allow Date Time
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Enabled or Disabled
  Allows or disallows the user to change date and time settings.
Allow Language
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Enabled or Disabled
  Configures whether the user is allowed or not allowed to change the language settings
Allow Online Tips
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Enabled or Disabled
  • 1709
Allows or disallows retrieving online tips and help for the Settings app. If disabled, Settings App will stop contacting Microsoft content services. 
Allow Power Sleep
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Enabled or Disabled
  Configures whether the user is allowed to change power and sleep settings.
Allow Region
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Enabled or Disabled
  Allows or disallows the user to change region settings. 
Allow Sign In Options
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Enabled or Disabled
  Prevents the user from changing Sign In options.
Allow VPN
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Enabled or Disabled
  Configures whether the user is allowed to change VPN settings. 
Allow Workplace
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Enabled or Disabled
  Allows or disallows the user to change workplace settings. 
Allow Your Account
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Enabled or Disabled
  Prevents the user from changing settings in the Your Info  are in settings app
Show additional Calendar
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Allowed (Default)
  • Don't show additional calendars
  • Simplified Chinese (Lunar)
  • Traditional Chinese (Lunar)
  • 1703
Allows to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout

Speech

Setting Availability Options Requirement Description
Speech
Allow Automatic Update of Speech Data
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • Enabled
  • 1607
Specifies if devices will periodically check and receive updates to the speech recognition and synthesis models and download them from the Microsoft service using the Background Internet Transfer Service (BITS). 

Task Manager

Setting Availability Options Requirement Description
Task Manager
Allow Use Task Manager to End Tasks
  • Windows 10/11 Pro
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • Enabled
  • 1809
Controls if non-administrators can utilize the Task Manager to end tasks. 

Troubleshooting

Setting Availability Options Requirement Description
Troubleshooting
Troubleshooting Recommendations
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled but apply critical troubleshooting 
  • Notify when is available and allow to run it
  • Run automatically with notifying
  • Run automatically without notifying
  • Allow the user to choose settings 
  • 1903
Allows to configure how to apply recommended troubleshooting for known problems on devices. 

WiFi

Setting Availability Options Requirement Description
Device Lock
Allow Auto Connect to WiFi Sense Hotspots
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Enabled or Disabled
  Configures whether the device is allowed or not to automatically connect to Wi-Fi hotspots
Allow Manual WiFi Configuration
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Enabled or Disabled
  • 1607
Allows or disallows connecting to Wi-Fi outside of managed Wi-Fi Profiles. Disabling this setting will delete any previously installed user's profiles from the devices. 
Allow WiFi
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Enabled or Disabled
  • 1607
Configures if WiFi connections are allowed or not. 
Allow WiFi Direct
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Enabled or Disabled
  • 1703
Specifies if WiFi Direct connections are allowed or prohibited. 
WLAN Scan Mode
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • From 0 to 500
 

Allows to control the WLAN scanning bhehavior and how aggressively devices should be actively scanning for Wi-Fi networks. 

  • 100 = normal scan frequency
  • 500 = low scan frequency

Windows PowerShell

Setting Availability Options Requirement Description
Windows PowerShell
Allow PowerShell Script Logging
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Not configured
  • Disabled
  • Enabled
  Enables logging of all PowerShell script input in the Microsoft-Windows-Powershell/Operational event log. PowerShell will log,  whether invoked interactively or through automation,the processing of commands, script blocks, functions and scripts.
Log Script Block Invocation Start/Stop Events
  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Enabled or disabled
 

With enabled Log Script Block Invocation Start/Stop Events , PowerShell additionally logs when invocation of a command, script block, function, or script starts or stops.

Enabling Invocation Logging generates a high volume of event logs. 

  • Was this article helpful?